Add in check to make sure that user has portfolio and app perms

2019-03-25 15:54:10 -04:00 · 2019-03-25 15:54:10 -04:00 · d152034e1b
commit d152034e1b
parent 2cb5cf6b9d
2 changed files with 46 additions and 0 deletions
--- a/atst/domain/authz/decorator.py
+++ b/atst/domain/authz/decorator.py
@ -5,6 +5,7 @@ from flask import g, current_app as app, request
 from . import user_can_access
 from atst.domain.portfolios import Portfolios
 from atst.domain.task_orders import TaskOrders
+from atst.domain.applications import Applications
 from atst.domain.exceptions import UnauthorizedError


@ -16,6 +17,10 @@ def check_access(permission, message, exception, *args, **kwargs):
            g.current_user, kwargs["portfolio_id"]
        )

+    if "application_id" in kwargs:
+        application = Applications.get(kwargs["application_id"])
+        access_args["portfolio"] = application.portfolio
+
    if "task_order_id" in kwargs:
        task_order = TaskOrders.get(kwargs["task_order_id"])
        access_args["portfolio"] = task_order.portfolio
--- a/tests/routes/portfolios/test_applications.py
+++ b/tests/routes/portfolios/test_applications.py
@ -157,6 +157,47 @@ def test_user_without_permission_cannot_update_application(client, user_session)
    assert application.description == "Cool stuff happening here!"


+def test_user_can_only_access_apps_in_their_portfolio(client, user_session):
+    portfolio = PortfolioFactory.create()
+    other_portfolio = PortfolioFactory.create(
+        applications=[
+            {
+                "name": "Awesome Application",
+                "description": "More cool stuff happening here!",
+                "environments": [{"name": "dev"}],
+            }
+        ]
+    )
+    other_application = other_portfolio.applications[0]
+    user_session(portfolio.owner)
+
+    # user can't view application edit form
+    response = client.get(
+        "/portfolios/{}/applications/{}/edit".format(portfolio.id, other_application.id)
+    )
+    assert response.status_code == 404
+
+    # user can't post update application form
+    response = client.post(
+        url_for(
+            "portfolios.update_application",
+            portfolio_id=portfolio.id,
+            application_id=other_application.id,
+        ),
+        data={"name": "New Name", "description": "A new description."},
+        follow_redirects=True,
+    )
+    assert response.status_code == 404
+
+    # user can't view application members
+    response = client.get(
+        "/portfolios/{}/applications/{}/members".format(
+            portfolio.id, other_application.id
+        )
+    )
+    assert response.status_code == 404
+
+
 def create_environment(user):
    portfolio = PortfolioFactory.create()
    portfolio_role = PortfolioRoleFactory.create(portfolio=portfolio, user=user)