fixing reviewer access to assigned engagements (#1979)

met-api/src/met_api/services/engagement_service.py

@@ -43,7 +43,8 @@ def get_engagement(engagement_id) -> EngagementSchema:
             if engagement_model.status_id in (Status.Draft.value, Status.Scheduled.value):
                 one_of_roles = (
                     MembershipType.TEAM_MEMBER.name,
-                    Role.VIEW_ENGAGEMENT.value
+                    MembershipType.REVIEWER.name,
+                    Role.VIEW_ALL_ENGAGEMENTS.value
                 )
                 authorization.check_auth(one_of_roles=one_of_roles, engagement_id=engagement_id)
 

met-api/src/met_api/utils/roles.py

@@ -52,3 +52,4 @@ class Role(Enum):
     VIEW_APPROVED_COMMENTS = 'view_approved_comments'
     VIEW_UNAPPROVED_COMMENTS = 'view_unapproved_comments'
     VIEW_FEEDBACKS = 'view_feedbacks'
+    VIEW_ALL_ENGAGEMENTS = 'view_all_engagements'  # Allows user access to all engagements including draft

met-api/tests/unit/api/test_engagement.py

@@ -128,10 +128,10 @@ def test_get_engagements_reviewer(client, jwt, session, engagement_info):  # pyl
 
     factory_membership_model(user_id=user.id, engagement_id=eng_id, member_type='REVIEWER')
 
-    # Reveiwer has no access to draft engagement
+    # Reveiwer has access to draft engagement if he is assigned
     rv = client.get(f'/api/engagements/{eng_id}',
                     headers=headers, content_type=ContentType.JSON.value)
-    assert rv.status_code == HTTPStatus.FORBIDDEN.value
+    assert rv.status_code == HTTPStatus.OK.value
 
 
 @pytest.mark.parametrize('engagement_info', [TestEngagementInfo.engagement1])

met-api/tests/utilities/factory_scenarios.py

@@ -297,6 +297,7 @@ class TestJwtClaims(dict, Enum):
                 'edit_members',
                 'review_comments',
                 'review_all_comments',
+                'view_all_engagements',
             ]
         }
     }