Enforce authorization when getting a request

Patrick Smith
2018-08-30 13:19:12 -04:00
parent e7aed35054
commit d785f19b5b
8 changed files with 65 additions and 41 deletions


@@ -1,4 +1,4 @@
from flask import render_template, redirect, url_for
from flask import g, render_template, redirect, url_for
from flask import request as http_request
from . import requests_bp
@@ -15,7 +15,7 @@ def financial_form(data):
@requests_bp.route("/requests/verify/<string:request_id>", methods=["GET"])
def financial_verification(request_id=None):
request = Requests.get(request_id)
request = Requests.get(g.current_user, request_id)
form = financial_form(request.body.get("financial_verification"))
return render_template(
"requests/financial_verification.html",
@@ -28,7 +28,7 @@ def financial_verification(request_id=None):
@requests_bp.route("/requests/verify/<string:request_id>", methods=["POST"])
def update_financial_verification(request_id):
post_data = http_request.form
existing_request = Requests.get(request_id)
existing_request = Requests.get(g.current_user, request_id)
form = financial_form(post_data)
rerender_args = dict(
request_id=request_id, f=form, extended=http_request.args.get("extended")
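Review bot: In `financial_verification` and `update_financial_verification` the result of `Requests.get(g.current_user, request_id)` is used straight away (`request.body.get(...)` in the GET handler), and nothing visible in these hunks handles a caller who is not allowed to see the request. How `Requests.get` signals a denial is not shown here: if it raises, the blueprint or app needs an error handler that turns the exception into a response, and if it returns `None` the GET handler fails with an AttributeError on `request.body`. I would render "not yours" and "does not exist" as the same 404 so the response does not reveal which request IDs exist, and say so above the call, for example `# Requests.get enforces access for g.current_user; a denial is rendered as 404 by the error handler`. Both function bodies continue outside the hunks.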


@@ -46,7 +46,7 @@ def requests_form_update(screen=1, request_id=None):
if request_id:
_check_can_view_request(request_id)
request = Requests.get(request_id) if request_id is not None else None
request = Requests.get(g.current_user, request_id) if request_id is not None else None
jedi_flow = JEDIRequestFlow(
screen, request=request, request_id=request_id, current_user=g.current_user
)
@@ -72,7 +72,7 @@ def requests_update(screen=1, request_id=None):
screen = int(screen)
post_data = http_request.form
current_user = g.current_user
existing_request = Requests.get(request_id) if request_id is not None else None
existing_request = Requests.get(g.current_user, request_id) if request_id is not None else None
jedi_flow = JEDIRequestFlow(
screen,
post_data=post_data,
@@ -110,7 +110,7 @@ def requests_update(screen=1, request_id=None):
@requests_bp.route("/requests/submit/<string:request_id>", methods=["POST"])
def requests_submit(request_id=None):
request = Requests.get(request_id)
request = Requests.get(g.current_user, request_id)
Requests.submit(request)
if request.status == RequestStatus.PENDING_FINANCIAL_VERIFICATION:
@@ -122,7 +122,7 @@ def requests_submit(request_id=None):
@requests_bp.route("/requests/pending/<string:request_id>", methods=["GET"])
def view_pending_request(request_id=None):
request = Requests.get(request_id)
request = Requests.get(g.current_user, request_id)
return render_template("requests/view_pending.html", data=request.body)
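Review bot: `requests_form_update` still calls `_check_can_view_request(request_id)` directly above the new `Requests.get(g.current_user, request_id)`, so this view now has two authorization checks that can drift apart. If `Requests.get` is meant to be the single enforcement point, drop the helper call here, or keep it with a comment explaining why both are needed. In `requests_submit` the same lookup is the only visible guard before `Requests.submit(request)`; whether permission to fetch a request should also imply permission to submit it cannot be told from this hunk and is worth confirming. As a style point, `requests_update` binds `current_user = g.current_user` one line earlier, so the new line could read `Requests.get(current_user, request_id)`. The function bodies start or end outside the hunks.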