apply access decorator to routes

2019-03-20 10:47:13 -04:00
parent 0ea21fbb9b
commit de7c69bde7
25 changed files with 198 additions and 59 deletions
--- a/atst/domain/applications.py
+++ b/atst/domain/applications.py
@@ -1,7 +1,6 @@
 from atst.database import db
 from atst.domain.environments import Environments
 from atst.domain.exceptions import NotFoundError
-from atst.models.permissions import Permissions
 from atst.models.application import Application
 from atst.models.environment import Environment
 from atst.models.environment_role import EnvironmentRole
--- a/atst/domain/authz/decorator.py
+++ b/atst/domain/authz/decorator.py
@@ -4,6 +4,15 @@ from flask import g

 from . import user_can_access
 from atst.domain.portfolios import Portfolios
+from atst.domain.task_orders import TaskOrders
+
+
+def evaluate_exceptions(user, permission, exceptions, **kwargs):
+    return (
+        True
+        if True in [exc(g.current_user, permission, **kwargs) for exc in exceptions]
+        else False
+    )


 def user_can_access_decorator(permission, message=None, exceptions=None):
@@ -16,13 +25,14 @@ def user_can_access_decorator(permission, message=None, exceptions=None):
                access_args["portfolio"] = Portfolios.get(
                    g.current_user, kwargs["portfolio_id"]
                )
+            elif "task_order_id" in kwargs:
+                task_order = TaskOrders.get(g.current_user, kwargs["task_order_id"])
+                access_args["portfolio"] = task_order.portfolio

-            if exceptions:
-                evaluated = [
-                    exc(g.current_user, permission, **access_args) for exc in exceptions
-                ]
-                if True in evaluated:
-                    return True
+            if exceptions and evaluate_exceptions(
+                g.current_user, permission, exceptions, **access_args, **kwargs
+            ):
+                return f(*args, **kwargs)

            user_can_access(g.current_user, permission, **access_args)

--- a/atst/domain/invitations.py
+++ b/atst/domain/invitations.py
@@ -4,7 +4,6 @@ from sqlalchemy.orm.exc import NoResultFound
 from atst.database import db
 from atst.models.invitation import Invitation, Status as InvitationStatus
 from atst.domain.portfolio_roles import PortfolioRoles
-from atst.domain.portfolios import Portfolios

 from .exceptions import NotFoundError

@@ -118,7 +117,6 @@ class Invitations(object):

    @classmethod
    def resend(cls, user, portfolio_id, token):
-        portfolio = Portfolios.get(user, portfolio_id)
        previous_invitation = Invitations._get(token)
        Invitations._update_status(previous_invitation, InvitationStatus.REVOKED)