Add in check to make sure that user has portfolio and app perms
This commit is contained in:
parent
2cb5cf6b9d
commit
d152034e1b
@ -5,6 +5,7 @@ from flask import g, current_app as app, request
|
|||||||
from . import user_can_access
|
from . import user_can_access
|
||||||
from atst.domain.portfolios import Portfolios
|
from atst.domain.portfolios import Portfolios
|
||||||
from atst.domain.task_orders import TaskOrders
|
from atst.domain.task_orders import TaskOrders
|
||||||
|
from atst.domain.applications import Applications
|
||||||
from atst.domain.exceptions import UnauthorizedError
|
from atst.domain.exceptions import UnauthorizedError
|
||||||
|
|
||||||
|
|
||||||
@ -16,6 +17,10 @@ def check_access(permission, message, exception, *args, **kwargs):
|
|||||||
g.current_user, kwargs["portfolio_id"]
|
g.current_user, kwargs["portfolio_id"]
|
||||||
)
|
)
|
||||||
|
|
||||||
|
if "application_id" in kwargs:
|
||||||
|
application = Applications.get(kwargs["application_id"])
|
||||||
|
access_args["portfolio"] = application.portfolio
|
||||||
|
|
||||||
if "task_order_id" in kwargs:
|
if "task_order_id" in kwargs:
|
||||||
task_order = TaskOrders.get(kwargs["task_order_id"])
|
task_order = TaskOrders.get(kwargs["task_order_id"])
|
||||||
access_args["portfolio"] = task_order.portfolio
|
access_args["portfolio"] = task_order.portfolio
|
||||||
|
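Review bot: In the new `application_id` branch the portfolio presumably loaded from `kwargs["portfolio_id"]` a few lines above (the call head and assignment are outside the hunk) is overwritten by `application.portfolio` without the two ever being compared, so check_access never verifies that the application belongs to the portfolio named in the route. Authorizing against the application's real portfolio does stop a user with no rights there, which is what the new test covers, but a user holding roles in two portfolios can still address an application through the other portfolio's path, and any view logic keyed on the route's portfolio_id then runs against a mismatched pair. A one-line consistency check before the reassignment closes this: `if application.portfolio != access_args["portfolio"]: raise exception(message)` (assuming `exception` in the signature is the class raised on denial and the domain objects compare by identity or id; otherwise compare their ids). The unchanged `task_order_id` branch below has the same shape and would benefit from the same guard, and it is worth confirming that the not-found error `Applications.get` presumably raises for an unknown id is mapped to the 404 the test expects rather than a 500. check_access's body starts before this hunk.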
@ -157,6 +157,47 @@ def test_user_without_permission_cannot_update_application(client, user_session)
|
|||||||
assert application.description == "Cool stuff happening here!"
|
assert application.description == "Cool stuff happening here!"
|
||||||
|
|
||||||
|
|
||||||
|
def test_user_can_only_access_apps_in_their_portfolio(client, user_session):
|
||||||
|
portfolio = PortfolioFactory.create()
|
||||||
|
other_portfolio = PortfolioFactory.create(
|
||||||
|
applications=[
|
||||||
|
{
|
||||||
|
"name": "Awesome Application",
|
||||||
|
"description": "More cool stuff happening here!",
|
||||||
|
"environments": [{"name": "dev"}],
|
||||||
|
}
|
||||||
|
]
|
||||||
|
)
|
||||||
|
other_application = other_portfolio.applications[0]
|
||||||
|
user_session(portfolio.owner)
|
||||||
|
|
||||||
|
# user can't view application edit form
|
||||||
|
response = client.get(
|
||||||
|
"/portfolios/{}/applications/{}/edit".format(portfolio.id, other_application.id)
|
||||||
|
)
|
||||||
|
assert response.status_code == 404
|
||||||
|
|
||||||
|
# user can't post update application form
|
||||||
|
response = client.post(
|
||||||
|
url_for(
|
||||||
|
"portfolios.update_application",
|
||||||
|
portfolio_id=portfolio.id,
|
||||||
|
application_id=other_application.id,
|
||||||
|
),
|
||||||
|
data={"name": "New Name", "description": "A new description."},
|
||||||
|
follow_redirects=True,
|
||||||
|
)
|
||||||
|
assert response.status_code == 404
|
||||||
|
|
||||||
|
# user can't view application members
|
||||||
|
response = client.get(
|
||||||
|
"/portfolios/{}/applications/{}/members".format(
|
||||||
|
portfolio.id, other_application.id
|
||||||
|
)
|
||||||
|
)
|
||||||
|
assert response.status_code == 404
|
||||||
|
|
||||||
|
|
||||||
def create_environment(user):
|
def create_environment(user):
|
||||||
portfolio = PortfolioFactory.create()
|
portfolio = PortfolioFactory.create()
|
||||||
portfolio_role = PortfolioRoleFactory.create(portfolio=portfolio, user=user)
|
portfolio_role = PortfolioRoleFactory.create(portfolio=portfolio, user=user)
|
||||||
|
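Review bot: The POST case in test_user_can_only_access_apps_in_their_portfolio only asserts the 404 and never checks that the update was actually refused, unlike the preceding test which asserts the description is unchanged; add `assert other_application.name == "Awesome Application"` and `assert other_application.description == "More cool stuff happening here!"` after the second status assertion (the object may need re-fetching if the factory instance is detached from the session). The test also has no positive control showing portfolio.owner can still reach an application in their own portfolio, so a regression that returns 404 for every application would pass unnoticed. On style, the same test builds two URLs with `"/portfolios/{}/applications/{}/edit".format(...)` and one with `url_for(...)`; using `url_for` throughout keeps the test from silently breaking when a route path changes. create_environment at the end of the hunk continues outside it.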