0001-api-limit-forms-sent-to-admin-when-backoffice-submis.patch
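--- a/tests/test_api.py
+++ b/tests/test_api.py
@@ -433,6 +433,11 @@
 formdef.fields = []
 formdef.store()
 
+formdef2 = FormDef()
+formdef2.name = 'ignore me'
+formdef2.fields = []
+formdef2.store()
+
 resp = get_app(pub).get('/api/formdefs/?backoffice-submission=on')
 assert resp.json['err'] == 0
 assert len(resp.json['data']) == 0
@@ -451,6 +456,16 @@
 assert resp.json['err'] == 0
 assert len(resp.json['data']) == 0
 
+# ... unless user is admin
+local_user.is_admin = True
+local_user.store()
+resp = get_app(pub).get(sign_uri('/api/formdefs/?backoffice-submission=on&NameID=%s' %
+local_user.name_identifiers[0]))
+assert resp.json['err'] == 0
+assert len(resp.json['data']) == 1
+local_user.is_admin = False
+local_user.store()
+
 # ... unless user has correct roles
 local_user.roles = [role.id]
 local_user.store()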
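Review bot: The admin case added at new lines 459–465 only asserts `len(resp.json['data']) == 1`, which would also pass if the listing returned the 'ignore me' formdef instead of the one that carries backoffice submission roles, so it does not actually pin the behaviour the commit is about (admins no longer seeing forms that have no backoffice submission roles). After the length check, also assert that the single entry in `resp.json['data'][0]` corresponds to `formdef` and not to `formdef2`, using whichever name or slug field the listing returns. It would also help to state the intent in the added comment, e.g. `# ... unless user is admin (still limited to forms with backoffice submission roles)`. The setup for `formdef` and the enclosing test function start before the first hunk, so I cannot confirm from here that `formdef2` is the only formdef without backoffice submission roles at that point.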
wcs/api.py | ||
---|---|---|
388 | 388 |
if not formdef.always_advertise: |
389 | 389 |
continue |
390 | 390 |
authentication_required = True |
391 |
elif backoffice_submission and not list_all_forms:
|
|
391 |
elif backoffice_submission: |
|
392 | 392 |
if not formdef.backoffice_submission_roles: |
393 | 393 |
continue |
394 |
for role in user.roles or []: |
|
395 |
if role in formdef.backoffice_submission_roles: |
|
396 |
break |
|
397 |
else: |
|
398 |
continue |
|
394 |
if not list_all_forms: |
|
395 |
for role in user.roles or []: |
|
396 |
if role in formdef.backoffice_submission_roles: |
|
397 |
break |
|
398 |
else: |
|
399 |
continue |
|
399 | 400 |
elif formdef.roles and user is None and list_all_forms: |
400 | 401 |
# anonymous API call, mark authentication as required |
401 | 402 |
authentication_required = True |
402 |
- |