Check permissions before viewing member edit page
@@ -1,5 +1,6 @@
|
|||||||
from atst.domain.workspace_users import WorkspaceUsers
|
from atst.domain.workspace_users import WorkspaceUsers
|
||||||
from atst.models.permissions import Permissions
|
from atst.models.permissions import Permissions
|
||||||
|
from atst.domain.exceptions import UnauthorizedError
|
||||||
|
|
||||||
|
|
||||||
class Authorization(object):
|
class Authorization(object):
|
||||||
@@ -23,3 +24,8 @@ class Authorization(object):
|
|||||||
return True
|
return True
|
||||||
|
|
||||||
return False
|
return False
|
||||||
|
|
||||||
|
@classmethod
|
||||||
|
def check_workspace_permission(cls, user, workspace, permission, message):
|
||||||
|
if not Authorization.has_workspace_permission(user, workspace, permission):
|
||||||
|
raise UnauthorizedError(user, message)
|
||||||
|
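Review bot: The new `check_workspace_permission` classmethod has no docstring, and it dispatches through the hard-coded class name `Authorization.has_workspace_permission(...)` even though it receives `cls`; `cls.has_workspace_permission(user, workspace, permission)` keeps the check overridable by subclasses and matches the classmethod idiom. I would add a short docstring such as `"""Raise UnauthorizedError(user, message) unless user holds permission on workspace."""` so callers know the method raises rather than returns a boolean, which is the contract the route code relies on. The `has_workspace_permission` method itself starts above this hunk, so I cannot tell from here whether it handles a missing workspace role.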
@@ -32,4 +32,3 @@ class WorkspaceUser(object):
|
|||||||
@property
|
@property
|
||||||
def status(self):
|
def status(self):
|
||||||
return "radical"
|
return "radical"
|
||||||
|
|
||||||
|
@@ -127,12 +127,22 @@ def create_member(workspace_id):
|
|||||||
@bp.route("/workspaces/<workspace_id>/members/<member_id>/member_edit")
|
@bp.route("/workspaces/<workspace_id>/members/<member_id>/member_edit")
|
||||||
def view_member(workspace_id, member_id):
|
def view_member(workspace_id, member_id):
|
||||||
workspace = Workspaces.get(g.current_user, workspace_id)
|
workspace = Workspaces.get(g.current_user, workspace_id)
|
||||||
|
Authorization.check_workspace_permission(
|
||||||
|
g.current_user,
|
||||||
|
workspace,
|
||||||
|
Permissions.ASSIGN_AND_UNASSIGN_ATAT_ROLE,
|
||||||
|
"edit this workspace user",
|
||||||
|
)
|
||||||
member = WorkspaceUsers.get(workspace_id, member_id)
|
member = WorkspaceUsers.get(workspace_id, member_id)
|
||||||
form = NewMemberForm(http_request.form)
|
form = NewMemberForm(http_request.form)
|
||||||
|
return render_template(
|
||||||
|
"member_edit.html", form=form, workspace=workspace, member=member
|
||||||
|
)
|
||||||
|
|
||||||
return render_template("member_edit.html", form=form, workspace=workspace, member=member)
|
|
||||||
|
|
||||||
@bp.route("/workspaces/<workspace_id>/members/<member_id>/member_edit", methods=['POST'])
|
@bp.route(
|
||||||
|
"/workspaces/<workspace_id>/members/<member_id>/member_edit", methods=["POST"]
|
||||||
|
)
|
||||||
def update_member(workspace_id, member_id):
|
def update_member(workspace_id, member_id):
|
||||||
workspace = Workspaces.get(g.current_user, workspace_id)
|
workspace = Workspaces.get(g.current_user, workspace_id)
|
||||||
member = WorkspaceUsers.get(workspace_id, member_id)
|
member = WorkspaceUsers.get(workspace_id, member_id)
|
||||||
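Review bot: Only the GET handler `view_member` gains the `Authorization.check_workspace_permission` call; the POST handler `update_member` that follows still fetches the workspace and member with no permission check visible in this hunk, which would leave the state-changing path less guarded than the read-only page it renders. The body of `update_member` continues past the hunk (and the next hunk starts at its `if form.validate():`), so the check may live in the unshown lines, but if it does not, the same guard belongs right after `workspace = Workspaces.get(g.current_user, workspace_id)`: `Authorization.check_workspace_permission(g.current_user, workspace, Permissions.ASSIGN_AND_UNASSIGN_ATAT_ROLE, "edit this workspace user")`. It would also be worth asserting in a test that the POST route returns the unauthorized response for a user without that permission, since the GET-only check is easy to regress.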
@@ -140,11 +150,9 @@ def update_member(workspace_id, member_id):
|
|||||||
|
|
||||||
if form.validate():
|
if form.validate():
|
||||||
return redirect(
|
return redirect(
|
||||||
url_for(
|
url_for("workspaces.workspace_members", workspace_id=workspace.id)
|
||||||
"workspaces.workspace_members",
|
|
||||||
workspace_id=workspace.id,
|
|
||||||
)
|
|
||||||
)
|
)
|
||||||
else:
|
else:
|
||||||
return render_template("member_edit.html", form=form, workspace=workspace, member=member)
|
return render_template(
|
||||||
|
"member_edit.html", form=form, workspace=workspace, member=member
|
||||||
|
)
|
||||||
|