0001-forms-allow-loggedin-user-to-use-an-anonymous-tracki.patch

Frédéric Péters, 19 décembre 2018 16:17

Voir les différences: en ligne côte à côte

Subject: [PATCH] forms: allow loggedin user to use an anonymous tracking code
 (#29218)

 tests/test_form_pages.py | 35 ++++++++++++++++++++++++++++++++++-
 wcs/forms/root.py        | 10 +++++-----
 2 files changed, 39 insertions(+), 6 deletions(-)

         resp = resp.follow()
         assert resp.location.startswith('http://example.net/test/?mt=')
         resp = resp.follow()
         # check anonymous user can't get to it from the URL
         pub.session_manager.session_class.wipe()
         resp = get_app(pub).get('http://example.net/test/%s' % formdata_id)
         assert resp.location.startswith('http://example.net/login')
         # or logged users that didn't enter the code:
         user = create_user(pub)
         login(get_app(pub), username='foo', password='foo').get(
                 'http://example.net/test/%s' % formdata_id, status=403)
         # check we can also get to it as a logged user
         pub.session_manager.session_class.wipe()
         resp = login(get_app(pub), username='foo', password='foo').get('/')
         resp.forms[0]['code'] = tracking_code.lower()
         resp = resp.forms[0].submit()
         assert resp.location == 'http://example.net/code/%s/load' % tracking_code.lower()
         resp = resp.follow()
         assert resp.location == 'http://example.net/test/%s' % formdata_id
         resp = resp.follow()
         # go back as anonymous
         pub.session_manager.session_class.wipe()
         resp = get_app(pub).get('/')
         resp.forms[0]['code'] = tracking_code
         resp = resp.forms[0].submit()
         assert resp.location == 'http://example.net/code/%s/load' % tracking_code
         resp = resp.follow()
         assert resp.location == 'http://example.net/test/%s' % formdata_id
         resp = resp.follow()
         assert resp.location.startswith('http://example.net/test/?mt=')
         resp = resp.follow()
         resp = resp.forms[1].submit('previous')
         assert resp.forms[1]['f0'].value == 'foobar'
-...
         assert formdef.data_class().get(formdata_id).evolution[-1].comment == 'hello world'
         # check we can also use it with lowercase letters.
         # check we can still go back to it
         app = get_app(pub)
         resp = app.get('/')
         resp.forms[0]['code'] = tracking_code.lower()
-...
         assert resp.location == 'http://example.net/code/%s/load' % tracking_code.lower()
         resp = resp.follow()
         assert resp.location == 'http://example.net/test/%s' % formdata_id
         resp = resp.follow()
     def test_form_tracking_code_as_user(pub):
         user = create_user(pub)

             session = get_session()
             if not (get_request().is_in_backoffice() and filled.backoffice_submission):
                 if session.user:
                     if str(session.user) != str(filled.user_id):
                         raise errors.AccessForbiddenError()
                 if session.is_anonymous_submitter(filled):
                     pass
                 elif session.user and str(session.user) != str(filled.user_id):
                     raise errors.AccessUnauthorizedError()
                 else:
                     if not session.is_anonymous_submitter(filled):
                         raise errors.AccessUnauthorizedError()
                     raise errors.AccessUnauthorizedError()
             if get_request().get_query() == 'remove-draft':
                 filled.remove_self()
+    -

Projet

Général

Profil

Produits Entr'ouvert » w.c.s.

0001-forms-allow-loggedin-user-to-use-an-anonymous-tracki.patch