push authorization check for request approval into the requests domain

2018-09-11 16:05:33 -04:00 · 2018-09-11 16:05:33 -04:00 · 7949bdea18
commit 7949bdea18
parent 6859d562d6
2 changed files with 17 additions and 6 deletions
--- a/atst/domain/requests.py
+++ b/atst/domain/requests.py
@ -58,17 +58,31 @@ class Requests(object):
            return False

    @classmethod
-    def get(cls, user, request_id):
+    def _get(cls, user, request_id):
        try:
            request = db.session.query(Request).filter_by(id=request_id).one()
        except (NoResultFound, exc.DataError):
            raise NotFoundError("request")

+        return request
+
+    @classmethod
+    def get(cls, user, request_id):
+        request = Requests._get(user, request_id)
+
        if not Authorization.can_view_request(user, request):
            raise UnauthorizedError(user, "get request")

        return request

+    @classmethod
+    def get_for_approval(cls, user, request_id):
+        request = Requests._get(user, request_id)
+
+        Authorization.check_can_approve_request(user)
+
+        return request
+
    @classmethod
    def get_many(cls, creator=None):
        filters = []
--- a/atst/routes/requests/approval.py
+++ b/atst/routes/requests/approval.py
@ -11,7 +11,6 @@ from flask import current_app as app
 from . import requests_bp
 from atst.domain.requests import Requests
 from atst.domain.exceptions import NotFoundError
-from atst.domain.authz import Authorization
 from atst.forms.ccpo_review import CCPOReviewForm


@ -46,16 +45,14 @@ def render_approval(request, form=None):

@requests_bp.route("/requests/approval/<string:request_id>", methods=["GET"])
 def approval(request_id):
-    request = Requests.get(g.current_user, request_id)
-    Authorization.check_can_approve_request(g.current_user)
+    request = Requests.get_for_approval(g.current_user, request_id)

    return render_approval(request)


@requests_bp.route("/requests/submit_approval/<string:request_id>", methods=["POST"])
 def submit_approval(request_id):
-    request = Requests.get(g.current_user, request_id)
-    Authorization.check_can_approve_request(g.current_user)
+    request = Requests.get_for_approval(g.current_user, request_id)

    form = CCPOReviewForm(http_request.form)
    if form.validate():