0001-api-respect-only_allow_one-in-form-submit-API-10580.patch
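--- a/tests/test_api.py
+++ b/tests/test_api.py
@@ -438,6 +438,40 @@
 
 data_class.wipe()
 
+def test_formdef_submit_only_one(pub, local_user):
+Role.wipe()
+role = Role(name='test')
+role.store()
+local_user.roles = [role.id]
+local_user.store()
+
+FormDef.wipe()
+formdef = FormDef()
+formdef.name = 'test'
+formdef.only_allow_one = True
+formdef.fields = [fields.StringField(id='0', label='foobar')]
+formdef.store()
+data_class = formdef.data_class()
+
+signed_url = sign_url('http://example.net/api/formdefs/test/submit' +
+'?format=json&orig=coucou&email=%s' % urllib.quote(local_user.email), '1234')
+url = signed_url[len('http://example.net'):]
+resp = get_app(pub).post_json(url, {'data': {}})
+assert data_class.get(resp.json['data']['id']).user_id == str(local_user.id)
+
+assert data_class.count() == 1
+
+resp = get_app(pub).post_json(url, {'data': {}}, status=403)
+assert resp.json['err'] == 1
+assert resp.json['err_desc'] == 'only one formdata by user is allowed'
+
+formdata = data_class.select()[0]
+formdata.user_id = '1000' # change owner
+formdata.store()
+
+resp = get_app(pub).post_json(url, {'data': {}}, status=200)
+assert data_class.get(resp.json['data']['id']).user_id == str(local_user.id)
+assert data_class.count() == 2
 
 def test_formdef_submit_with_varname(pub, local_user):
 NamedDataSource.wipe()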
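Review bot: `test_formdef_submit_only_one` only exercises the limit for a user resolved from the `email` parameter of the signed URL; the case where no user is attached to the submission is not pinned. The guard added in wcs/api.py is skipped when `formdata.user_id` is falsy, so a later change could start or stop limiting anonymous submissions without any test failing. I would add a second block that signs the same URL without `email`, posts twice, and asserts that both calls return 200 and that `data_class.count()` grows by two.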
wcs/api.py | ||
---|---|---|
219 | 219 |
formdata.submission_channel = formdata.submission_context.pop('channel', None) |
220 | 220 |
formdata.user_id = formdata.submission_context.pop('user_id', None) |
221 | 221 | |
222 |
if self.formdef.only_allow_one and formdata.user_id: |
|
223 |
user_id = formdata.user_id |
|
224 |
user_forms = self.formdef.data_class().get_with_indexed_value('user_id', user_id) |
|
225 |
if user_forms: |
|
226 |
raise AccessForbiddenError('only one formdata by user is allowed') |
|
227 | ||
222 | 228 |
if meta.get('backoffice-submission'): |
223 | 229 |
# keep track of the agent that did the submit |
224 | 230 |
if not formdata.submission_context: |
225 |
- |
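Review bot: The new `only_allow_one` guard is a check-then-act sequence: it looks up existing formdata for `user_id` and raises, but the store happens later and outside this hunk, so two concurrent signed submissions for the same user could both see an empty result and both be saved. If the storage layer can serialise this (a lock around lookup and store, or a re-check after storing), the limit should be enforced there; otherwise state the limitation with a comment such as `# best effort: lookup and store are not atomic, concurrent submissions can both pass`. The guard is also skipped whenever `formdata.user_id` is falsy, so submissions with no resolved user are never limited; a one-line comment saying this is intentional would help the next reader. The enclosing method starts and ends outside the hunk.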