Scope access to applications, task orders, and environment roles.

These resources should be scoped to the portfolio when accessed from route functions.
2019-04-16 10:32:42 -04:00
parent eaeeed0b05
commit c1df245800
8 changed files with 95 additions and 20 deletions
--- a/atst/routes/task_orders/new.py
+++ b/atst/routes/task_orders/new.py
@@ -61,7 +61,12 @@ class ShowTaskOrderWorkflow:
    @property
    def task_order(self):
        if not self._task_order and self.task_order_id:
-            self._task_order = TaskOrders.get(self.task_order_id)
+            if self.portfolio_id:
+                self._task_order = TaskOrders.get(
+                    self.task_order_id, portfolio_id=self.portfolio_id
+                )
+            else:
+                self._task_order = TaskOrders.get(self.task_order_id)

        return self._task_order

@@ -260,6 +265,7 @@ def is_new_task_order(*_args, **kwargs):
    )


+# TODO: /task_orders/new/<int:screen>/<task_order_id> should not exist
@task_orders_bp.route("/task_orders/new/<int:screen>")
@task_orders_bp.route("/task_orders/new/<int:screen>/<task_order_id>")
@task_orders_bp.route("/portfolios/<portfolio_id>/task_orders/new/<int:screen>")
@@ -309,6 +315,7 @@ def new(screen, task_order_id=None, portfolio_id=None):
    return render_template(workflow.template, **template_args)


+# TODO: /task_orders/new/<int:screen>/<task_order_id> should not exist
@task_orders_bp.route("/task_orders/new/<int:screen>", methods=["POST"])
@task_orders_bp.route("/task_orders/new/<int:screen>/<task_order_id>", methods=["POST"])
@task_orders_bp.route(
--- a/atst/routes/task_orders/signing.py
+++ b/atst/routes/task_orders/signing.py
@@ -27,6 +27,7 @@ def wrap_check_is_ko(user, task_order_id=None, **_kwargs):
    return True


+# TODO: this route needs to be moved under the portfolio blueprint
@task_orders_bp.route("/task_orders/<task_order_id>/digital_signature", methods=["GET"])
@user_can(
    None, override=wrap_check_is_ko, message="view contracting officer signature page"
@@ -42,6 +43,7 @@ def signature_requested(task_order_id):
    )


+# TODO: this route needs to be moved under the portfolio blueprint
@task_orders_bp.route(
    "/task_orders/<task_order_id>/digital_signature", methods=["POST"]
 )