Add in check to make sure that user has portfolio and app perms

tests/routes/portfolios/test_applications.py

@@ -157,6 +157,47 @@ def test_user_without_permission_cannot_update_application(client, user_session)
     assert application.description == "Cool stuff happening here!"
 
 
+def test_user_can_only_access_apps_in_their_portfolio(client, user_session):
+    portfolio = PortfolioFactory.create()
+    other_portfolio = PortfolioFactory.create(
+        applications=[
+            {
+                "name": "Awesome Application",
+                "description": "More cool stuff happening here!",
+                "environments": [{"name": "dev"}],
+            }
+        ]
+    )
+    other_application = other_portfolio.applications[0]
+    user_session(portfolio.owner)
+
+    # user can't view application edit form
+    response = client.get(
+        "/portfolios/{}/applications/{}/edit".format(portfolio.id, other_application.id)
+    )
+    assert response.status_code == 404
+
+    # user can't post update application form
+    response = client.post(
+        url_for(
+            "portfolios.update_application",
+            portfolio_id=portfolio.id,
+            application_id=other_application.id,
+        ),
+        data={"name": "New Name", "description": "A new description."},
+        follow_redirects=True,
+    )
+    assert response.status_code == 404
+
+    # user can't view application members
+    response = client.get(
+        "/portfolios/{}/applications/{}/members".format(
+            portfolio.id, other_application.id
+        )
+    )
+    assert response.status_code == 404
+
+
 def create_environment(user):
     portfolio = PortfolioFactory.create()
     portfolio_role = PortfolioRoleFactory.create(portfolio=portfolio, user=user)