authorization checks for task orders

2019-01-09 15:25:50 -05:00
parent a3bac44371
commit ccf1ff2024
9 changed files with 135 additions and 43 deletions
--- a/atst/routes/task_orders/index.py
+++ b/atst/routes/task_orders/index.py
@@ -1,5 +1,5 @@
 from io import BytesIO
-from flask import Response
+from flask import g, Response

 from . import task_orders_bp
 from atst.domain.task_orders import TaskOrders
@@ -8,7 +8,7 @@ from atst.utils.docx import Docx

@task_orders_bp.route("/task_orders/download_summary/<task_order_id>")
 def download_summary(task_order_id):
-    task_order = TaskOrders.get(task_order_id)
+    task_order = TaskOrders.get(g.current_user, task_order_id)
    byte_str = BytesIO()
    Docx.render(byte_str, data=task_order.to_dictionary())
    filename = "{}.docx".format(task_order.portfolio_name)
--- a/atst/routes/task_orders/new.py
+++ b/atst/routes/task_orders/new.py
@@ -47,7 +47,8 @@ TASK_ORDER_SECTIONS = [


 class ShowTaskOrderWorkflow:
-    def __init__(self, screen=1, task_order_id=None):
+    def __init__(self, user, screen=1, task_order_id=None):
+        self.user = user
        self.screen = screen
        self.task_order_id = task_order_id
        self._section = TASK_ORDER_SECTIONS[screen - 1]
@@ -57,7 +58,7 @@ class ShowTaskOrderWorkflow:
    @property
    def task_order(self):
        if not self._task_order and self.task_order_id:
-            self._task_order = TaskOrders.get(self.task_order_id)
+            self._task_order = TaskOrders.get(self.user, self.task_order_id)

        return self._task_order

@@ -122,13 +123,13 @@ class UpdateTaskOrderWorkflow(ShowTaskOrderWorkflow):

    def _update_task_order(self):
        if self.task_order:
-            TaskOrders.update(self.task_order, **self.form.data)
+            TaskOrders.update(self.user, self.task_order, **self.form.data)
        else:
            ws = Workspaces.create(self.user, self.form.portfolio_name.data)
            to_data = self.form.data.copy()
            to_data.pop("portfolio_name")
-            self._task_order = TaskOrders.create(workspace=ws, creator=self.user)
-            TaskOrders.update(self.task_order, **to_data)
+            self._task_order = TaskOrders.create(self.user, ws)
+            TaskOrders.update(self.user, self.task_order, **to_data)

    OFFICER_INVITATIONS = [
        {
@@ -189,7 +190,7 @@ class UpdateTaskOrderWorkflow(ShowTaskOrderWorkflow):
@task_orders_bp.route("/task_orders/new/<int:screen>")
@task_orders_bp.route("/task_orders/new/<int:screen>/<task_order_id>")
 def new(screen, task_order_id=None):
-    workflow = ShowTaskOrderWorkflow(screen, task_order_id)
+    workflow = ShowTaskOrderWorkflow(g.current_user, screen, task_order_id)
    return render_template(
        workflow.template,
        current=screen,