4105 |
4105 |
|
4106 |
4106 |
Role.wipe()
|
4107 |
4107 |
role = Role(name='xxx')
|
|
4108 |
role.allows_backoffice_access = False
|
4108 |
4109 |
role.store()
|
4109 |
4110 |
|
4110 |
4111 |
jump.by = [role.id]
|
... | ... | |
4919 |
4920 |
resp = resp.form.submit('submit')
|
4920 |
4921 |
resp = resp.form.submit('submit')
|
4921 |
4922 |
assert emails.get('New form2 (test condition on action)')
|
|
4923 |
|
|
4924 |
def test_manager_public_access(pub):
|
|
4925 |
user, manager = create_user_and_admin(pub)
|
|
4926 |
|
|
4927 |
Role.wipe()
|
|
4928 |
role = Role(name='xxx')
|
|
4929 |
role.store()
|
|
4930 |
|
|
4931 |
manager.is_admin = False
|
|
4932 |
manager.roles = [role.id]
|
|
4933 |
manager.store()
|
|
4934 |
assert manager.can_go_in_backoffice()
|
|
4935 |
|
|
4936 |
formdef = create_formdef()
|
|
4937 |
formdef.workflow_roles = {'_receiver': role.id}
|
|
4938 |
formdef.store()
|
|
4939 |
|
|
4940 |
formdata = formdef.data_class()()
|
|
4941 |
formdata.user_id = user.id
|
|
4942 |
formdata.data = {}
|
|
4943 |
formdata.just_created()
|
|
4944 |
formdata.store()
|
|
4945 |
|
|
4946 |
# user access to own formdata
|
|
4947 |
app = login(get_app(pub), username='foo', password='foo')
|
|
4948 |
resp = app.get(formdata.get_url())
|
|
4949 |
assert 'The form has been recorded' in resp.body
|
|
4950 |
|
|
4951 |
# agent access to formdata
|
|
4952 |
app = login(get_app(pub), username='admin', password='admin')
|
|
4953 |
resp = app.get(formdata.get_url())
|
|
4954 |
assert resp.location == formdata.get_url(backoffice=True)
|
|
4955 |
resp = resp.follow()
|
|
4956 |
assert 'The form has been recorded' in resp.body
|
|
4957 |
|
|
4958 |
# agent access to an unauthorized formdata
|
|
4959 |
formdef.workflow_roles = {'_receiver': None}
|
|
4960 |
formdef.store()
|
|
4961 |
resp = app.get(formdata.get_url(), status=403)
|
|
4962 |
|
|
4963 |
# agent access via a tracking code (stays in frontoffice)
|
|
4964 |
formdef.workflow_roles = {'_receiver': role.id}
|
|
4965 |
formdef.enable_tracking_codes = True
|
|
4966 |
formdef.store()
|
|
4967 |
|
|
4968 |
code = pub.tracking_code_class()
|
|
4969 |
code.formdata = formdata
|
|
4970 |
code.store()
|
|
4971 |
|
|
4972 |
resp = app.get('/code/%s/load' % code.id)
|
|
4973 |
resp = resp.follow() # -> /test/1
|
|
4974 |
assert not 'backoffice' in resp.location
|
|
4975 |
resp = resp.follow() # -> /test/1/
|
|
4976 |
assert 'The form has been recorded' in resp.body
|
|
4977 |
|
|
4978 |
# authorized access but not backoffice access
|
|
4979 |
app = login(get_app(pub), username='admin', password='admin') # reset session
|
|
4980 |
resp = app.get(formdata.get_url())
|
|
4981 |
assert resp.location == formdata.get_url(backoffice=True) # check tracking code is no longer effective
|
|
4982 |
role.allows_backoffice_access = False
|
|
4983 |
role.store()
|
|
4984 |
resp = app.get(formdata.get_url())
|
|
4985 |
assert 'The form has been recorded' in resp.body
|
|
4986 |
|
|
4987 |
# agent access to own formdata (stays in frontoffice)
|
|
4988 |
formdata = formdef.data_class()()
|
|
4989 |
formdata.user_id = manager.id
|
|
4990 |
formdata.data = {}
|
|
4991 |
formdata.just_created()
|
|
4992 |
formdata.store()
|
|
4993 |
resp = app.get(formdata.get_url())
|
|
4994 |
assert 'The form has been recorded' in resp.body
|
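Review bot: The "authorized access but not backoffice access" step (new lines 4978-4985) only asserts that the frontoffice page renders after `role.allows_backoffice_access = False`; nothing checks that the backoffice side is actually refused for this agent. A regression that keeps serving the backoffice view to a role without backoffice access would still pass this test. Consider a negative check right after the second `role.store()`, such as `app.get(formdata.get_url(backoffice=True), status=403)`; the 403 is assumed from the unauthorized-formdata case earlier in the test, so confirm the status that view really returns. Minor style point: `assert not 'backoffice' in resp.location` is clearer as `assert 'backoffice' not in resp.location`.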