check user is ccpo for request approval page

atst/domain/authz.py

@@ -25,6 +25,16 @@ class Authorization(object):
 
         return False
 
+    @classmethod
+    def check_can_approve_request(cls, user):
+        if (
+            Permissions.REVIEW_AND_APPROVE_JEDI_WORKSPACE_REQUEST
+            in user.atat_permissions
+        ):
+            return True
+        else:
+            raise UnauthorizedError(user, "cannot review and approve requests")
+
     @classmethod
     def check_workspace_permission(cls, user, workspace, permission, message):
         if not Authorization.has_workspace_permission(user, workspace, permission):

atst/routes/requests/approval.py

@@ -4,6 +4,7 @@ from flask import current_app as app
 from . import requests_bp
 from atst.domain.requests import Requests
 from atst.domain.exceptions import NotFoundError
+from atst.domain.authz import Authorization
 
 
 def task_order_dictionary(task_order):
@@ -17,11 +18,18 @@ def task_order_dictionary(task_order):
 @requests_bp.route("/requests/approval/<string:request_id>", methods=["GET"])
 def approval(request_id):
     request = Requests.get(g.current_user, request_id)
+    Authorization.check_can_approve_request(g.current_user)
+
     data = request.body
     if request.task_order:
         data["task_order"] = task_order_dictionary(request.task_order)
 
-    return render_template("requests/approval.html", data=data, request_id=request.id, financial_review=True)
+    return render_template(
+        "requests/approval.html",
+        data=data,
+        request_id=request.id,
+        financial_review=True,
+    )
 
 
 @requests_bp.route("/requests/task_order_download/<string:request_id>", methods=["GET"])

tests/routes/test_request_approval.py

@@ -2,11 +2,28 @@ import os
 from flask import url_for
 
 from atst.models.attachment import Attachment
+from atst.domain.roles import Roles
+
 from tests.factories import RequestFactory, TaskOrderFactory, UserFactory
 
 
-def test_approval():
+def test_ccpo_can_view_approval(user_session, client):
-    pass
+    ccpo = Roles.get("ccpo")
+    user = UserFactory.create(atat_role=ccpo)
+    user_session(user)
+
+    request = RequestFactory.create()
+    response = client.get(url_for("requests.approval", request_id=request.id))
+    assert response.status_code == 200
+
+
+def test_non_ccpo_cannot_view_approval(user_session, client):
+    user = UserFactory.create()
+    user_session(user)
+
+    request = RequestFactory.create(creator=user)
+    response = client.get(url_for("requests.approval", request_id=request.id))
+    assert response.status_code == 404
 
 
 def test_task_order_download(app, client, user_session, pdf_upload):
@@ -21,12 +38,16 @@ def test_task_order_download(app, client, user_session, pdf_upload):
     pdf_upload.seek(0)
     pdf_content = pdf_upload.read()
     pdf_upload.close()
-    full_path = os.path.join(app.config.get("STORAGE_CONTAINER"), attachment.object_name)
+    full_path = os.path.join(
+        app.config.get("STORAGE_CONTAINER"), attachment.object_name
+    )
     with open(full_path, "wb") as output_file:
         output_file.write(pdf_content)
         output_file.flush()
 
-    response = client.get(url_for("requests.task_order_pdf_download", request_id=request.id))
+    response = client.get(
+        url_for("requests.task_order_pdf_download", request_id=request.id)
+    )
     assert response.data == pdf_content
 
 
@@ -34,5 +55,7 @@ def test_task_order_download_does_not_exist(client, user_session):
     user = UserFactory.create()
     user_session(user)
     request = RequestFactory.create(creator=user)
-    response = client.get(url_for("requests.task_order_pdf_download", request_id=request.id))
+    response = client.get(
+        url_for("requests.task_order_pdf_download", request_id=request.id)
+    )
     assert response.status_code == 404