authorization checks for task orders

This commit is contained in:
dandds
2019-01-09 15:25:50 -05:00
parent a3bac44371
commit ccf1ff2024
9 changed files with 135 additions and 43 deletions


@@ -33,3 +33,24 @@ class Authorization(object):
@classmethod
def is_ccpo(cls, user):
return user.atat_role.name == "ccpo"
@classmethod
def check_task_order_permission(cls, user, task_order, permission, message):
if Authorization._check_is_task_order_officer(task_order, user):
return True
Authorization.check_workspace_permission(
user, task_order.workspace, permission, message
)
@classmethod
def _check_is_task_order_officer(cls, task_order, user):
for officer in [
"contracting_officer",
"contracting_officer_representative",
"security_officer",
]:
if getattr(task_order, officer, None) == user:
return True
return False
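Review bot: `check_task_order_permission` returns `True` on the officer path but falls off the end on the workspace path, so a caller testing the result gets `None` even when the workspace check passes; return the delegate's result instead, `return Authorization.check_workspace_permission(user, task_order.workspace, permission, message)`, so both paths agree. The officer short-circuit also grants whatever `permission` the caller names, so a security_officer implicitly satisfies UPDATE_TASK_ORDER as well as VIEW_TASK_ORDER; if that is intended, a docstring on the method should say so, otherwise gate the bypass on the specific permission. In `_check_is_task_order_officer`, `getattr(task_order, officer, None) == user` would match an unset officer slot if `user` were ever `None` — presumably callers never pass that, but an explicit `user is not None and ...` guard costs little.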


@@ -86,6 +86,9 @@ WORKSPACE_ROLES = [
Permissions.VIEW_ENVIRONMENT_IN_APPLICATION,
Permissions.RENAME_ENVIRONMENT_IN_APPLICATION,
Permissions.VIEW_WORKSPACE_AUDIT_LOG,
Permissions.VIEW_TASK_ORDER,
Permissions.UPDATE_TASK_ORDER,
Permissions.ADD_TASK_ORDER_OFFICER,
],
},
{
@@ -114,6 +117,9 @@ WORKSPACE_ROLES = [
Permissions.VIEW_ENVIRONMENT_IN_APPLICATION,
Permissions.RENAME_ENVIRONMENT_IN_APPLICATION,
Permissions.VIEW_WORKSPACE_AUDIT_LOG,
Permissions.VIEW_TASK_ORDER,
Permissions.UPDATE_TASK_ORDER,
Permissions.ADD_TASK_ORDER_OFFICER,
],
},
{
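Review bot: Both role permission lists gain ADD_TASK_ORDER_OFFICER alongside UPDATE_TASK_ORDER, but the role names these lists belong to are outside the hunks at 86 and 114, so it is not visible which roles are being widened. Since being named an officer makes a user pass every task-order check in `Authorization.check_task_order_permission`, ADD_TASK_ORDER_OFFICER acts as a delegation right and arguably deserves a narrower audience than plain UPDATE_TASK_ORDER; a comment beside these entries recording why each role receives it would make that decision reviewable. The two hunks carry identical additions, so the same applies to both.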


@@ -2,7 +2,9 @@ from sqlalchemy.orm.exc import NoResultFound
from atst.database import db
from atst.models.task_order import TaskOrder
from atst.models.permissions import Permissions
from atst.domain.workspaces import Workspaces
from atst.domain.authz import Authorization
from .exceptions import NotFoundError
@@ -46,27 +48,35 @@ class TaskOrders(object):
}
@classmethod
def get(cls, task_order_id):
def get(cls, user, task_order_id):
try:
task_order = db.session.query(TaskOrder).filter_by(id=task_order_id).one()
Authorization.check_task_order_permission(
user, task_order, Permissions.VIEW_TASK_ORDER, "view task order"
)
return task_order
except NoResultFound:
raise NotFoundError("task_order")
@classmethod
def create(cls, workspace, creator, commit=False):
def create(cls, creator, workspace):
Authorization.check_workspace_permission(
creator, workspace, Permissions.UPDATE_TASK_ORDER, "add task order"
)
task_order = TaskOrder(workspace=workspace, creator=creator)
db.session.add(task_order)
if commit:
db.session.commit()
db.session.commit()
return task_order
@classmethod
def update(cls, task_order, **kwargs):
def update(cls, user, task_order, **kwargs):
Authorization.check_task_order_permission(
user, task_order, Permissions.UPDATE_TASK_ORDER, "update task order"
)
for key, value in kwargs.items():
setattr(task_order, key, value)
@@ -103,6 +113,13 @@ class TaskOrders(object):
@classmethod
def add_officer(cls, user, task_order, officer_type, officer_data):
Authorization.check_workspace_permission(
user,
task_order.workspace,
Permissions.ADD_TASK_ORDER_OFFICER,
"add task order officer",
)
if officer_type in TaskOrders.OFFICERS:
workspace = task_order.workspace
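Review bot: `TaskOrders.create` now commits unconditionally and its parameters are reordered to `(cls, creator, workspace)` from `(cls, workspace, creator, commit=False)`, so any caller still passing the two positionally gets creator and workspace silently swapped, and the opt-out of committing is gone; `def create(cls, creator, workspace, commit=True):` with the existing `if commit:` guard keeps the option while preserving the new default. In the workflow file, `_update_task_order` now commits the new task order before its follow-up `TaskOrders.update`, so a failure there leaves a committed but partially populated row — hedged, since `update`'s body continues past this hunk. `add_officer` checks the workspace permission rather than `check_task_order_permission` as `get` and `update` do, meaning an officer who may update a task order cannot add another officer; if that asymmetry is intentional, a one-line comment above the check would keep a later reader from "fixing" it.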


@@ -43,3 +43,7 @@ class Permissions(object):
ADD_TAG_TO_WORKSPACE = "add_tag_to_workspace"
REMOVE_TAG_FROM_WORKSPACE = "remove_tag_from_workspace"
VIEW_TASK_ORDER = "view_task_order"
UPDATE_TASK_ORDER = "update_task_order"
ADD_TASK_ORDER_OFFICER = "add_task_order_officers"
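Review bot: `ADD_TASK_ORDER_OFFICER` is assigned the plural string "add_task_order_officers" while the constant name and the neighbouring entries (`ADD_TAG_TO_WORKSPACE = "add_tag_to_workspace"`) are singular; if these strings are persisted or compared anywhere outside this class, the mismatch will be hard to spot later. Suggest `ADD_TASK_ORDER_OFFICER = "add_task_order_officer"` unless the plural value is already stored somewhere this commit does not show.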


@@ -1,5 +1,5 @@
from io import BytesIO
from flask import Response
from flask import g, Response
from . import task_orders_bp
from atst.domain.task_orders import TaskOrders
@@ -8,7 +8,7 @@ from atst.utils.docx import Docx
@task_orders_bp.route("/task_orders/download_summary/<task_order_id>")
def download_summary(task_order_id):
task_order = TaskOrders.get(task_order_id)
task_order = TaskOrders.get(g.current_user, task_order_id)
byte_str = BytesIO()
Docx.render(byte_str, data=task_order.to_dictionary())
filename = "{}.docx".format(task_order.portfolio_name)


@@ -47,7 +47,8 @@ TASK_ORDER_SECTIONS = [
class ShowTaskOrderWorkflow:
def __init__(self, screen=1, task_order_id=None):
def __init__(self, user, screen=1, task_order_id=None):
self.user = user
self.screen = screen
self.task_order_id = task_order_id
self._section = TASK_ORDER_SECTIONS[screen - 1]
@@ -57,7 +58,7 @@ class ShowTaskOrderWorkflow:
@property
def task_order(self):
if not self._task_order and self.task_order_id:
self._task_order = TaskOrders.get(self.task_order_id)
self._task_order = TaskOrders.get(self.user, self.task_order_id)
return self._task_order
@@ -122,13 +123,13 @@ class UpdateTaskOrderWorkflow(ShowTaskOrderWorkflow):
def _update_task_order(self):
if self.task_order:
TaskOrders.update(self.task_order, **self.form.data)
TaskOrders.update(self.user, self.task_order, **self.form.data)
else:
ws = Workspaces.create(self.user, self.form.portfolio_name.data)
to_data = self.form.data.copy()
to_data.pop("portfolio_name")
self._task_order = TaskOrders.create(workspace=ws, creator=self.user)
TaskOrders.update(self.task_order, **to_data)
self._task_order = TaskOrders.create(self.user, ws)
TaskOrders.update(self.user, self.task_order, **to_data)
OFFICER_INVITATIONS = [
{
@@ -189,7 +190,7 @@ class UpdateTaskOrderWorkflow(ShowTaskOrderWorkflow):
@task_orders_bp.route("/task_orders/new/<int:screen>")
@task_orders_bp.route("/task_orders/new/<int:screen>/<task_order_id>")
def new(screen, task_order_id=None):
workflow = ShowTaskOrderWorkflow(screen, task_order_id)
workflow = ShowTaskOrderWorkflow(g.current_user, screen, task_order_id)
return render_template(
workflow.template,
current=screen,
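Review bot: `ShowTaskOrderWorkflow.__init__` gains `user` as the first positional parameter ahead of the existing `screen` and `task_order_id`, so any instantiation not updated in this commit would bind the screen number to `user` and only fail later inside `TaskOrders.get`; `UpdateTaskOrderWorkflow` inherits this constructor and its call sites are outside the hunks shown, so confirm they were all changed (the `new` route at line 174 is). Because the permission check now runs inside the lazy `task_order` property, an unauthorized user's error surfaces wherever the property is first read — possibly inside `render_template` — rather than at construction; a docstring such as `"""Load the task order on first access; the view permission check runs here, not in __init__."""` would make that explicit. The class body and `_update_task_order` continue outside these hunks.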