Require portfolio id in upload-token

It's necessary for the authz decorator
2019-08-28 11:59:11 -04:00 · 2019-08-28 11:59:11 -04:00 · 67a4bb602d
commit 67a4bb602d
parent 0566b525f6
5 changed files with 28 additions and 15 deletions
--- a/atst/routes/init.py
+++ b/atst/routes/init.py
@ -9,7 +9,6 @@ from flask import (
    request,
    make_response,
    current_app as app,
-    jsonify,
 )

 from jinja2.exceptions import TemplateNotFound
@ -44,15 +43,6 @@ def root():
    return render_template("login.html", redirect_url=redirect_url)


-@bp.route("/upload-token")
-@user_can(Permissions.CREATE_TASK_ORDER, message="edit task order form")
-def upload_token():
-    (token, object_name) = app.csp.files.get_token()
-    render_args = {"token": token, "objectName": object_name}
-
-    return jsonify(render_args)
-
-
@bp.route("/help")
@bp.route("/help/<path:doc>")
 def helpdocs(doc=None):
--- a/atst/routes/task_orders/new.py
+++ b/atst/routes/task_orders/new.py
@ -1,4 +1,12 @@
-from flask import g, redirect, render_template, request as http_request, url_for
+from flask import (
+    g,
+    redirect,
+    render_template,
+    request as http_request,
+    url_for,
+    current_app as app,
+    jsonify,
+)

 from . import task_orders_bp
 from atst.domain.authz.decorator import user_can_access_decorator as user_can
@ -64,6 +72,16 @@ def update_task_order(
        )


+@task_orders_bp.route("/task_orders/<portfolio_id>/upload-token")
+@user_can(Permissions.CREATE_TASK_ORDER, message="edit task order form")
+def upload_token(portfolio_id):
+    print(app.csp)
+    (token, object_name) = app.csp.files.get_token()
+    render_args = {"token": token, "objectName": object_name}
+
+    return jsonify(render_args)
+
+
@task_orders_bp.route("/task_orders/<task_order_id>/edit")
@user_can(Permissions.CREATE_TASK_ORDER, message="edit task order form")
 def edit(task_order_id):
--- a/js/components/upload_input.js
+++ b/js/components/upload_input.js
@ -34,6 +34,9 @@ export default {
      type: Boolean,
      default: true,
    },
+    portfolioId: {
+      type: String,
+    },
  },

  data: function() {
@ -104,7 +107,9 @@ export default {
      this.sizeError = false
    },
    getUploader: async function() {
-      return fetch('/upload-token', { credentials: 'include' })
+      return fetch(`/task_orders/${this.portfolioId}/upload-token`, {
+        credentials: 'include',
+      })
        .then(response => response.json())
        .then(({ token, objectName }) => buildUploader(token, objectName))
    },
--- a/templates/components/upload_input.html
+++ b/templates/components/upload_input.html
@ -1,6 +1,6 @@
 {% from "components/icon.html" import Icon %}

-{% macro UploadInput(field, show_label=False, watch=False, token="", object_name="") -%}
+{% macro UploadInput(field, portfolio_id, show_label=False, watch=False, token="", object_name="") -%}
 <uploadinput
  inline-template
  {% if not field.errors %}
@ -9,6 +9,7 @@
    v-bind:initial-errors='true'
  {% endif %}
  v-bind:watch='{{ watch | string | lower }}'
+  v-bind:portfolio-id="'{{ portfolio_id }}'"
  name='{{ field.name }}'
  :optional='false'
  >
--- a/templates/task_orders/step_1.html
+++ b/templates/task_orders/step_1.html
@ -14,8 +14,7 @@
 {% set next_button_text = "Next: Add TO Number" %}
 {% set step = "1" %}

-
 {% block to_builder_form_field %}
  {{ TOFormStepHeader('task_orders.form.supporting_docs_header' | translate, 'task_orders.form.supporting_docs_text' | translate) }}
-  {{ UploadInput(form.pdf, watch=True, token=token, object_name=object_name) }}
+  {{ UploadInput(form.pdf, portfolio.id, watch=True, token=token, object_name=object_name) }}
 {% endblock %}