From b379972446d02e973891bb71c8c7014c4fdf5008 Mon Sep 17 00:00:00 2001
From: Montana
Date: Fri, 31 Aug 2018 15:44:15 -0400
Subject: [PATCH] Check permissions before viewing member edit page
---
 atst/domain/authz.py | 6 ++++++
 atst/models/workspace.py | 2 +-
 atst/models/workspace_user.py | 1 -
 atst/routes/workspaces.py | 24 ++++++++++++++++--------
 4 files changed, 23 insertions(+), 10 deletions(-)
diff --git a/atst/domain/authz.py b/atst/domain/authz.py
index 20bd539f..65db9894 100644
--- a/atst/domain/authz.py
+++ b/atst/domain/authz.py
@@ -1,5 +1,6 @@
 from atst.domain.workspace_users import WorkspaceUsers
 from atst.models.permissions import Permissions
+from atst.domain.exceptions import UnauthorizedError
 class Authorization(object):
@@ -23,3 +24,8 @@ class Authorization(object):
 return True
 return False
+
+ @classmethod
+ def check_workspace_permission(cls, user, workspace, permission, message):
+ if not Authorization.has_workspace_permission(user, workspace, permission):
+ raise UnauthorizedError(user, message)
diff --git a/atst/models/workspace.py b/atst/models/workspace.py
index 1128079a..9052e204 100644
--- a/atst/models/workspace.py
+++ b/atst/models/workspace.py
@@ -69,4 +69,4 @@ class Workspace(Base, TimestampsMixin):
 @property
 def members(self):
- return [ WorkspaceUser(role.user, role) for role in self.roles]
+ return [WorkspaceUser(role.user, role) for role in self.roles]
diff --git a/atst/models/workspace_user.py b/atst/models/workspace_user.py
index 59576a17..3c92707e 100644
--- a/atst/models/workspace_user.py
+++ b/atst/models/workspace_user.py
@@ -32,4 +32,3 @@ class WorkspaceUser(object):
 @property
 def status(self):
 return "radical"
-
diff --git a/atst/routes/workspaces.py b/atst/routes/workspaces.py
index f6e8a5f1..7506aa45 100644
--- a/atst/routes/workspaces.py
+++ b/atst/routes/workspaces.py
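Review bot: `check_workspace_permission` is declared as a classmethod but calls `Authorization.has_workspace_permission` by its class name, so the `cls` binding is unused and any subclass override of `has_workspace_permission` would be bypassed; `if not cls.has_workspace_permission(user, workspace, permission):` keeps the two in step. The new method also has no docstring, and since it raises rather than returns a boolean a reader needs that stated: `"""Raise UnauthorizedError(user, message) unless user holds permission on workspace; return None otherwise."""`. Whether `atst.domain.exceptions` itself imports from `atst.domain.authz` is not visible here, so the new import should be checked for a cycle. `has_workspace_permission` starts outside the hunk; only its two trailing return statements are shown.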
@@ -127,12 +127,22 @@ def create_member(workspace_id):
 @bp.route("/workspaces//members//member_edit")
 def view_member(workspace_id, member_id):
 workspace = Workspaces.get(g.current_user, workspace_id)
+ Authorization.check_workspace_permission(
+ g.current_user,
+ workspace,
+ Permissions.ASSIGN_AND_UNASSIGN_ATAT_ROLE,
+ "edit this workspace user",
+ )
 member = WorkspaceUsers.get(workspace_id, member_id)
 form = NewMemberForm(http_request.form)
+ return render_template(
+ "member_edit.html", form=form, workspace=workspace, member=member
+ )
- return render_template("member_edit.html", form=form, workspace=workspace, member=member)
-@bp.route("/workspaces//members//member_edit", methods=['POST'])
+@bp.route(
+ "/workspaces//members//member_edit", methods=["POST"]
+)
 def update_member(workspace_id, member_id):
 workspace = Workspaces.get(g.current_user, workspace_id)
 member = WorkspaceUsers.get(workspace_id, member_id)
@@ -140,11 +150,9 @@ def update_member(workspace_id, member_id):
 if form.validate():
 return redirect(
- url_for(
- "workspaces.workspace_members",
- workspace_id=workspace.id,
- )
+ url_for("workspaces.workspace_members", workspace_id=workspace.id)
 )
 else:
- return render_template("member_edit.html", form=form, workspace=workspace, member=member)
-
+ return render_template(
+ "member_edit.html", form=form, workspace=workspace, member=member
+ )
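Review bot: The permission gate is added only to `view_member`, the GET handler that renders the form; `update_member`, the POST handler that applies the change, still goes straight from `Workspaces.get` to `WorkspaceUsers.get` with no `check_workspace_permission` call, so the mutating path stays unguarded and the GET check is only cosmetic. `update_member`'s body continues past the hunk and one unseen line sits between the two hunks, but nothing visible suggests the check lives there; it should be the same call, placed right after the workspace lookup, as below. `Workspaces.get` takes the current user and may enforce a coarser membership check, but that does not substitute for the role-assignment permission. The route strings show empty `//` segments, presumably an extraction artifact that dropped the `<workspace_id>`/`<member_id>` converters, so they need no change.
```python
def update_member(workspace_id, member_id):
    workspace = Workspaces.get(g.current_user, workspace_id)
    Authorization.check_workspace_permission(
        g.current_user,
        workspace,
        Permissions.ASSIGN_AND_UNASSIGN_ATAT_ROLE,
        "edit this workspace user",
    )
    member = WorkspaceUsers.get(workspace_id, member_id)
    # … unchanged: form construction, validate / redirect / render_template …
```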