check user is ccpo for request approval page

2018-09-06 10:36:06 -04:00
parent 0391348b5d
commit 8f97fc4cbf
3 changed files with 47 additions and 6 deletions
--- a/atst/domain/authz.py
+++ b/atst/domain/authz.py
@@ -25,6 +25,16 @@ class Authorization(object):

        return False

+    @classmethod
+    def check_can_approve_request(cls, user):
+        if (
+            Permissions.REVIEW_AND_APPROVE_JEDI_WORKSPACE_REQUEST
+            in user.atat_permissions
+        ):
+            return True
+        else:
+            raise UnauthorizedError(user, "cannot review and approve requests")
+
    @classmethod
    def check_workspace_permission(cls, user, workspace, permission, message):
        if not Authorization.has_workspace_permission(user, workspace, permission):
--- a/atst/routes/requests/approval.py
+++ b/atst/routes/requests/approval.py
@@ -4,6 +4,7 @@ from flask import current_app as app
 from . import requests_bp
 from atst.domain.requests import Requests
 from atst.domain.exceptions import NotFoundError
+from atst.domain.authz import Authorization


 def task_order_dictionary(task_order):
@@ -17,11 +18,18 @@ def task_order_dictionary(task_order):
@requests_bp.route("/requests/approval/<string:request_id>", methods=["GET"])
 def approval(request_id):
    request = Requests.get(g.current_user, request_id)
+    Authorization.check_can_approve_request(g.current_user)
+
    data = request.body
    if request.task_order:
        data["task_order"] = task_order_dictionary(request.task_order)

-    return render_template("requests/approval.html", data=data, request_id=request.id, financial_review=True)
+    return render_template(
+        "requests/approval.html",
+        data=data,
+        request_id=request.id,
+        financial_review=True,
+    )


@requests_bp.route("/requests/task_order_download/<string:request_id>", methods=["GET"])