restrict workspace information updates to owner and admins

2018-09-17 13:30:25 -04:00 · 2018-09-17 13:30:25 -04:00 · bba2a2b283
commit bba2a2b283
parent c3f89ba149
4 changed files with 63 additions and 3 deletions
--- a/alembic/versions/4c425f17bfe8_add_edit_workspace_information_.py
+++ b/alembic/versions/4c425f17bfe8_add_edit_workspace_information_.py
@ -0,0 +1,43 @@
+"""add edit workspace information permission
+
+Revision ID: 4c425f17bfe8
+Revises: 2572be7fb7fc
+Create Date: 2018-09-17 13:14:38.781744
+
+"""
+from alembic import op
+from sqlalchemy.orm.session import Session
+
+from atst.models.role import Role
+from atst.models.permissions import Permissions
+
+
+# revision identifiers, used by Alembic.
+revision = '4c425f17bfe8'
+down_revision = '2572be7fb7fc'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    session = Session(bind=op.get_bind())
+
+    owner_and_admin = session.query(Role).filter(Role.name.in_(["owner", "admin"])).all()
+    for role in owner_and_admin:
+        role.add_permission(Permissions.EDIT_WORKSPACE_INFORMATION)
+        session.add(role)
+
+    session.flush()
+    session.commit()
+
+
+def downgrade():
+    session = Session(bind=op.get_bind())
+
+    owner_and_admin = session.query(Role).filter(Role.name.in_(["owner", "admin"])).all()
+    for role in owner_and_ccpo:
+        role.remove_permission(Permissions.EDIT_WORKSPACE_INFORMATION)
+        session.add(role)
+
+    session.flush()
+    session.commit()
--- a/atst/domain/workspaces/workspaces.py
+++ b/atst/domain/workspaces/workspaces.py
@ -38,9 +38,9 @@ class Workspaces(object):
    @classmethod
    def get_for_update_information(cls, user, workspace_id):
        workspace = WorkspacesQuery.get(workspace_id)
-        # Authorization.check_workspace_permission(
-        #     user, workspace, TBD, "update workspace information"
-        # )
+        Authorization.check_workspace_permission(
+            user, workspace, Permissions.EDIT_WORKSPACE_INFORMATION, "update workspace information"
+        )

        return workspace

--- a/atst/models/permissions.py
+++ b/atst/models/permissions.py
@ -20,6 +20,7 @@ class Permissions(object):
    VIEW_ASSIGNED_ATAT_ROLE_CONFIGURATIONS = "view_assigned_atat_role_configurations"
    VIEW_ASSIGNED_CSP_ROLE_CONFIGURATIONS = "view_assigned_csp_role_configurations"

+    EDIT_WORKSPACE_INFORMATION = "edit_workspace_information"
    DEACTIVATE_WORKSPACE = "deactivate_workspace"
    VIEW_ATAT_PERMISSIONS = "view_atat_permissions"
    TRANSFER_OWNERSHIP_OF_WORKSPACE = "transfer_ownership_of_workspace"
--- a/tests/domain/test_workspaces.py
+++ b/tests/domain/test_workspaces.py
@ -234,3 +234,19 @@ def test_for_user_returns_all_workspaces_for_ccpo(workspace, workspace_owner):

    sams_workspaces = Workspaces.for_user(sam)
    assert len(sams_workspaces) == 2
+
+
+def test_get_for_update_information():
+    workspace_owner = UserFactory.create()
+    workspace = Workspaces.create(RequestFactory.create(creator=workspace_owner))
+    owner_ws = Workspaces.get_for_update_information(workspace_owner, workspace.id)
+    assert workspace == owner_ws
+
+    admin = UserFactory.create()
+    Workspaces.add_member(workspace, admin, "admin")
+    admin_ws = Workspaces.get_for_update_information(admin, workspace.id)
+    assert workspace == admin_ws
+
+    ccpo = UserFactory.from_atat_role("ccpo")
+    with pytest.raises(UnauthorizedError):
+        Workspaces.get_for_update_information(ccpo, workspace.id)