I completely missed pushing up my changes last night before handing back over to Carlos. Sorry about that.

Added checks to assure the approver matches g.uid of the current user - otherwise don't modify the approval record.
2025-02-22 20:58:28 +00:00 · 2020-06-02 07:43:19 -04:00 · 2020-06-02 07:43:19 -04:00 · d8329e9eff
commit d8329e9eff
parent 4090667a5d
3 changed files with 53 additions and 45 deletions
--- a/crc/api/approval.py
+++ b/crc/api/approval.py
@ -34,6 +34,9 @@ def update_approval(approval_id, body):
        raise ApiError('unknown_approval', 'The approval "' + str(approval_id) + '" is not recognized.')
    approval: Approval = ApprovalSchema().load(body)
    if approval_model.approver_uid != g.user.uid:
        raise ApiError("not_your_approval", "You may not modify this approval. It belongs to another user.")
    approval.update_model(approval_model)
    session.commit()
--- a/crc/models/approval.py
+++ b/crc/models/approval.py
@ -128,8 +128,8 @@ class ApprovalSchema(ma.Schema):
    class Meta:
        model = Approval
        fields = ["id", "study_id", "workflow_id", "version", "title",
-            "version", "status", "message", "approver", "primary_investigator",
+                  "status", "message", "approver", "primary_investigator",
-            "associated_files", "date_created"]
+                  "associated_files", "date_created"]
        unknown = INCLUDE
    @marshmallow.post_load
--- a/tests/test_approvals_api.py
+++ b/tests/test_approvals_api.py
@ -5,35 +5,6 @@ from crc import app, db, session
 from crc.models.approval import ApprovalModel, ApprovalSchema, ApprovalStatus
 APPROVAL_PAYLOAD = {
    'id': None,
    'approver': {
      'uid': 'bgb22',
      'display_name': 'Billy Bob (bgb22)',
      'title': 'E42:He\'s a hoopy frood',
      'department': 'E0:EN-Eng Study of Parallel Universes'
    },
    'title': 'El Study',
    'status': 'DECLINED',
    'version': 1,
    'message': 'Incorrect documents',
    'associated_files': [
      {
        'id': 42,
        'name': 'File 1',
        'content_type': 'document'
      },
      {
        'id': 43,
        'name': 'File 2',
        'content_type': 'document'
      }
    ],
    'workflow_id': 1,
    'study_id': 1
 }
 class TestApprovals(BaseTest):
    def setUp(self):
        """Initial setup shared by all TestApprovals tests"""
@ -98,25 +69,59 @@ class TestApprovals(BaseTest):
        response_count = len(response)
        self.assertEqual(1, response_count)
    def test_update_approval_fails_if_not_the_approver(self):
        approval = session.query(ApprovalModel).filter_by(approver_uid='arc93').first()
        data = {'id': approval.id,
                "approver_uid": "dhf8r",
                'message': "Approved.  I like the cut of your jib.",
                'status': ApprovalStatus.APPROVED.value}
        self.assertEqual(approval.status, ApprovalStatus.PENDING.value)
-
+        rv = self.app.put(f'/v1.0/approval/{approval.id}',
    def test_update_approval(self):
        """Approval status will be updated"""
        approval_id = self.approval.id
        data = dict(APPROVAL_PAYLOAD)
        data['id'] = approval_id
        self.assertEqual(self.approval.status, ApprovalStatus.PENDING.value)
        rv = self.app.put(f'/v1.0/approval/{approval_id}',
                          content_type="application/json",
-                          headers=self.logged_in_headers(),
+                          headers=self.logged_in_headers(),  # As dhf8r
                          data=json.dumps(data))
        self.assert_failure(rv)
    def test_accept_approval(self):
        approval = session.query(ApprovalModel).filter_by(approver_uid='dhf8r').first()
        data = {'id': approval.id,
                "approver_uid": "dhf8r",
                'message': "Approved.  I like the cut of your jib.",
                'status': ApprovalStatus.APPROVED.value}
        self.assertEqual(approval.status, ApprovalStatus.PENDING.value)
        rv = self.app.put(f'/v1.0/approval/{approval.id}',
                          content_type="application/json",
                          headers=self.logged_in_headers(),  # As dhf8r
                          data=json.dumps(data))
        self.assert_success(rv)
-        session.refresh(self.approval)
+        session.refresh(approval)
        # Updated record should now have the data sent to the endpoint
-        self.assertEqual(self.approval.message, data['message'])
+        self.assertEqual(approval.message, data['message'])
-        self.assertEqual(self.approval.status, ApprovalStatus.DECLINED.value)
+        self.assertEqual(approval.status, ApprovalStatus.APPROVED.value)
    def test_decline_approval(self):
        approval = session.query(ApprovalModel).filter_by(approver_uid='dhf8r').first()
        data = {'id': approval.id,
                "approver_uid": "dhf8r",
                'message': "Approved.  I find the cut of your jib lacking.",
                'status': ApprovalStatus.DECLINED.value}
        self.assertEqual(approval.status, ApprovalStatus.PENDING.value)
        rv = self.app.put(f'/v1.0/approval/{approval.id}',
                          content_type="application/json",
                          headers=self.logged_in_headers(),  # As dhf8r
                          data=json.dumps(data))
        self.assert_success(rv)
        session.refresh(approval)
        # Updated record should now have the data sent to the endpoint
        self.assertEqual(approval.message, data['message'])
        self.assertEqual(approval.status, ApprovalStatus.DECLINED.value)