From 54aa10275f6270f5413e308e92cc041161047527 Mon Sep 17 00:00:00 2001
From: richard-dds
Date: Thu, 29 Nov 2018 10:35:11 -0500
Subject: [PATCH] Check workspace permission, not ATAT permission
---
 atst/domain/environments.py | 7 +++++--
 atst/models/environment.py | 4 ++++
 atst/models/workspace_role.py | 2 +-
 atst/routes/workspaces/members.py | 14 ++++++++++++++
 tests/routes/workspaces/test_members.py | 21 +++++++++++++++++++++
 5 files changed, 45 insertions(+), 3 deletions(-)
diff --git a/atst/domain/environments.py b/atst/domain/environments.py
index f1d8842f..38e23ff1 100644
--- a/atst/domain/environments.py
+++ b/atst/domain/environments.py
@@ -88,7 +88,10 @@ class Environments(object):
 @classmethod
 def revoke_access(cls, user, environment, target_user):
- Authorization.check_atat_permission(
- user, Permissions.REMOVE_CSP_ROLES, "revoke environment access"
+ Authorization.check_workspace_permission(
+ user,
+ environment.workspace,
+ Permissions.REMOVE_CSP_ROLES,
+ "revoke environment access",
 )
 EnvironmentRoles.delete(environment.id, target_user.id)
diff --git a/atst/models/environment.py b/atst/models/environment.py
index 7fa079ac..c5eaf98b 100644
--- a/atst/models/environment.py
+++ b/atst/models/environment.py
@@ -27,6 +27,10 @@ class Environment(Base, mixins.TimestampsMixin, mixins.AuditableMixin):
 def displayname(self):
 return self.name
+ @property
+ def workspace(self):
+ return self.project.workspace
+
 def auditable_workspace_id(self):
 return self.project.workspace_id
diff --git a/atst/models/workspace_role.py b/atst/models/workspace_role.py
index 238eab98..692cafbb 100644
--- a/atst/models/workspace_role.py
+++ b/atst/models/workspace_role.py
@@ -20,7 +20,7 @@ MEMBER_STATUSES = {
 "error": "Error on invite",
 "pending": "Pending",
 "unknown": "Unknown errors",
- "disabled": "Disabled"
+ "disabled": "Disabled",
 }
diff --git a/atst/routes/workspaces/members.py b/atst/routes/workspaces/members.py
index b09e943d..829cbf1d 100644
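Review bot: In atst/domain/environments.py, `revoke_access` now authorizes the acting `user` against `environment.workspace`, but the method has no docstring and nothing in the hunk records that contract. I would add `"""Remove target_user's role in environment; user must hold REMOVE_CSP_ROLES in the environment's workspace."""` under the signature. What `check_workspace_permission` does on denial is not visible here, so the docstring should also name the exception callers are expected to handle once that is confirmed. The enclosing class begins outside the hunk.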
--- a/atst/routes/workspaces/members.py
+++ b/atst/routes/workspaces/members.py
@@ -168,3 +168,17 @@ def update_member(workspace_id, member_id):
 workspace=workspace,
 member=member,
 )
+
+
+@workspaces_bp.route(
+ "/workspaces//members//revoke_access", methods=["POST"]
+)
+def revoke_access(workspace_id, member_id):
+ revoked_role = Workspaces.revoke_access(g.current_user, workspace_id, member_id)
+ return redirect(
+ url_for(
+ "workspaces.workspace_members",
+ workspace_id=workspace_id,
+ revokedMemberName=revoked_role.user_name,
+ )
+ )
diff --git a/tests/routes/workspaces/test_members.py b/tests/routes/workspaces/test_members.py
index 1816ecad..0d3b3901 100644
--- a/tests/routes/workspaces/test_members.py
+++ b/tests/routes/workspaces/test_members.py
@@ -168,3 +168,24 @@ def test_update_member_environment_role_with_no_data(client, user_session):
 )
 assert response.status_code == 200
 assert EnvironmentRoles.get(user.id, env1_id).role == "developer"
+
+
+def test_revoke_member_access(client, user_session):
+ workspace = WorkspaceFactory.create()
+ user = UserFactory.create()
+ member = WorkspaceRoles.add(user, workspace.id, "developer")
+ Projects.create(
+ workspace.owner,
+ workspace,
+ "Snazzy Project",
+ "A new project for me and my friends",
+ {"env1"},
+ )
+ user_session(workspace.owner)
+ response = client.post(
+ url_for(
+ "workspaces.revoke_access", workspace_id=workspace.id, member_id=member.id
+ )
+ )
+ assert response.status_code == 302
+ assert WorkspaceRoles.get_by_id(member.id).num_environment_roles == 0
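Review bot: The new `revoke_access` route in atst/routes/workspaces/members.py passes `workspace_id` and `member_id` straight from the URL and checks nothing itself, so the whole authorization decision rests on `Workspaces.revoke_access`, which this patch does not show. That method needs to confirm both that `g.current_user` holds the permission in `workspace_id` and that the role identified by `member_id` belongs to that same workspace; otherwise rights held in one workspace could be applied to a member of another. Separately, `revokedMemberName=revoked_role.user_name` travels in the redirect query string, where any requester can supply a value of their own, so the members page should not treat it as server-produced text. Carrying the name with `flash()` or looking it up server-side would avoid that, and the template must escape it either way.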
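Review bot: The final assertion in `test_revoke_member_access` looks vacuous: the member is added to the workspace as `"developer"` and a project with `env1` is created, but no environment role is ever granted to `user`, so `num_environment_roles == 0` would presumably hold before the POST as well. Granting a role on `env1` first (the neighbouring test reads one back with `EnvironmentRoles.get`) and asserting it is gone afterwards would make the test fail when revocation does nothing. Since the commit is about which permission is checked, a second case where the session user lacks `REMOVE_CSP_ROLES` in the workspace and the request is refused would pin the behaviour the change is for.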