Check permissions before viewing member edit page

2018-08-31 15:44:15 -04:00 · 2018-08-31 15:44:15 -04:00 · b379972446
commit b379972446
parent ea1a3926ac
4 changed files with 23 additions and 10 deletions
--- a/atst/domain/authz.py
+++ b/atst/domain/authz.py
@ -1,5 +1,6 @@
 from atst.domain.workspace_users import WorkspaceUsers
 from atst.models.permissions import Permissions
+from atst.domain.exceptions import UnauthorizedError


 class Authorization(object):
@ -23,3 +24,8 @@ class Authorization(object):
            return True

        return False
+
+    @classmethod
+    def check_workspace_permission(cls, user, workspace, permission, message):
+        if not Authorization.has_workspace_permission(user, workspace, permission):
+            raise UnauthorizedError(user, message)
--- a/atst/models/workspace.py
+++ b/atst/models/workspace.py
@ -69,4 +69,4 @@ class Workspace(Base, TimestampsMixin):

    @property
    def members(self):
-        return [ WorkspaceUser(role.user, role) for role in self.roles]
+        return [WorkspaceUser(role.user, role) for role in self.roles]
--- a/atst/models/workspace_user.py
+++ b/atst/models/workspace_user.py
@ -32,4 +32,3 @@ class WorkspaceUser(object):
    @property
    def status(self):
        return "radical"
-
--- a/atst/routes/workspaces.py
+++ b/atst/routes/workspaces.py
@ -127,12 +127,22 @@ def create_member(workspace_id):
@bp.route("/workspaces/<workspace_id>/members/<member_id>/member_edit")
 def view_member(workspace_id, member_id):
    workspace = Workspaces.get(g.current_user, workspace_id)
+    Authorization.check_workspace_permission(
+        g.current_user,
+        workspace,
+        Permissions.ASSIGN_AND_UNASSIGN_ATAT_ROLE,
+        "edit this workspace user",
+    )
    member = WorkspaceUsers.get(workspace_id, member_id)
    form = NewMemberForm(http_request.form)
+    return render_template(
+        "member_edit.html", form=form, workspace=workspace, member=member
+    )

-    return render_template("member_edit.html", form=form, workspace=workspace, member=member)

-@bp.route("/workspaces/<workspace_id>/members/<member_id>/member_edit", methods=['POST'])
+@bp.route(
+    "/workspaces/<workspace_id>/members/<member_id>/member_edit", methods=["POST"]
+)
 def update_member(workspace_id, member_id):
    workspace = Workspaces.get(g.current_user, workspace_id)
    member = WorkspaceUsers.get(workspace_id, member_id)
@ -140,11 +150,9 @@ def update_member(workspace_id, member_id):

    if form.validate():
        return redirect(
-            url_for(
-                "workspaces.workspace_members",
-                workspace_id=workspace.id,
-            )
+            url_for("workspaces.workspace_members", workspace_id=workspace.id)
        )
    else:
-        return render_template("member_edit.html", form=form, workspace=workspace, member=member)
-
+        return render_template(
+            "member_edit.html", form=form, workspace=workspace, member=member
+        )