Check workspace permission, not ATAT permission

atst/domain/environments.py

@@ -88,7 +88,10 @@ class Environments(object):
 
     @classmethod
     def revoke_access(cls, user, environment, target_user):
-        Authorization.check_atat_permission(
-            user, Permissions.REMOVE_CSP_ROLES, "revoke environment access"
+        Authorization.check_workspace_permission(
+            user,
+            environment.workspace,
+            Permissions.REMOVE_CSP_ROLES,
+            "revoke environment access",
         )
         EnvironmentRoles.delete(environment.id, target_user.id)

atst/models/environment.py

@@ -27,6 +27,10 @@ class Environment(Base, mixins.TimestampsMixin, mixins.AuditableMixin):
     def displayname(self):
         return self.name
 
+    @property
+    def workspace(self):
+        return self.project.workspace
+
     def auditable_workspace_id(self):
         return self.project.workspace_id
 

atst/models/workspace_role.py

@@ -20,7 +20,7 @@ MEMBER_STATUSES = {
     "error": "Error on invite",
     "pending": "Pending",
     "unknown": "Unknown errors",
-    "disabled": "Disabled"
+    "disabled": "Disabled",
 }
 
 

atst/routes/workspaces/members.py

@@ -168,3 +168,17 @@ def update_member(workspace_id, member_id):
             workspace=workspace,
             member=member,
         )
+
+
+@workspaces_bp.route(
+    "/workspaces/<workspace_id>/members/<member_id>/revoke_access", methods=["POST"]
+)
+def revoke_access(workspace_id, member_id):
+    revoked_role = Workspaces.revoke_access(g.current_user, workspace_id, member_id)
+    return redirect(
+        url_for(
+            "workspaces.workspace_members",
+            workspace_id=workspace_id,
+            revokedMemberName=revoked_role.user_name,
+        )
+    )