From 0d00f7668f7f567edf8b9bebb0b8fb946cb97a90 Mon Sep 17 00:00:00 2001
From: edmondsgarrett <43251554+edmondsgarrett@users.noreply.github.com>
Date: Thu, 2 Nov 2023 10:28:27 -0500
Subject: [PATCH] task/WP-347: Restrict registration renewal access (#239)

* Check user role and if queried reg_id is within registrations associated w/ user's submitter code

* Some linting + code cleanup

* Redirect to register/request-to-submit if not authorized
---
 apcd-cms/src/apps/registrations/views.py       | 24 +++++++++++++------
 .../list_submitter_registrations.html          |  7 +++---
 .../apps/submitter_renewals_listing/views.py   |  8 +++----
 3 files changed, 25 insertions(+), 14 deletions(-)

diff --git a/apcd-cms/src/apps/registrations/views.py b/apcd-cms/src/apps/registrations/views.py
index 5f3d21ef..9a2b63aa 100644
--- a/apcd-cms/src/apps/registrations/views.py
+++ b/apcd-cms/src/apps/registrations/views.py
@@ -1,13 +1,16 @@
 from apps.utils import apcd_database
 from apps.utils.apcd_groups import has_apcd_group
 from apps.utils.registrations_data_formatting import _set_registration
+from apps.submitter_renewals_listing.views import get_submitter_code
 from django.conf import settings
 from django.http import HttpResponse, HttpResponseRedirect
 from django.template import loader
 from django.views.generic import View
+from django.shortcuts import redirect
 from requests.auth import HTTPBasicAuth
 import logging
 import rt
+import json
 
 logger = logging.getLogger(__name__)
 
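Review bot: The new `from apps.submitter_renewals_listing.views import get_submitter_code` line pulls a view function into another app's views module only so that its `HttpResponse` can be decoded with the newly imported `json` further down in this file. A plain helper that returns the submitter code directly (for instance next to the registration queries already living in `apps.utils.apcd_database`) would avoid the response round trip and the import-cycle risk if `submitter_renewals_listing/views.py`, which this commit also touches per the diffstat, imports anything from `apps.registrations`. The cycle is inferred from the diffstat rather than visible in this hunk, so it is worth a quick check before merging.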
@@ -21,13 +24,20 @@ class SubmissionFormView(View):
     def get(self, request):
         formatted_reg_data = []
         renew = False
-        if 'reg_id' in request.GET:
-            reg_id = request.GET.get('reg_id')
-            renew = True
-            registration_content = apcd_database.get_registrations(reg_id)[0]
-            registration_entities = apcd_database.get_registration_entities(reg_id)
-            registration_contacts = apcd_database.get_registration_contacts(reg_id)
-            formatted_reg_data = _set_registration(registration_content, registration_entities, registration_contacts)
+        reg_id = request.GET.get('reg_id', None)
+        if reg_id and (apcd_database.get_user_role(request.user.username) in ['APCD_ADMIN', 'SUBMITTER_ADMIN']):
+            try:
+                response = get_submitter_code(request.user)
+                submitter_code = json.loads(response.content)['submitter_code']
+                submitter_registrations = apcd_database.get_registrations(submitter_code=submitter_code)
+                registration_content = [registration for registration in submitter_registrations if registration[0] == int(reg_id)][0]
+                registration_entities = apcd_database.get_registration_entities(reg_id=reg_id)
+                registration_contacts = apcd_database.get_registration_contacts(reg_id=reg_id)
+                renew = True
+                formatted_reg_data = _set_registration(registration_content, registration_entities, registration_contacts)
+            except Exception as exception:
+                logger.error(exception)
+                return redirect('/register/request-to-submit/')
         if (request.user.is_authenticated and has_apcd_group(request.user)):
             template = loader.get_template('submission_form/submission_form.html')
             return HttpResponse(template.render({'r': formatted_reg_data, 'renew': renew}, request))
diff --git a/apcd-cms/src/apps/submitter_renewals_listing/templates/list_submitter_registrations.html b/apcd-cms/src/apps/submitter_renewals_listing/templates/list_submitter_registrations.html
index 7ac98c05..86e5ba4d 100644
--- a/apcd-cms/src/apps/submitter_renewals_listing/templates/list_submitter_registrations.html
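Review bot: The role check on the new `if reg_id and (apcd_database.get_user_role(request.user.username) in [...])` line runs before the `request.user.is_authenticated` test further down, so an anonymous request carrying `reg_id` sends an empty username into `get_user_role`, and an authenticated user who lacks both roles is not redirected at all but falls through with `renew` still False and is served the blank form — the commit message says unauthorized renewals should redirect to request-to-submit. Turn the role test into an explicit guard that requires authentication and redirects on failure, and keep the try/except only around the submitter-code and ownership lookup. The `except Exception` also reports DB or JSON failures from `get_submitter_code` as if they were an ownership miss, and `logger.error(exception)` for the `IndexError` raised by `[...][0]` records nothing but "list index out of range"; include `reg_id` and the username so a denied access is traceable. If `APCD_ADMIN` is meant to renew any registration, note that the submitter-code filter now limits that role too (inferred from the role list, worth confirming); `get` continues past the hunk, so the unauthenticated fall-through path is not visible here.
```python
        reg_id = request.GET.get('reg_id', None)
        if reg_id:
            # Authenticate before querying the role: AnonymousUser has username ''.
            if not request.user.is_authenticated or apcd_database.get_user_role(request.user.username) not in ['APCD_ADMIN', 'SUBMITTER_ADMIN']:
                return redirect('/register/request-to-submit/')
            try:
                # … unchanged: submitter-code lookup, ownership filter, _set_registration …
            except Exception as exception:
                logger.error("reg_id %s not available to user %s: %s", reg_id, request.user.username, exception)
                return redirect('/register/request-to-submit/')
```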
+++ b/apcd-cms/src/apps/submitter_renewals_listing/templates/list_submitter_registrations.html
@@ -114,11 +114,12 @@