0001-api-limit-forms-sent-to-admin-when-backoffice-submis.patch
tests/test_api.py | ||
---|---|---|
419 | 419 |
assert resp1.json['data'][0]['redirection'] == True |
420 | 420 |
assert 'count' not in resp1.json['data'][0] |
421 | 421 | |
422 |
def test_backoffice_submission_formdef_list(pub, local_user): |
|
422 |
def test_backoffice_submission_formdef_list(pub, admin_user, local_user):
|
|
423 | 423 |
Role.wipe() |
424 | 424 |
role = Role(name='Foo bar') |
425 | 425 |
role.id = '14' |
... | ... | |
433 | 433 |
formdef.fields = [] |
434 | 434 |
formdef.store() |
435 | 435 | |
436 |
formdef2 = FormDef() |
|
437 |
formdef2.name = 'ignore me' |
|
438 |
formdef2.fields = [] |
|
439 |
formdef2.store() |
|
440 | ||
436 | 441 |
resp = get_app(pub).get('/api/formdefs/?backoffice-submission=on') |
437 | 442 |
assert resp.json['err'] == 0 |
438 | 443 |
assert len(resp.json['data']) == 0 |
... | ... | |
451 | 456 |
assert resp.json['err'] == 0 |
452 | 457 |
assert len(resp.json['data']) == 0 |
453 | 458 | |
459 |
# ... unless user is admin |
|
460 |
resp = get_app(pub).get(sign_uri('/api/formdefs/?backoffice-submission=on&NameID=%s' % |
|
461 |
admin_user.name_identifiers[0])) |
|
462 |
assert resp.json['err'] == 0 |
|
463 |
assert len(resp.json['data']) == 1 |
|
464 | ||
454 | 465 |
# ... unless user has correct roles |
455 | 466 |
local_user.roles = [role.id] |
456 | 467 |
local_user.store() |
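Review bot: The new admin assertion at line 463 only checks `len(resp.json['data']) == 1`, so it would still pass if the admin were handed `formdef2` ('ignore me', no backoffice_submission_roles) instead of `formdef`, which is precisely the case this patch is meant to exclude. Add a check that the single returned entry is `formdef`, e.g. by comparing the name/title field the payload carries (its key is not visible in this hunk) against `formdef.name`, and consider a third form whose backoffice_submission_roles is a role the admin does not hold, so the test pins down whether admins bypass the per-role filter or not. test_backoffice_submission_formdef_list continues past the end of the hunk.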
wcs/api.py | ||
---|---|---|
388 | 388 |
if not formdef.always_advertise: |
389 | 389 |
continue |
390 | 390 |
authentication_required = True |
391 |
elif backoffice_submission and not list_all_forms:
|
|
391 |
elif backoffice_submission: |
|
392 | 392 |
if not formdef.backoffice_submission_roles: |
393 | 393 |
continue |
394 |
for role in user.roles or []: |
|
395 |
if role in formdef.backoffice_submission_roles: |
|
396 |
break |
|
397 |
else: |
|
398 |
continue |
|
394 |
if list_all_forms: |
|
395 |
for role in user.roles or []: |
|
396 |
if role in formdef.backoffice_submission_roles: |
|
397 |
break |
|
398 |
else: |
|
399 |
continue |
|
399 | 400 |
elif formdef.roles and user is None and list_all_forms: |
400 | 401 |
# anonymous API call, mark authentication as required |
401 | 402 |
authentication_required = True |
402 |
- |
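Review bot: The guard at new line 394 reads `if list_all_forms:`, which applies the per-role filter only in the admin/list-all case and skips it for ordinary backoffice users: a signed-in user holding none of a form's backoffice_submission_roles is no longer filtered out by this branch, while the admin test added in the same patch expects the admin to still see the form. Unless an earlier check outside the hunk already filters non-admin users by role, this looks inverted and should be `if not list_all_forms:` — admins limited to forms that have backoffice_submission_roles set, everyone else additionally matched against their own roles. Note also that `user.roles` is dereferenced inside the guard, while the following `elif` at line 400 still admits `user is None` together with `list_all_forms`; if an anonymous backoffice-submission request can reach this loop, it raises AttributeError instead of returning an empty list. The enclosing function starts before the hunk.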