From 7949bdea18afbf9b864240601883626643e98238 Mon Sep 17 00:00:00 2001
From: dandds
Date: Tue, 11 Sep 2018 16:05:33 -0400
Subject: [PATCH] push authorization check for request approval into the requests domain
---
 atst/domain/requests.py | 16 +++++++++++++++-
 atst/routes/requests/approval.py | 7 ++-----
 2 files changed, 17 insertions(+), 6 deletions(-)
diff --git a/atst/domain/requests.py b/atst/domain/requests.py
index 2c2ccdab..47629ebc 100644
--- a/atst/domain/requests.py
+++ b/atst/domain/requests.py
@@ -58,17 +58,31 @@ class Requests(object):
 return False
 @classmethod
- def get(cls, user, request_id):
+ def _get(cls, user, request_id):
 try:
 request = db.session.query(Request).filter_by(id=request_id).one()
 except (NoResultFound, exc.DataError):
 raise NotFoundError("request")
+ return request
+
+ @classmethod
+ def get(cls, user, request_id):
+ request = Requests._get(user, request_id)
+
 if not Authorization.can_view_request(user, request):
 raise UnauthorizedError(user, "get request")
 return request
+ @classmethod
+ def get_for_approval(cls, user, request_id):
+ request = Requests._get(user, request_id)
+
+ Authorization.check_can_approve_request(user)
+
+ return request
+
 @classmethod
 def get_many(cls, creator=None):
 filters = []
diff --git a/atst/routes/requests/approval.py b/atst/routes/requests/approval.py
index 1555c389..27445023 100644
--- a/atst/routes/requests/approval.py
+++ b/atst/routes/requests/approval.py
@@ -11,7 +11,6 @@ from flask import current_app as app
 from . import requests_bp
 from atst.domain.requests import Requests
 from atst.domain.exceptions import NotFoundError
-from atst.domain.authz import Authorization
 from atst.forms.ccpo_review import CCPOReviewForm
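Review bot: In `get_for_approval` (the `atst/domain/requests.py` hunk) the request is loaded before `Authorization.check_can_approve_request(user)` runs, so a caller without approval rights gets `NotFoundError` for an unknown id and, presumably, an authorization error for a real one, which lets them tell existing ids from missing ones. The check takes only `user`, so it can run first: `Authorization.check_can_approve_request(user)` followed by `return cls._get(user, request_id)`. The new method also no longer passes through `Authorization.can_view_request`, which the routes previously got via `Requests.get`; if approvers are meant to see every request that is fine, but a one-line comment should say the omission is deliberate. `_get` accepts `user` without using it and performs no authorization, so a docstring such as `"""Load a request by id with no permission check; callers must authorize."""` would discourage calling it directly from a route.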
@@ -46,16 +45,14 @@ def render_approval(request, form=None):
 @requests_bp.route("/requests/approval/", methods=["GET"])
 def approval(request_id):
- request = Requests.get(g.current_user, request_id)
- Authorization.check_can_approve_request(g.current_user)
+ request = Requests.get_for_approval(g.current_user, request_id)
 return render_approval(request)
 @requests_bp.route("/requests/submit_approval/", methods=["POST"])
 def submit_approval(request_id):
- request = Requests.get(g.current_user, request_id)
- Authorization.check_can_approve_request(g.current_user)
+ request = Requests.get_for_approval(g.current_user, request_id)
 form = CCPOReviewForm(http_request.form)
 if form.validate():
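Review bot: Both handlers now depend on `Requests.get_for_approval` to enforce the approval permission as a side effect of the lookup, and nothing at the call sites says so. A short comment above each call, e.g. `# raises if g.current_user may not approve requests`, would make it harder for a later edit to swap in `Requests.get` and silently drop the check from the POST handler. `submit_approval` continues past the end of the hunk, so how the validated form is applied is not visible here.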