Ensure workspace access can be revoked

2018-11-26 11:58:32 -05:00
parent 27cf1783e3
commit 8430b769f3
5 changed files with 39 additions and 4 deletions
--- a/atst/domain/workspaces/init.py
+++ b/atst/domain/workspaces/init.py
@@ -1 +1 @@
-from .workspaces import Workspaces
+from .workspaces import Workspaces, WorkspaceError
--- a/atst/domain/workspaces/workspaces.py
+++ b/atst/domain/workspaces/workspaces.py
@@ -10,6 +10,10 @@ from .query import WorkspacesQuery
 from .scopes import ScopedWorkspace


+class WorkspaceError(Exception):
+    pass
+
+
 class Workspaces(object):
    @classmethod
    def create(cls, request, name=None):
@@ -140,6 +144,10 @@ class Workspaces(object):

        WorkspacesQuery.add_and_commit(workspace)

+    @classmethod
+    def can_revoke_access(cls, workspace, workspace_role):
+        return workspace_role.user != workspace.owner
+
    @classmethod
    def revoke_access(cls, user, workspace_id, workspace_role_id):
        workspace = WorkspacesQuery.get(workspace_id)
@@ -150,8 +158,14 @@ class Workspaces(object):
            "revoke workspace access",
        )
        workspace_role = WorkspaceRoles.get_by_id(workspace_role_id)
+
+        if not Workspaces.can_revoke_access(workspace, workspace_role):
+            raise WorkspaceError()
+
        workspace_role.status = WorkspaceRoleStatus.DISABLED
        for environment in workspace.all_environments:
            # TODO: Implement Environments.revoke_access
            Environments.revoke_access(user, environment, workspace_role.user)
-        return WorkspacesQuery.add_and_commit(workspace_role)
+        WorkspacesQuery.add_and_commit(workspace_role)
+
+        return workspace_role
--- a/atst/routes/errors.py
+++ b/atst/routes/errors.py
@@ -8,6 +8,7 @@ from atst.domain.invitations import (
    ExpiredError as InvitationExpiredError,
    WrongUserError as InvitationWrongUserError,
 )
+from atst.domain.workspaces import WorkspaceError


 def log_error(e):
@@ -24,6 +25,7 @@ def make_error_pages(app):
    @app.errorhandler(werkzeug_exceptions.NotFound)
    @app.errorhandler(exceptions.NotFoundError)
    @app.errorhandler(exceptions.UnauthorizedError)
+    @app.errorhandler(WorkspaceError)
    # pylint: disable=unused-variable
    def not_found(e):
        return handle_error(e)