0001-api-respect-only_allow_one-in-form-submit-API-10580.patch

Frédéric Péters, 25 mai 2016 09:33



Subject: [PATCH] api: respect only_allow_one in form submit API (#10580)

 tests/test_api.py | 34 ++++++++++++++++++++++++++++++++++
 wcs/api.py        |  6 ++++++
 2 files changed, 40 insertions(+)
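--- a/tests/test_api.py
+++ b/tests/test_api.py
@@ -438,6 +438,40 @@
 
     data_class.wipe()
 
+def test_formdef_submit_only_one(pub, local_user):
+    Role.wipe()
+    role = Role(name='test')
+    role.store()
+    local_user.roles = [role.id]
+    local_user.store()
+
+    FormDef.wipe()
+    formdef = FormDef()
+    formdef.name = 'test'
+    formdef.only_allow_one = True
+    formdef.fields = [fields.StringField(id='0', label='foobar')]
+    formdef.store()
+    data_class = formdef.data_class()
+
+    signed_url = sign_url('http://example.net/api/formdefs/test/submit' +
+            '?format=json&orig=coucou&email=%s' % urllib.quote(local_user.email), '1234')
+    url = signed_url[len('http://example.net'):]
+    resp = get_app(pub).post_json(url, {'data': {}})
+    assert data_class.get(resp.json['data']['id']).user_id == str(local_user.id)
+
+    assert data_class.count() == 1
+
+    resp = get_app(pub).post_json(url, {'data': {}}, status=403)
+    assert resp.json['err'] == 1
+    assert resp.json['err_desc'] == 'only one formdata by user is allowed'
+
+    formdata = data_class.select()[0]
+    formdata.user_id = '1000' # change owner
+    formdata.store()
+
+    resp = get_app(pub).post_json(url, {'data': {}}, status=200)
+    assert data_class.get(resp.json['data']['id']).user_id == str(local_user.id)
+    assert data_class.count() == 2
 
 def test_formdef_submit_with_varname(pub, local_user):
     NamedDataSource.wipe()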
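Review bot: After the rejected submit (new line 464, `status=403`) the test checks only the error body, not that the refused request left nothing behind in storage. Adding `assert data_class.count() == 1` right after the `err_desc` assertion would pin that the limit actually blocks persistence rather than just changing the response. The test also covers only the signed `email=` path; the case where the guard is skipped because no user is resolved is not exercised, so a regression that drops the user binding would still pass here.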
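--- a/wcs/api.py
+++ b/wcs/api.py
@@ -219,6 +219,12 @@
             formdata.submission_channel = formdata.submission_context.pop('channel', None)
             formdata.user_id = formdata.submission_context.pop('user_id', None)
 
+        if self.formdef.only_allow_one and formdata.user_id:
+            user_id = formdata.user_id
+            user_forms = self.formdef.data_class().get_with_indexed_value('user_id', user_id)
+            if user_forms:
+                raise AccessForbiddenError('only one formdata by user is allowed')
+
         if meta.get('backoffice-submission'):
             # keep track of the agent that did the submit
             if not formdata.submission_context: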
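Review bot: The `only_allow_one` guard at new lines 222-226 is a lookup that is not atomic with the store, which presumably happens later in this method, outside the hunk. Two concurrent signed submits for the same user could therefore both see an empty `user_forms` and both be accepted. If the limit is meant as an enforcement control, it needs a per-user lock or a storage-level uniqueness check; otherwise say so in place, e.g. `# best-effort: not atomic with the store below, concurrent submits may both pass`. The guard is also skipped whenever `formdata.user_id` is empty, so submissions with no resolved user are never limited, and a short comment should state whether that is intended. It is also worth confirming that `get_with_indexed_value` returns a list on every storage backend, since a lazy iterator would make `if user_forms:` always true.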
225
-