pk/atst
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Check that user has portfolio and invite perms to revoke or resend invites

Browse Source
This commit is contained in:
leigh-mil 2019-03-25 15:54:40 -04:00
parent d152034e1b
commit 5d2b8556ed
2 changed files with 57 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
atst/domain/authz/decorator.py
View File

@ -6,6 +6,7 @@ from . import user_can_access
from atst.domain.portfolios import Portfolios from atst.domain.portfolios import Portfolios
from atst.domain.task_orders import TaskOrders from atst.domain.task_orders import TaskOrders
from atst.domain.applications import Applications from atst.domain.applications import Applications
from atst.domain.invitations import Invitations
from atst.domain.exceptions import UnauthorizedError from atst.domain.exceptions import UnauthorizedError
@ -25,6 +26,10 @@ def check_access(permission, message, exception, *args, **kwargs):
task_order = TaskOrders.get(kwargs["task_order_id"]) task_order = TaskOrders.get(kwargs["task_order_id"])
access_args["portfolio"] = task_order.portfolio access_args["portfolio"] = task_order.portfolio
if "token" in kwargs:
invite = Invitations._get(kwargs["token"])
access_args["portfolio"] = invite.portfolio_role.portfolio
if exception is not None and exception(g.current_user, **access_args, **kwargs): if exception is not None and exception(g.current_user, **access_args, **kwargs):
return True return True

52
tests/routes/portfolios/test_invitations.py
View File

@ -169,6 +169,58 @@ def test_revoke_invitation(client, user_session):
assert invite.is_revoked assert invite.is_revoked
def test_user_can_only_revoke_invites_in_their_portfolio(client, user_session):
portfolio = PortfolioFactory.create()
other_portfolio = PortfolioFactory.create()
user = UserFactory.create()
ws_role = PortfolioRoleFactory.create(
user=user, portfolio=other_portfolio, status=PortfolioRoleStatus.PENDING
)
invite = InvitationFactory.create(
user_id=user.id,
portfolio_role=ws_role,
status=InvitationStatus.REJECTED_EXPIRED,
expiration_time=datetime.datetime.now() - datetime.timedelta(seconds=1),
)
user_session(portfolio.owner)
response = client.post(
url_for(
"portfolios.revoke_invitation",
portfolio_id=portfolio.id,
token=invite.token,
)
)
assert response.status_code == 404
assert not invite.is_revoked
def test_user_can_only_resend_invites_in_their_portfolio(client, user_session, queue):
portfolio = PortfolioFactory.create()
other_portfolio = PortfolioFactory.create()
user = UserFactory.create()
ws_role = PortfolioRoleFactory.create(
user=user, portfolio=other_portfolio, status=PortfolioRoleStatus.PENDING
)
invite = InvitationFactory.create(
user_id=user.id,
portfolio_role=ws_role,
status=InvitationStatus.REJECTED_EXPIRED,
expiration_time=datetime.datetime.now() - datetime.timedelta(seconds=1),
)
user_session(portfolio.owner)
response = client.post(
url_for(
"portfolios.resend_invitation",
portfolio_id=portfolio.id,
token=invite.token,
)
)
assert response.status_code == 404
assert len(queue.get_queue()) == 0
def test_resend_invitation_sends_email(client, user_session, queue): def test_resend_invitation_sends_email(client, user_session, queue):
user = UserFactory.create() user = UserFactory.create()
portfolio = PortfolioFactory.create() portfolio = PortfolioFactory.create()