From 67a4bb602d164579fa66bf881536a08efb5f90ac Mon Sep 17 00:00:00 2001
From: richard-dds
Date: Wed, 28 Aug 2019 11:59:11 -0400
Subject: [PATCH] Require portfolio id in upload-token

It's necessary for the authz decorator
---
 atst/routes/__init__.py | 10 ----------
 atst/routes/task_orders/new.py | 20 +++++++++++++++++++-
 js/components/upload_input.js | 7 ++++++-
 templates/components/upload_input.html | 3 ++-
 templates/task_orders/step_1.html | 3 +--
 5 files changed, 28 insertions(+), 15 deletions(-)
diff --git a/atst/routes/__init__.py b/atst/routes/__init__.py
index fe916c5b..a99c384c 100644
--- a/atst/routes/__init__.py
+++ b/atst/routes/__init__.py
@@ -9,7 +9,6 @@ from flask import (
 request,
 make_response,
 current_app as app,
- jsonify,
 )
 
 from jinja2.exceptions import TemplateNotFound
@@ -44,15 +43,6 @@ def root():
 return render_template("login.html", redirect_url=redirect_url)
 
 
-@bp.route("/upload-token")
-@user_can(Permissions.CREATE_TASK_ORDER, message="edit task order form")
-def upload_token():
- (token, object_name) = app.csp.files.get_token()
- render_args = {"token": token, "objectName": object_name}
-
- return jsonify(render_args)
-
-
 @bp.route("/help")
 @bp.route("/help/")
 def helpdocs(doc=None):
diff --git a/atst/routes/task_orders/new.py b/atst/routes/task_orders/new.py
index b9912f9b..b6053dc0 100644
--- a/atst/routes/task_orders/new.py
+++ b/atst/routes/task_orders/new.py
@@ -1,4 +1,12 @@
-from flask import g, redirect, render_template, request as http_request, url_for
+from flask import (
+ g,
+ redirect,
+ render_template,
+ request as http_request,
+ url_for,
+ current_app as app,
+ jsonify,
+)
 
 from . import task_orders_bp
 from atst.domain.authz.decorator import user_can_access_decorator as user_can
@@ -64,6 +72,16 @@ def update_task_order(
 )
 
 
+@task_orders_bp.route("/task_orders//upload-token")
+@user_can(Permissions.CREATE_TASK_ORDER, message="edit task order form")
+def upload_token(portfolio_id):
+ print(app.csp)
+ (token, object_name) = app.csp.files.get_token()
+ render_args = {"token": token, "objectName": object_name}
+
+ return jsonify(render_args)
+
+
 @task_orders_bp.route("/task_orders//edit")
 @user_can(Permissions.CREATE_TASK_ORDER, message="edit task order form")
 def edit(task_order_id):
diff --git a/js/components/upload_input.js b/js/components/upload_input.js
index f15cfdbf..83e173fd 100644
--- a/js/components/upload_input.js
+++ b/js/components/upload_input.js
@@ -34,6 +34,9 @@ export default {
 type: Boolean,
 default: true,
 },
+ portfolioId: {
+ type: String,
+ },
 },
 
 data: function() {
@@ -104,7 +107,9 @@ export default {
 this.sizeError = false
 },
 getUploader: async function() {
- return fetch('/upload-token', { credentials: 'include' })
+ return fetch(`/task_orders/${this.portfolioId}/upload-token`, {
+ credentials: 'include',
+ })
 .then(response => response.json())
 .then(({ token, objectName }) => buildUploader(token, objectName))
 },
diff --git a/templates/components/upload_input.html b/templates/components/upload_input.html
index f78b6b31..04eb55aa 100644
--- a/templates/components/upload_input.html
+++ b/templates/components/upload_input.html
@@ -1,6 +1,6 @@
 {% from "components/icon.html" import Icon %}
-{% macro UploadInput(field, show_label=False, watch=False, token="", object_name="") -%}
+{% macro UploadInput(field, portfolio_id, show_label=False, watch=False, token="", object_name="") -%}
diff --git a/templates/task_orders/step_1.html b/templates/task_orders/step_1.html
index 843b8c0b..dd17c1f1 100644
--- a/templates/task_orders/step_1.html
+++ b/templates/task_orders/step_1.html
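Review bot: `print(app.csp)` in the new `upload_token` handler is a leftover debug statement that writes the cloud-storage provider object's repr to stdout on every token request; remove it (or at most demote it to `app.logger.debug(...)`), since the repr of a storage client is exactly the kind of thing that can leak connection details into process logs. The `portfolio_id` parameter exists only so `@user_can` can resolve the portfolio and is never passed to `app.csp.files.get_token()`, so the returned upload token is not bound to that portfolio in any way; if the CSP layer supports scoping a token, thread the id through, otherwise add a comment such as `# portfolio_id is consumed by the authz decorator only; the token itself is not portfolio-scoped` so the next reader does not assume it is. The route string reads `"/task_orders//upload-token"` here, which looks like a `<portfolio_id>` converter stripped by the page rendering rather than a genuine empty segment; confirm the real source has `"/task_orders/<portfolio_id>/upload-token"`. `Permissions` does not appear in the import hunk above, so it is presumably already imported elsewhere in new.py.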
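Review bot: The new `portfolioId` prop is declared with only `type: String`, so a caller that omits it gets `undefined` and the `getUploader` request later goes to `/task_orders/undefined/upload-token`, failing at request time with an opaque error. Because the server route now depends on this value for authorization, declare it `portfolioId: { type: String, required: true },` so Vue warns at mount time instead. The enclosing `props` object starts before this hunk.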
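Review bot: `getUploader` still pipes every response straight into `response.json()`, but the new endpoint sits behind the authz decorator, so a 403 (or a redirect to an HTML login page) now surfaces as a JSON parse error rather than a clear failure; change the first `.then` to `.then(response => { if (!response.ok) throw new Error('upload-token request failed: ' + response.status); return response.json() })`. `this.portfolioId` is also interpolated into the path unescaped; use `encodeURIComponent(this.portfolioId)` so an unexpected value cannot alter the request path. The `export default` object this method belongs to starts and ends outside the hunk.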
@@ -14,8 +14,7 @@
 {% set next_button_text = "Next: Add TO Number" %}
 {% set step = "1" %}
-
 {% block to_builder_form_field %}
 {{ TOFormStepHeader('task_orders.form.supporting_docs_header' | translate, 'task_orders.form.supporting_docs_text' | translate) }}
- {{ UploadInput(form.pdf, watch=True, token=token, object_name=object_name) }}
+ {{ UploadInput(form.pdf, portfolio.id, watch=True, token=token, object_name=object_name) }}
 {% endblock %}