apply access decorator to routes

2019-03-20 10:47:13 -04:00
parent 0ea21fbb9b
commit de7c69bde7
25 changed files with 198 additions and 59 deletions
--- a/tests/routes/portfolios/test_applications.py
+++ b/tests/routes/portfolios/test_applications.py
@@ -175,7 +175,6 @@ def test_user_with_permission_can_update_application(client, user_session):
    assert application.description == "A very cool application."


-@pytest.mark.auth
 def test_user_without_permission_cannot_update_application(client, user_session):
    dev = UserFactory.create()
    owner = UserFactory.create()
--- a/tests/routes/portfolios/test_invitations.py
+++ b/tests/routes/portfolios/test_invitations.py
@@ -95,7 +95,6 @@ def test_member_accepts_invalid_invite(client, user_session):
    assert response.status_code == 404


-@pytest.mark.auth
 def test_user_who_has_not_accepted_portfolio_invite_cannot_view(client, user_session):
    user = UserFactory.create()
    portfolio = PortfolioFactory.create()
--- a/tests/routes/portfolios/test_members.py
+++ b/tests/routes/portfolios/test_members.py
@@ -60,7 +60,6 @@ def test_user_with_permission_has_add_member_link(client, user_session):
    )


-@pytest.mark.auth
 def test_user_without_permission_has_no_add_member_link(client, user_session):
    user = UserFactory.create()
    portfolio = PortfolioFactory.create()
@@ -73,7 +72,6 @@ def test_user_without_permission_has_no_add_member_link(client, user_session):
    )


-@pytest.mark.auth
 def test_permissions_for_view_member(client, user_session):
    user = UserFactory.create()
    portfolio = PortfolioFactory.create()
--- a/tests/routes/portfolios/test_task_orders.py
+++ b/tests/routes/portfolios/test_task_orders.py
@@ -371,27 +371,6 @@ def test_mo_redirected_to_build_page(client, user_session, portfolio):
    assert response.status_code == 200


-def test_cor_redirected_to_build_page(client, user_session, portfolio):
-    cor = UserFactory.create()
-    PortfolioRoleFactory.create(
-        portfolio=portfolio,
-        user=cor,
-        status=PortfolioStatus.ACTIVE,
-        permission_sets=[
-            PermissionSets.get(PermissionSets.VIEW_PORTFOLIO),
-            PermissionSets.get(PermissionSets.VIEW_PORTFOLIO_FUNDING),
-        ],
-    )
-    task_order = TaskOrderFactory.create(
-        portfolio=portfolio, contracting_officer_representative=cor
-    )
-    user_session(cor)
-    response = client.get(
-        url_for("task_orders.new", screen=1, task_order_id=task_order.id)
-    )
-    assert response.status_code == 200
-
-
 def test_submit_completed_ko_review_page_as_cor(
    client, user_session, pdf_upload, portfolio, user
 ):
@@ -620,6 +599,7 @@ def test_resend_invite_when_officer_type_missing(
    assert len(queue.get_queue()) == queue_length


+@pytest.mark.skip(reason="KO should not be able to resend invites")
 def test_resend_invite_when_ko(app, client, user_session, portfolio, user):
    queue_length = len(queue.get_queue())

--- a/tests/routes/task_orders/test_index.py
+++ b/tests/routes/task_orders/test_index.py
@@ -63,7 +63,6 @@ class TestDownloadCSPEstimate:
        )
        assert response.status_code == 404

-    @pytest.mark.auth
    def test_download_with_wrong_user(self, client, user_session):
        other_user = UserFactory.create()
        user_session(other_user)
--- a/tests/routes/task_orders/test_new_task_order.py
+++ b/tests/routes/task_orders/test_new_task_order.py
@@ -2,11 +2,17 @@ import pytest
 from flask import url_for

 from atst.domain.task_orders import TaskOrders
+from atst.domain.permission_sets import PermissionSets
 from atst.models.attachment import Attachment
 from atst.routes.task_orders.new import ShowTaskOrderWorkflow, UpdateTaskOrderWorkflow
 from atst.utils.localization import translate

-from tests.factories import UserFactory, TaskOrderFactory, PortfolioFactory
+from tests.factories import (
+    UserFactory,
+    TaskOrderFactory,
+    PortfolioFactory,
+    PortfolioRoleFactory,
+)


 class TestShowTaskOrderWorkflow:
@@ -93,8 +99,6 @@ def test_to_on_pf_cannot_edit_pf_attributes():
    assert second_workflow.pf_attributes_read_only


-# TODO: this test will need to be more complicated when we add validation to
-# the forms
 def test_create_new_task_order(client, user_session, pdf_upload):
    creator = UserFactory.create()
    user_session(creator)
@@ -296,6 +300,11 @@ def test_update_task_order_with_existing_task_order(task_order):
 def test_update_to_redirects_to_ko_review(client, user_session, task_order):
    ko = UserFactory.create()
    task_order.contracting_officer = ko
+    PortfolioRoleFactory.create(
+        user=ko,
+        portfolio=task_order.portfolio,
+        permission_sets=[PermissionSets.get(PermissionSets.EDIT_PORTFOLIO_FUNDING)],
+    )
    user_session(ko)
    url = url_for(
        "portfolios.ko_review",
--- a/tests/routes/test_auth.py
+++ b/tests/routes/test_auth.py
@@ -4,7 +4,7 @@ from urllib.parse import quote
 from tests.factories import UserFactory


-PROTECTED_URL = "/portfolios"
+PROTECTED_URL = "/task_orders/new/get_started"


 def test_request_page_with_complete_profile(client, user_session):
--- a/tests/routes/test_authz.py
+++ b/tests/routes/test_authz.py