From dee14b98bea537442c4b51578e91dd96a74be637 Mon Sep 17 00:00:00 2001
From: George Drummond
Date: Mon, 1 Apr 2019 10:44:53 -0400
Subject: [PATCH] Remove portfolio permissions when role is disabled
---
 atst/domain/authz/__init__.py | 4 +++-
 tests/domain/test_authz.py | 9 +++++++++
 tests/routes/portfolios/test_portfolios_index.py | 3 ++-
 3 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/atst/domain/authz/__init__.py b/atst/domain/authz/__init__.py
index 6e8cdfea..37e06ab8 100644
--- a/atst/domain/authz/__init__.py
+++ b/atst/domain/authz/__init__.py
@@ -1,6 +1,8 @@
 from atst.utils import first_or_none
 from atst.models.permissions import Permissions
 from atst.domain.exceptions import UnauthorizedError
+from atst.domain.portfolio_roles import PortfolioRoles
+from atst.models.portfolio_role import Status as PortfolioRoleStatus
 class Authorization(object):
@@ -9,7 +11,7 @@ class Authorization(object):
 port_role = first_or_none(
 lambda pr: pr.portfolio == portfolio, user.portfolio_roles
 )
- if port_role:
+ if port_role and port_role.status is not PortfolioRoleStatus.DISABLED:
 return permission in port_role.permissions
 else:
 return False
diff --git a/tests/domain/test_authz.py b/tests/domain/test_authz.py
index bbd6ecba..37749533 100644
--- a/tests/domain/test_authz.py
+++ b/tests/domain/test_authz.py
@@ -11,6 +11,7 @@ from atst.domain.authz.decorator import user_can_access_decorator
 from atst.domain.permission_sets import PermissionSets
 from atst.domain.exceptions import UnauthorizedError
 from atst.models.permissions import Permissions
+from atst.domain.portfolio_roles import PortfolioRoles
 from tests.utils import FakeLogger
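Review bot: `PortfolioRoles` is imported in the first hunk of `atst/domain/authz/__init__.py`, but no added line in this file uses it; the new condition only references `PortfolioRoleStatus`. Drop `from atst.domain.portfolio_roles import PortfolioRoles`. Apart from being dead code, it makes the authorization module depend on another domain module, which would become a circular import if `atst.domain.portfolio_roles` imports from `atst.domain.authz` (not visible in this diff).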
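Review bot: The new test `port_role.status is not PortfolioRoleStatus.DISABLED` is a deny-list, so every status other than DISABLED still reaches `return permission in port_role.permissions`. If the `Status` enum has other non-active members, such as a pending-invitation state (the enum is not shown here), a role in that state keeps its portfolio permissions. An authorization check should fail closed by naming the one status that grants access, e.g. `if port_role and port_role.status is PortfolioRoleStatus.ACTIVE:`, assuming the enum defines such a member. The enclosing method starts above the hunk, and the diff does not show whether other permission checks in `Authorization` apply the same status test.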
@@ -101,6 +102,14 @@ def test_user_can_access():
 view_admin, Permissions.EDIT_PORTFOLIO_NAME, portfolio=portfolio
 )
+ # check when portfolio_role is disabled
+ view_admin_pr = PortfolioRoles.get(portfolio_id=portfolio.id, user_id=view_admin.id)
+ PortfolioRoles.disable(portfolio_role=view_admin_pr)
+ with pytest.raises(UnauthorizedError):
+ user_can_access(
+ view_admin, Permissions.EDIT_PORTFOLIO_NAME, portfolio=portfolio
+ )
+
 @pytest.fixture
 def set_current_user(request_ctx):
diff --git a/tests/routes/portfolios/test_portfolios_index.py b/tests/routes/portfolios/test_portfolios_index.py
index d7d6b4dd..29672f9c 100644
--- a/tests/routes/portfolios/test_portfolios_index.py
+++ b/tests/routes/portfolios/test_portfolios_index.py
@@ -2,7 +2,8 @@ from flask import url_for
 from atst.domain.permission_sets import PermissionSets
 from atst.models.permissions import Permissions
-from atst.domain.portfolio_roles import PortfolioRoles, Status as PortfolioRoleStatus
+from atst.domain.portfolio_roles import PortfolioRoles
+from atst.models.portfolio_role import Status as PortfolioRoleStatus
 from tests.factories import (
 random_future_date,
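Review bot: The added block in `test_user_can_access` asserts `UnauthorizedError` for `view_admin` with `Permissions.EDIT_PORTFOLIO_NAME`, the same user and permission as the call whose tail forms the hunk's first two context lines. If that earlier call is already expected to raise (its opening lines are above the hunk), this assertion passes with or without the new status check, so it does not test the change. Pick a permission the role actually holds, assert `user_can_access(...)` succeeds for it before `PortfolioRoles.disable(portfolio_role=view_admin_pr)`, and assert that the same call raises afterwards.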