- Adds an override to the portfolio landing page access check that tests whether the user has access to any applications within the portfolio.
- The route for accepting an application invitation now redirects directly to the portfolio applications route.
- Tests ensure that an application user sees only the apps they have access to on the portfolio landing page.
from flask import render_template
from . import applications_bp
from atst.domain.authz.decorator import user_can_access_decorator as user_can
from atst.models.permissions import Permissions
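def has_portfolio_applications(_user, portfolio=None, **_kwargs):
    """
    Access override for the portfolio landing page.

    Grants access when a portfolio was supplied and its ``applications``
    collection is non-empty.

    Args:
        _user: The requesting user. Not consulted by this check.
        portfolio: The portfolio being viewed, or None if none was resolved.
        **_kwargs: Extra arguments supplied by the caller; ignored.

    Returns:
        True when ``portfolio`` is truthy and has at least one application,
        otherwise False.
    """
    # NOTE(review): _user is never inspected, so this check is only as strict
    # as the object passed in. It is correct only if ``portfolio.applications``
    # is already filtered to the applications the current user may see (a
    # "scoped" portfolio). With an unscoped portfolio, any non-empty portfolio
    # would satisfy the override for every user -- confirm what the access
    # decorator passes as ``portfolio``.
    if portfolio and portfolio.applications:
        return True
    # Deny explicitly instead of falling off the end with an implicit None,
    # so the outcome of this authorization predicate is always a bool.
    return False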
@applications_bp.route("/portfolios/<portfolio_id>/applications")
@user_can(
    # Permission named for this view.
    Permissions.VIEW_APPLICATION,
    # Alternative check supplied to the decorator; how it is combined with
    # the permission above is decided inside user_can, not here.
    override=has_portfolio_applications,
    message="view portfolio applications",
)
def portfolio_applications(portfolio_id):
    """
    Render the applications index page for a portfolio.

    Access is gated by the ``user_can`` decorator, configured with
    ``Permissions.VIEW_APPLICATION`` and the ``has_portfolio_applications``
    override.

    Args:
        portfolio_id: Portfolio identifier captured from the URL. It is not
            used in this function body.

    Returns:
        The rendered ``portfolios/applications/index.html`` template.
    """
    # NOTE(review): no context is passed to the template, so whatever it
    # lists is resolved elsewhere. Since the override can admit users who
    # lack VIEW_APPLICATION on the whole portfolio, confirm the template
    # only receives applications the current user may view.
    template_name = "portfolios/applications/index.html"
    return render_template(template_name)