pk/atst
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

push authorization check for request approval into the requests domain

Browse Source
This commit is contained in:
dandds
2018-09-11 16:05:33 -04:00
parent 6859d562d6
commit 7949bdea18
2 changed files with 17 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
atst/domain/requests.py
View File

@@ -58,17 +58,31 @@ class Requests(object):
return False return False
@classmethod @classmethod
def get(cls, user, request_id): def _get(cls, user, request_id):
try: try:
request = db.session.query(Request).filter_by(id=request_id).one() request = db.session.query(Request).filter_by(id=request_id).one()
except (NoResultFound, exc.DataError): except (NoResultFound, exc.DataError):
raise NotFoundError("request") raise NotFoundError("request")
return request
@classmethod
def get(cls, user, request_id):
request = Requests._get(user, request_id)
if not Authorization.can_view_request(user, request): if not Authorization.can_view_request(user, request):
raise UnauthorizedError(user, "get request") raise UnauthorizedError(user, "get request")
return request return request
@classmethod
def get_for_approval(cls, user, request_id):
request = Requests._get(user, request_id)
Authorization.check_can_approve_request(user)
return request
@classmethod @classmethod
def get_many(cls, creator=None): def get_many(cls, creator=None):
filters = [] filters = []

7
atst/routes/requests/approval.py
View File

@@ -11,7 +11,6 @@ from flask import current_app as app
from . import requests_bp from . import requests_bp
from atst.domain.requests import Requests from atst.domain.requests import Requests
from atst.domain.exceptions import NotFoundError from atst.domain.exceptions import NotFoundError
from atst.domain.authz import Authorization
from atst.forms.ccpo_review import CCPOReviewForm from atst.forms.ccpo_review import CCPOReviewForm
@@ -46,16 +45,14 @@ def render_approval(request, form=None):
@requests_bp.route("/requests/approval/<string:request_id>", methods=["GET"]) @requests_bp.route("/requests/approval/<string:request_id>", methods=["GET"])
def approval(request_id): def approval(request_id):
request = Requests.get(g.current_user, request_id) request = Requests.get_for_approval(g.current_user, request_id)
Authorization.check_can_approve_request(g.current_user)
return render_approval(request) return render_approval(request)
@requests_bp.route("/requests/submit_approval/<string:request_id>", methods=["POST"]) @requests_bp.route("/requests/submit_approval/<string:request_id>", methods=["POST"])
def submit_approval(request_id): def submit_approval(request_id):
request = Requests.get(g.current_user, request_id) request = Requests.get_for_approval(g.current_user, request_id)
Authorization.check_can_approve_request(g.current_user)
form = CCPOReviewForm(http_request.form) form = CCPOReviewForm(http_request.form)
if form.validate(): if form.validate():