Scope access to applications, task orders, and environment roles.

These resources should be scoped to the portfolio when accessed from
route functions.

tests/domain/test_environment_roles.py

@@ -0,0 +1,27 @@
+import pytest
+
+from atst.domain.environment_roles import EnvironmentRoles
+from atst.domain.exceptions import NotFoundError
+
+from tests.factories import *
+
+
+def test_get_for_portfolio():
+    user = UserFactory.create()
+    portfolio = PortfolioFactory.create()
+    application = ApplicationFactory.create(portfolio=portfolio)
+    environment = EnvironmentFactory.create(application=application)
+    env_role = EnvironmentRoleFactory.create(
+        environment=environment, user=user, role="basic access"
+    )
+
+    assert (
+        EnvironmentRoles.get_for_portfolio(
+            user.id, environment.id, portfolio_id=portfolio.id
+        )
+        == env_role
+    )
+    with pytest.raises(NotFoundError):
+        EnvironmentRoles.get_for_portfolio(
+            user.id, environment.id, portfolio_id=application.id
+        )

tests/routes/portfolios/test_applications.py

@@ -329,3 +329,19 @@ def test_delete_application(client, user_session):
     # app and envs are soft deleted
     assert len(port.applications) == 0
     assert len(application.environments) == 0
+
+
+def test_edit_application_scope(client, user_session):
+    owner = UserFactory.create()
+    port1 = PortfolioFactory.create(owner=owner, applications=[{"name": "first app"}])
+    port2 = PortfolioFactory.create(owner=owner, applications=[{"name": "second app"}])
+
+    user_session(owner)
+    response = client.get(
+        url_for(
+            "portfolios.edit_application",
+            portfolio_id=port2.id,
+            application_id=port1.applications[0].id,
+        )
+    )
+    assert response.status_code == 404