apply access decorator to routes
@@ -5,9 +5,12 @@ from . import task_orders_bp
|
||||
from atst.domain.task_orders import TaskOrders
|
||||
from atst.domain.exceptions import NotFoundError
|
||||
from atst.utils.docx import Docx
|
||||
from atst.domain.authz.decorator import user_can_access_decorator as user_can
|
||||
from atst.models.permissions import Permissions
|
||||
|
||||
|
||||
@task_orders_bp.route("/task_orders/download_summary/<task_order_id>")
|
||||
@user_can(Permissions.VIEW_TASK_ORDER_DETAILS)
|
||||
def download_summary(task_order_id):
|
||||
task_order = TaskOrders.get(g.current_user, task_order_id)
|
||||
byte_str = BytesIO()
|
||||
@@ -31,6 +34,7 @@ def send_file(attachment):
|
||||
|
||||
|
||||
@task_orders_bp.route("/task_orders/csp_estimate/<task_order_id>")
|
||||
@user_can(Permissions.VIEW_TASK_ORDER_DETAILS)
|
||||
def download_csp_estimate(task_order_id):
|
||||
task_order = TaskOrders.get(g.current_user, task_order_id)
|
||||
if task_order.csp_estimate:
|
||||
@@ -40,6 +44,7 @@ def download_csp_estimate(task_order_id):
|
||||
|
||||
|
||||
@task_orders_bp.route("/task_orders/pdf/<task_order_id>")
|
||||
@user_can(Permissions.VIEW_TASK_ORDER_DETAILS)
|
||||
def download_task_order_pdf(task_order_id):
|
||||
task_order = TaskOrders.get(g.current_user, task_order_id)
|
||||
if task_order.pdf:
|
||||
|
||||
@@ -4,9 +4,12 @@ from . import task_orders_bp
|
||||
from atst.domain.task_orders import TaskOrders
|
||||
from atst.utils.flash import formatted_flash as flash
|
||||
from atst.services.invitation import update_officer_invitations
|
||||
from atst.domain.authz.decorator import user_can_access_decorator as user_can
|
||||
from atst.models.permissions import Permissions
|
||||
|
||||
|
||||
@task_orders_bp.route("/task_orders/invite/<task_order_id>", methods=["POST"])
|
||||
@user_can(Permissions.EDIT_TASK_ORDER_DETAILS)
|
||||
def invite(task_order_id):
|
||||
task_order = TaskOrders.get(g.current_user, task_order_id)
|
||||
if TaskOrders.all_sections_complete(task_order):
|
||||
|
||||
@@ -14,6 +14,8 @@ from atst.domain.task_orders import TaskOrders
|
||||
from atst.domain.portfolios import Portfolios
|
||||
from atst.utils.flash import formatted_flash as flash
|
||||
import atst.forms.task_order as task_order_form
|
||||
from atst.domain.authz.decorator import user_can_access_decorator as user_can
|
||||
from atst.models.permissions import Permissions
|
||||
|
||||
|
||||
TASK_ORDER_SECTIONS = [
|
||||
@@ -249,9 +251,19 @@ def get_started():
|
||||
return render_template("task_orders/new/get_started.html") # pragma: no cover
|
||||
|
||||
|
||||
def is_new_task_order(*args, **kwargs):
|
||||
return (
|
||||
"screen" in kwargs
|
||||
and kwargs["screen"] == 1
|
||||
and "task_order_id" not in kwargs
|
||||
and "portfolio_id" not in kwargs
|
||||
)
|
||||
|
||||
|
||||
@task_orders_bp.route("/task_orders/new/<int:screen>")
|
||||
@task_orders_bp.route("/task_orders/new/<int:screen>/<task_order_id>")
|
||||
@task_orders_bp.route("/portfolios/<portfolio_id>/task_orders/new/<int:screen>")
|
||||
@user_can(Permissions.CREATE_TASK_ORDER, exceptions=[is_new_task_order])
|
||||
def new(screen, task_order_id=None, portfolio_id=None):
|
||||
workflow = ShowTaskOrderWorkflow(
|
||||
g.current_user, screen, task_order_id, portfolio_id
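Review bot: `is_new_task_order` has no docstring saying why screen 1 with neither `task_order_id` nor `portfolio_id` is exempt from `Permissions.CREATE_TASK_ORDER`; this hook widens access on `new` here and on `update` in the next hunk, so the reasoning belongs in the code, e.g. `"""user_can exception hook: the first screen of the new task order flow has no portfolio or task order yet, so there is nothing to check CREATE_TASK_ORDER against."""`. The `*args` silently absorbs whatever positional arguments the decorator passes (presumably the user and permission, judging by `wrap_check_is_ko` elsewhere in this commit); spelling them out as `def is_new_task_order(_user, _perm, **kwargs):` would make the hook's contract explicit and fail loudly if the decorator's calling convention changes. `new` continues past the end of the hunk.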
|
||||
@@ -298,6 +310,7 @@ def new(screen, task_order_id=None, portfolio_id=None):
|
||||
@task_orders_bp.route(
|
||||
"/portfolios/<portfolio_id>/task_orders/new/<int:screen>", methods=["POST"]
|
||||
)
|
||||
@user_can(Permissions.CREATE_TASK_ORDER, exceptions=[is_new_task_order])
|
||||
def update(screen, task_order_id=None, portfolio_id=None):
|
||||
form_data = {**http_request.form, **http_request.files}
|
||||
workflow = UpdateTaskOrderWorkflow(
|
||||
|
||||
@@ -8,11 +8,11 @@ from atst.domain.exceptions import NoAccessError
|
||||
from atst.domain.task_orders import TaskOrders
|
||||
from atst.forms.task_order import SignatureForm
|
||||
from atst.utils.flash import formatted_flash as flash
|
||||
from atst.domain.authz.decorator import user_can_access_decorator as user_can
|
||||
|
||||
|
||||
def find_unsigned_ko_to(task_order_id):
|
||||
task_order = TaskOrders.get(g.current_user, task_order_id)
|
||||
Authorization.check_is_ko(g.current_user, task_order)
|
||||
|
||||
if not TaskOrders.can_ko_sign(task_order):
|
||||
raise NoAccessError("task_order")
|
||||
@@ -20,7 +20,15 @@ def find_unsigned_ko_to(task_order_id):
|
||||
return task_order
|
||||
|
||||
|
||||
def wrap_check_is_ko(user, _perm, task_order_id=None, **_kwargs):
|
||||
task_order = TaskOrders.get(user, task_order_id)
|
||||
Authorization.check_is_ko(user, task_order)
|
||||
|
||||
return True
|
||||
|
||||
|
||||
@task_orders_bp.route("/task_orders/<task_order_id>/digital_signature", methods=["GET"])
|
||||
@user_can(None, exceptions=[wrap_check_is_ko])
|
||||
def signature_requested(task_order_id):
|
||||
task_order = find_unsigned_ko_to(task_order_id)
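Review bot: `wrap_check_is_ko` returns True unconditionally, so it can only deny access if `TaskOrders.get` or `Authorization.check_is_ko` raises; if `check_is_ko` ever reported a failed check by return value instead (not visible here), this hook would approve the request. Because `@user_can(None, exceptions=[wrap_check_is_ko])` on `signature_requested`, and on `record_signature` in the next hunk, carries no base permission, the hook is the entire authorization for both routes and that reliance should be stated, e.g. `"""user_can exception hook: admits only the task order's KO; relies on TaskOrders.get / Authorization.check_is_ko raising on failure."""`. The `task_order_id=None` default also lets a missing route argument reach `TaskOrders.get(user, None)`; confirm that path raises rather than yielding an object the KO check accepts. `signature_requested` continues past the end of the hunk.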
|
||||
|
||||
@@ -35,6 +43,7 @@ def signature_requested(task_order_id):
|
||||
@task_orders_bp.route(
|
||||
"/task_orders/<task_order_id>/digital_signature", methods=["POST"]
|
||||
)
|
||||
@user_can(None, exceptions=[wrap_check_is_ko])
|
||||
def record_signature(task_order_id):
|
||||
task_order = find_unsigned_ko_to(task_order_id)
|
||||
|
||||
|
||||