
0001-api-limit-forms-sent-to-admin-when-backoffice-submis.patch

Frédéric Péters, 10 août 2018 11:58



Subject: [PATCH] api: limit forms sent to admin when backoffice submission is
 requested (#25626)

 tests/test_api.py | 15 +++++++++++++++
 wcs/api.py        | 13 +++++++------
 2 files changed, 22 insertions(+), 6 deletions(-)
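--- a/tests/test_api.py
+++ b/tests/test_api.py
@@ -433,6 +433,11 @@
     formdef.fields = []
     formdef.store()
 
+    formdef2 = FormDef()
+    formdef2.name = 'ignore me'
+    formdef2.fields = []
+    formdef2.store()
+
     resp = get_app(pub).get('/api/formdefs/?backoffice-submission=on')
     assert resp.json['err'] == 0
     assert len(resp.json['data']) == 0
@@ -451,6 +456,16 @@
     assert resp.json['err'] == 0
     assert len(resp.json['data']) == 0
 
+    # ... unless user is admin
+    local_user.is_admin = True
+    local_user.store()
+    resp = get_app(pub).get(sign_uri('/api/formdefs/?backoffice-submission=on&NameID=%s' %
+                                     local_user.name_identifiers[0]))
+    assert resp.json['err'] == 0
+    assert len(resp.json['data']) == 1
+    local_user.is_admin = False
+    local_user.store()
+
     # ... unless user has correct roles
     local_user.roles = [role.id]
     local_user.store()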
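Review bot: The admin block added at new lines 459-467 asserts only that exactly one form comes back, not which one, so a regression that returned `formdef2` ('ignore me') instead of the form carrying backoffice submission roles would still pass; pinning the returned entry's identity (using whichever title or slug key the other `resp.json['data']` assertions in this file rely on) would make the test check what the commit message promises. The `is_admin` reset at new lines 466-467 only runs if the assertions before it pass, so a failing assert leaves `local_user` as admin for the rest of the test; unless a fixture rebuilds the user, a `try/finally` around the admin case, or moving it to the end of the test, avoids that leakage. The enclosing test function starts outside this section.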
wcs/api.py
388 388
                        if not formdef.always_advertise:
389 389
                            continue
390 390
                        authentication_required = True
391
            elif backoffice_submission and not list_all_forms:
391
            elif backoffice_submission:
392 392
                if not formdef.backoffice_submission_roles:
393 393
                    continue
394
                for role in user.roles or []:
395
                    if role in formdef.backoffice_submission_roles:
396
                        break
397
                else:
398
                    continue
394
                if not list_all_forms:
395
                    for role in user.roles or []:
396
                        if role in formdef.backoffice_submission_roles:
397
                            break
398
                    else:
399
                        continue
399 400
            elif formdef.roles and user is None and list_all_forms:
400 401
                # anonymous API call, mark authentication as required
401 402
                authentication_required = True
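Review bot: The new `if not list_all_forms:` guard at new lines 394-399 makes `list_all_forms` the sole condition that exempts a caller from the `backoffice_submission_roles` check, yet the place where that flag is computed lies outside the hunk, so a reader cannot see here that it is tied to an admin user as the accompanying test expects; a comment on the guard would anchor the intent: `# list_all_forms (admin callers) skips the per-role filter but never exposes forms without backoffice submission roles`. Separately, `user.roles or []` still dereferences `user` when `list_all_forms` is false; the branch at new line 400 shows `user is None` is a reachable state in this function, so if an unauthenticated backoffice-submission request can land in this branch the loop raises an AttributeError instead of filtering the form out — worth confirming, and a `user is not None and` guard on the loop would make the outcome explicit. The enclosing function starts before and ends after the hunk.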
402
-