From 51a5929b526a331371148507a9034a076b8ab58b Mon Sep 17 00:00:00 2001
From: leigh-mil
Date: Mon, 8 Apr 2019 12:19:09 -0400
Subject: [PATCH 1/2] Check if member is PPoC before updating perms
---
 atst/routes/portfolios/index.py | 8 ++++---
 tests/routes/portfolios/test_admin.py | 30 +++++++++++++++++++++++++++
 2 files changed, 35 insertions(+), 3 deletions(-)
diff --git a/atst/routes/portfolios/index.py b/atst/routes/portfolios/index.py
index 46fa0a0e..444fc60b 100644
--- a/atst/routes/portfolios/index.py
+++ b/atst/routes/portfolios/index.py
@@ -107,10 +107,12 @@ def edit_portfolio_members(portfolio_id):
 if member_perms_form.validate():
 for subform in member_perms_form.members_permissions:
- new_perm_set = subform.data["permission_sets"]
 user_id = subform.user_id.data
- portfolio_role = PortfolioRoles.get(portfolio.id, user_id)
- PortfolioRoles.update(portfolio_role, new_perm_set)
+ member = Users.get(user_id=user_id)
+ if member is not portfolio.owner:
+ new_perm_set = subform.data["permission_sets"]
+ portfolio_role = PortfolioRoles.get(portfolio.id, user_id)
+ PortfolioRoles.update(portfolio_role, new_perm_set)
 flash("update_portfolio_members", portfolio=portfolio)
diff --git a/tests/routes/portfolios/test_admin.py b/tests/routes/portfolios/test_admin.py
index 522dcb0c..286e4aa4 100644
--- a/tests/routes/portfolios/test_admin.py
+++ b/tests/routes/portfolios/test_admin.py
@@ -1,6 +1,7 @@
 from flask import url_for
 from atst.domain.permission_sets import PermissionSets
+from atst.domain.portfolio_roles import PortfolioRoles
 from tests.factories import PortfolioFactory, PortfolioRoleFactory, UserFactory
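Review bot: In `edit_portfolio_members` (atst/routes/portfolios/index.py), the new guard `if member is not portfolio.owner:` is an identity test between two separately loaded objects, so the PPoC's permissions stay protected only while both lookups hand back the same Python object, which presumably holds inside one ORM session but is not visible here; comparing keys, `if member.id != portfolio.owner.id:`, does not depend on that. `Users` is not imported anywhere in this hunk, so confirm it is already in scope in index.py. The guard also skips the PPoC's subform silently and the request still ends in the `update_portfolio_members` flash; since this is an authorization control, a log entry for the skipped attempt would give reviewers something to audit. The function starts and ends outside the hunk.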
@@ -130,3 +131,32 @@ def test_rerender_admin_page_if_member_perms_form_does_not_validate(
 )
 assert response.status_code == 200
 assert "Portfolio Administration" in response.data.decode()
+
+
+def test_cannot_update_portfolio_ppoc_perms(client, user_session):
+ portfolio = PortfolioFactory.create()
+ ppoc = portfolio.owner
+ ppoc_pf_role = PortfolioRoles.get(portfolio_id=portfolio.id, user_id=ppoc.id)
+ user = UserFactory.create()
+ PortfolioRoleFactory.create(portfolio=portfolio, user=user)
+
+ user_session(user)
+
+ assert ppoc_pf_role.has_permission_set(PermissionSets.PORTFOLIO_POC)
+
+ member_perms_data = {
+ "members_permissions-0-user_id": ppoc.id,
+ "members_permissions-0-perms_app_mgmt": "view_portfolio_application_management",
+ "members_permissions-0-perms_funding": "view_portfolio_funding",
+ "members_permissions-0-perms_reporting": "view_portfolio_reports",
+ "members_permissions-0-perms_portfolio_mgmt": "view_portfolio_admin",
+ }
+
+ response = client.post(
+ url_for("portfolios.edit_portfolio_members", portfolio_id=portfolio.id),
+ data=member_perms_data,
+ follow_redirects=True,
+ )
+
+ assert response.status_code == 404
+ assert ppoc_pf_role.has_permission_set(PermissionSets.PORTFOLIO_POC)
From 32a7cbb80a77f11a16080511696a3914c18ef019 Mon Sep 17 00:00:00 2001
From: leigh-mil
Date: Mon, 8 Apr 2019 15:02:41 -0400
Subject: [PATCH 2/2] Disable form fields for PPoC
---
 styles/components/_portfolio_layout.scss | 31 +++++++++++++++++++++
 templates/components/options_input.html | 4 +--
 templates/fragments/admin/members_edit.html | 17 ++++++-----
 3 files changed, 43 insertions(+), 9 deletions(-)
diff --git a/styles/components/_portfolio_layout.scss b/styles/components/_portfolio_layout.scss
index 1f24f582..359e4a5f 100644
--- a/styles/components/_portfolio_layout.scss
+++ b/styles/components/_portfolio_layout.scss
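Review bot: `test_cannot_update_portfolio_ppoc_perms` asserts `response.status_code == 404`, which suggests the POST is rejected before the permission loop runs — presumably because `user` is created with a default `PortfolioRoleFactory` role that may not edit members — so the new PPoC guard in `edit_portfolio_members` is probably never exercised and the test would pass without it. Log in a member who is allowed to edit portfolio members, expect the normal success response, and then check the owner's role. The final assertion also reuses the `ppoc_pf_role` object fetched before the request; re-reading it with `PortfolioRoles.get(portfolio_id=portfolio.id, user_id=ppoc.id)` after the POST makes sure the stored role is what gets checked.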
@@ -295,6 +295,37 @@
 background: $color-red;
 }
+ select {
+ padding-left: 1.2rem
+ }
+
+ .members-table-ppoc {
+ select::-ms-expand {
+ display: none;
+ }
+
+ select {
+ -webkit-appearance: none;
+ -moz-appearance: none;
+ appearance: none;
+ display: block;
+ width: 100%;
+ float: right;
+ margin: 5px 0px;
+ padding: 0px 24px;
+ background-image: none;
+ -ms-word-break: normal;
+ word-break: normal;
+ padding-right: 3rem;
+ padding-left: 1.2rem;
+ }
+
+ select:hover {
+ box-shadow: none;
+ color: $color-base;
+ }
+ }
+
 .members-table-footer {
 float: right;
 padding: 3 * $gap 0;
diff --git a/templates/components/options_input.html b/templates/components/options_input.html
index 12ce0013..ff8af362 100644
--- a/templates/components/options_input.html
+++ b/templates/components/options_input.html
@@ -1,7 +1,7 @@
 {% from "components/icon.html" import Icon %}
 {% from "components/tooltip.html" import Tooltip %}
-{% macro OptionsInput(field, tooltip, inline=False, label=True) -%}
+{% macro OptionsInput(field, tooltip, inline=False, label=True, disabled=False) -%}
 {% endif %}
- {{ field() }}
+ {{ field(disabled=disabled) }}