From 8f97fc4cbf03499f817313fdab4be6785b59a4b5 Mon Sep 17 00:00:00 2001
From: dandds
Date: Thu, 6 Sep 2018 10:36:06 -0400
Subject: [PATCH] check user is ccpo for request approval page
---
 atst/domain/authz.py | 10 ++++++++
 atst/routes/requests/approval.py | 10 +++++++-
 tests/routes/test_request_approval.py | 33 +++++++++++++++++++++++----
 3 files changed, 47 insertions(+), 6 deletions(-)
diff --git a/atst/domain/authz.py b/atst/domain/authz.py
index 65db9894..467d5150 100644
--- a/atst/domain/authz.py
+++ b/atst/domain/authz.py
@@ -25,6 +25,16 @@ class Authorization(object):
 return False
+ @classmethod
+ def check_can_approve_request(cls, user):
+ if (
+ Permissions.REVIEW_AND_APPROVE_JEDI_WORKSPACE_REQUEST
+ in user.atat_permissions
+ ):
+ return True
+ else:
+ raise UnauthorizedError(user, "cannot review and approve requests")
+
 @classmethod
 def check_workspace_permission(cls, user, workspace, permission, message):
 if not Authorization.has_workspace_permission(user, workspace, permission):
diff --git a/atst/routes/requests/approval.py b/atst/routes/requests/approval.py
index e9525ec7..fefea484 100644
--- a/atst/routes/requests/approval.py
+++ b/atst/routes/requests/approval.py
@@ -4,6 +4,7 @@ from flask import current_app as app
 from . import requests_bp
 from atst.domain.requests import Requests
 from atst.domain.exceptions import NotFoundError
+from atst.domain.authz import Authorization
 def task_order_dictionary(task_order):
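Review bot: The `else:` after `return True` in the new `check_can_approve_request` is redundant and makes the authorization fall-through harder to see at a glance; a guard clause reads as "allowed, otherwise refuse": `if Permissions.REVIEW_AND_APPROVE_JEDI_WORKSPACE_REQUEST in user.atat_permissions: return True` followed directly by `raise UnauthorizedError(user, "cannot review and approve requests")`. The method also has no docstring, while its behaviour differs from the `has_*` predicates on this class (it raises rather than returning False) and from the neighbouring `check_workspace_permission` (it reads `user.atat_permissions`, not a workspace role, and hard-codes its message); a one-line docstring such as `"""Raise UnauthorizedError unless *user* holds REVIEW_AND_APPROVE_JEDI_WORKSPACE_REQUEST in its ATAT-level permissions; returns True otherwise."""` would make that contract explicit to callers. Whether `atat_permissions` is the site-wide permission set is inferred from the name and should be confirmed against the User model, which is outside this hunk.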
@@ -17,11 +18,18 @@ def task_order_dictionary(task_order):
 @requests_bp.route("/requests/approval/", methods=["GET"])
 def approval(request_id):
 request = Requests.get(g.current_user, request_id)
+ Authorization.check_can_approve_request(g.current_user)
+
 data = request.body
 if request.task_order:
 data["task_order"] = task_order_dictionary(request.task_order)
- return render_template("requests/approval.html", data=data, request_id=request.id, financial_review=True)
+ return render_template(
+ "requests/approval.html",
+ data=data,
+ request_id=request.id,
+ financial_review=True,
+ )
 @requests_bp.route("/requests/task_order_download/", methods=["GET"])
diff --git a/tests/routes/test_request_approval.py b/tests/routes/test_request_approval.py
index 7e89026f..5680e30c 100644
--- a/tests/routes/test_request_approval.py
+++ b/tests/routes/test_request_approval.py
@@ -2,11 +2,28 @@ import os
 from flask import url_for
 from atst.models.attachment import Attachment
+from atst.domain.roles import Roles
+
 from tests.factories import RequestFactory, TaskOrderFactory, UserFactory
-def test_approval():
- pass
+def test_ccpo_can_view_approval(user_session, client):
+ ccpo = Roles.get("ccpo")
+ user = UserFactory.create(atat_role=ccpo)
+ user_session(user)
+
+ request = RequestFactory.create()
+ response = client.get(url_for("requests.approval", request_id=request.id))
+ assert response.status_code == 200
+
+
+def test_non_ccpo_cannot_view_approval(user_session, client):
+ user = UserFactory.create()
+ user_session(user)
+
+ request = RequestFactory.create(creator=user)
+ response = client.get(url_for("requests.approval", request_id=request.id))
+ assert response.status_code == 404
 def test_task_order_download(app, client, user_session, pdf_upload):
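Review bot: In `approval`, the new `Authorization.check_can_approve_request(g.current_user)` runs only after `Requests.get(g.current_user, request_id)` has already loaded the record, so the permission gate is evaluated after the lookup and whatever access rules `Requests.get` applies, rather than before any request data is read. Swapping the two lines — `Authorization.check_can_approve_request(g.current_user)` first, then `request = Requests.get(g.current_user, request_id)` — enforces the CCPO check before the database is touched and keeps the 404 the new test expects, assuming `UnauthorizedError` is turned into a 404 by an error handler outside this diff. The route decorator above reads `"/requests/approval/"` with no `<request_id>` converter here, which looks like an artifact of how the patch was rendered rather than the committed text; worth confirming against the file.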
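Review bot: `test_non_ccpo_cannot_view_approval` pins a 404 for what is a permission failure without saying why, which invites a later "fix" to 403; a comment on the assertion such as `# UnauthorizedError is presumably rendered as 404 so the page does not disclose whether the request exists — confirm against the error handler` records the intent (hedged, since the handler is not in this diff). The two new tests also leave the CCPO-requesting-a-nonexistent-id path uncovered, which is the only case where the relative order of `Requests.get` and the authorization check in `approval` is observable from the outside.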
@@ -21,12 +38,16 @@ def test_task_order_download(app, client, user_session, pdf_upload):
 pdf_upload.seek(0)
 pdf_content = pdf_upload.read()
 pdf_upload.close()
- full_path = os.path.join(app.config.get("STORAGE_CONTAINER"), attachment.object_name)
+ full_path = os.path.join(
+ app.config.get("STORAGE_CONTAINER"), attachment.object_name
+ )
 with open(full_path, "wb") as output_file:
 output_file.write(pdf_content)
 output_file.flush()
- response = client.get(url_for("requests.task_order_pdf_download", request_id=request.id))
+ response = client.get(
+ url_for("requests.task_order_pdf_download", request_id=request.id)
+ )
 assert response.data == pdf_content
@@ -34,5 +55,7 @@ def test_task_order_download_does_not_exist(client, user_session):
 user = UserFactory.create()
 user_session(user)
 request = RequestFactory.create(creator=user)
- response = client.get(url_for("requests.task_order_pdf_download", request_id=request.id))
+ response = client.get(
+ url_for("requests.task_order_pdf_download", request_id=request.id)
+ )
 assert response.status_code == 404