Enforce authorization when getting a request
@@ -1,4 +1,5 @@
|
||||
from atst.domain.workspace_users import WorkspaceUsers
|
||||
from atst.models.permissions import Permissions
|
||||
|
||||
|
||||
class Authorization(object):
|
||||
@@ -10,3 +11,15 @@ class Authorization(object):
|
||||
@classmethod
|
||||
def is_in_workspace(cls, user, workspace):
|
||||
return user in workspace.users
|
||||
|
||||
@classmethod
|
||||
def can_view_request(cls, user, request):
|
||||
if (
|
||||
Permissions.REVIEW_AND_APPROVE_JEDI_WORKSPACE_REQUEST
|
||||
in user.atat_permissions
|
||||
):
|
||||
return True
|
||||
elif request.creator == user:
|
||||
return True
|
||||
|
||||
return False
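Review bot: `can_view_request` carries no docstring, so the scope of what it grants — the request's creator, plus any holder of the global `REVIEW_AND_APPROVE_JEDI_WORKSPACE_REQUEST` permission — is only visible by reading the body; add a docstring along the lines of "Return True if user created request or holds the global REVIEW_AND_APPROVE_JEDI_WORKSPACE_REQUEST permission." The if/elif/return-False shape also collapses to a single expression: `return (Permissions.REVIEW_AND_APPROVE_JEDI_WORKSPACE_REQUEST in user.atat_permissions or request.creator == user)`. Nothing in the predicate ties the permission to the request's workspace (the neighbouring `is_in_workspace` is not consulted); if that is intentional the docstring should say so, because this predicate is what `Requests.get` will now apply to every fetch.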
|
||||
|
||||
@@ -5,13 +5,14 @@ from sqlalchemy.orm.exc import NoResultFound
|
||||
from sqlalchemy.orm.attributes import flag_modified
|
||||
from werkzeug.datastructures import FileStorage
|
||||
|
||||
from atst.database import db
|
||||
from atst.domain.authz import Authorization
|
||||
from atst.domain.task_orders import TaskOrders
|
||||
from atst.domain.workspaces import Workspaces
|
||||
from atst.models.request import Request
|
||||
from atst.models.request_status_event import RequestStatusEvent, RequestStatus
|
||||
from atst.domain.workspaces import Workspaces
|
||||
from atst.database import db
|
||||
from atst.domain.task_orders import TaskOrders
|
||||
|
||||
from .exceptions import NotFoundError
|
||||
from .exceptions import NotFoundError, UnauthorizedError
|
||||
|
||||
|
||||
def deep_merge(source, destination: dict):
|
||||
@@ -59,12 +60,15 @@ class Requests(object):
|
||||
return False
|
||||
|
||||
@classmethod
|
||||
def get(cls, request_id):
|
||||
def get(cls, user, request_id):
|
||||
try:
|
||||
request = db.session.query(Request).filter_by(id=request_id).one()
|
||||
except NoResultFound:
|
||||
raise NotFoundError("request")
|
||||
|
||||
if not Authorization.can_view_request(user, request):
|
||||
raise UnauthorizedError(user, "get request")
|
||||
|
||||
return request
|
||||
|
||||
@classmethod
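Review bot: In `Requests.get` the `NotFoundError` is raised before the authorization check, so a caller without rights receives a not-found error for ids that do not exist and an `UnauthorizedError` for ids that do, which lets request ids be enumerated by anyone who can reach the routes; consider raising the same error for both cases, or having the error handlers map `UnauthorizedError` to the same response as `NotFoundError`. The new `user` parameter is undocumented — a docstring such as "Fetch a request by id for user; raises NotFoundError if absent and UnauthorizedError if user may not view it" would make the contract explicit. Changing the positional signature from `get(request_id)` to `get(user, request_id)` means any caller not updated in this commit would silently pass the id as `user`; a grep for remaining callers, or making `user` keyword-only (`def get(cls, request_id, *, user)`), would guard against that.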
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
from flask import render_template, redirect, url_for
|
||||
from flask import g, render_template, redirect, url_for
|
||||
from flask import request as http_request
|
||||
|
||||
from . import requests_bp
|
||||
@@ -15,7 +15,7 @@ def financial_form(data):
|
||||
|
||||
@requests_bp.route("/requests/verify/<string:request_id>", methods=["GET"])
|
||||
def financial_verification(request_id=None):
|
||||
request = Requests.get(request_id)
|
||||
request = Requests.get(g.current_user, request_id)
|
||||
form = financial_form(request.body.get("financial_verification"))
|
||||
return render_template(
|
||||
"requests/financial_verification.html",
|
||||
@@ -28,7 +28,7 @@ def financial_verification(request_id=None):
|
||||
@requests_bp.route("/requests/verify/<string:request_id>", methods=["POST"])
|
||||
def update_financial_verification(request_id):
|
||||
post_data = http_request.form
|
||||
existing_request = Requests.get(request_id)
|
||||
existing_request = Requests.get(g.current_user, request_id)
|
||||
form = financial_form(post_data)
|
||||
rerender_args = dict(
|
||||
request_id=request_id, f=form, extended=http_request.args.get("extended")
|
||||
|
||||
@@ -46,7 +46,7 @@ def requests_form_update(screen=1, request_id=None):
|
||||
if request_id:
|
||||
_check_can_view_request(request_id)
|
||||
|
||||
request = Requests.get(request_id) if request_id is not None else None
|
||||
request = Requests.get(g.current_user, request_id) if request_id is not None else None
|
||||
jedi_flow = JEDIRequestFlow(
|
||||
screen, request=request, request_id=request_id, current_user=g.current_user
|
||||
)
|
||||
@@ -72,7 +72,7 @@ def requests_update(screen=1, request_id=None):
|
||||
screen = int(screen)
|
||||
post_data = http_request.form
|
||||
current_user = g.current_user
|
||||
existing_request = Requests.get(request_id) if request_id is not None else None
|
||||
existing_request = Requests.get(g.current_user, request_id) if request_id is not None else None
|
||||
jedi_flow = JEDIRequestFlow(
|
||||
screen,
|
||||
post_data=post_data,
|
||||
@@ -110,7 +110,7 @@ def requests_update(screen=1, request_id=None):
|
||||
|
||||
@requests_bp.route("/requests/submit/<string:request_id>", methods=["POST"])
|
||||
def requests_submit(request_id=None):
|
||||
request = Requests.get(request_id)
|
||||
request = Requests.get(g.current_user, request_id)
|
||||
Requests.submit(request)
|
||||
|
||||
if request.status == RequestStatus.PENDING_FINANCIAL_VERIFICATION:
|
||||
@@ -122,7 +122,7 @@ def requests_submit(request_id=None):
|
||||
|
||||
@requests_bp.route("/requests/pending/<string:request_id>", methods=["GET"])
|
||||
def view_pending_request(request_id=None):
|
||||
request = Requests.get(request_id)
|
||||
request = Requests.get(g.current_user, request_id)
|
||||
return render_template("requests/view_pending.html", data=request.body)
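Review bot: `Requests.get(g.current_user, …)` is now the only authorization gate on the POST routes `update_financial_verification`, `requests_update` and `requests_submit`, yet the predicate it applies is `can_view_request`, so a user holding `REVIEW_AND_APPROVE_JEDI_WORKSPACE_REQUEST` can also edit and submit a request they did not create; the mutating routes need a separate edit check, e.g. `if request.creator != g.current_user: raise UnauthorizedError(g.current_user, "update request")`, or that check belongs inside `Requests.submit` and the update path. `requests_form_update` still calls `_check_can_view_request(request_id)` immediately before the new `Requests.get(g.current_user, request_id)`; if that helper performs the same check it is now redundant, and if it still calls `Requests.get` with the old single-argument signature this commit breaks it — its body is outside the hunk, so this needs confirming. Minor: `requests_update` binds `current_user = g.current_user` one line above the new call but the call re-reads `g.current_user`; use the local. The new lines in `requests_form_update` and `requests_update` exceed the line length black would enforce and will be rewrapped on the next format.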
|
||||
|
||||
|
||||
|
||||