0001-api-check-status-visibility-against-authenticated-AP.patch

Benjamin Dauvergne, 04 mars 2019 09:48

Voir les différences: en ligne côte à côte

Subject: [PATCH] api: check status visibility against authenticated API user
 (#29588)

* thread user through get_json_export_dict() and get_visible_status()
* modify test_api_list_formdata to get forms with the just_submitted
  status.

 tests/test_api.py            |  7 +++++--
 wcs/api.py                   |  2 +-
 wcs/backoffice/management.py |  2 +-
 wcs/formdata.py              | 12 ++++++------
 4 files changed, 13 insertions(+), 10 deletions(-)

             formdata.just_created()
             if i%3 == 0:
                 formdata.jump_status('new')
             elif i%3 == 1:
                 formdata.jump_status('just_submitted')
             else:
                 formdata.jump_status('finished')
             if i%7 == 0:
-...
         assert 'time' in resp.json[0]['evolution'][0]
         assert resp.json[0]['evolution'][0]['who']['id'] == local_user.id
         assert all('status' in x['workflow'] for x in resp.json)
         assert [x for x in resp.json if x['fields']['foobar'] == 'FOO BAR 0'][0]['submission']['backoffice'] is True
         assert [x for x in resp.json if x['fields']['foobar'] == 'FOO BAR 0'][0]['submission']['channel'] == 'mail'
         assert [x for x in resp.json if x['fields']['foobar'] == 'FOO BAR 1'][0]['submission']['backoffice'] is False
-...
         # check filter on status
         resp = get_app(pub).get(sign_uri('/api/forms/test/list?filter=pending', user=local_user))
         assert len(resp.json) == 10
         resp = get_app(pub).get(sign_uri('/api/forms/test/list?filter=done', user=local_user))
         assert len(resp.json) == 20
         resp = get_app(pub).get(sign_uri('/api/forms/test/list?filter=done', user=local_user))
         assert len(resp.json) == 10
         resp = get_app(pub).get(sign_uri('/api/forms/test/list?filter=all', user=local_user))
         assert len(resp.json) == 30

         d.update(formdata.get_static_substitution_variables(minimal=True))
         if get_request().form.get('full') == 'on':
             d.update(formdata.get_json_export_dict(include_files=False))
             d.update(formdata.get_json_export_dict(include_files=False, user=user))
         return d

             if get_publisher().is_using_postgresql():
                 self.formdef.data_class().load_all_evolutions(items)
             if get_request().form.get('full') == 'on':
                 output = [filled.get_json_export_dict(include_files=False, anonymise=anonymise)
                 output = [filled.get_json_export_dict(include_files=False, anonymise=anonymise, user=user)
                           for filled in items]
             else:
                 output = [{'id': filled.id,

             status = self.get_status()
             return status.name if status else _('Unknown')
         def is_hidden(self):
         def is_hidden(self, user=None):
             status = self.get_status()
             if status:
                 return not status.is_visible(self.formdata, get_request().user)
                 return not status.is_visible(self.formdata, user or get_request().user)
             return True
-...
                 return wf_status
             return None
         def get_visible_evolution_parts(self):
         def get_visible_evolution_parts(self, user=None):
             last_seen_status = None
             last_seen_author = None
             for evolution_part in self.evolution or []:
                 if evolution_part.is_hidden():
                 if evolution_part.is_hidden(user=user):
                     continue
                 if (evolution_part.status is None or last_seen_status == evolution_part.status) and (
                         evolution_part.who is None or last_seen_author == evolution_part.who):
-...
                     'name': self.formdef.name,
                     'id': self.get_display_id()}
         def get_json_export_dict(self, include_files=True, anonymise=False):
         def get_json_export_dict(self, include_files=True, anonymise=False, user=None):
             data = {}
             data['id'] = str(self.id)
             data['display_id'] = self.get_display_id()
-...
                     include_files=include_files, anonymise=anonymise)
             data['workflow'] = {}
             wf_status = self.get_visible_status()
             wf_status = self.get_visible_status(user)
             if wf_status:
                 data['workflow']['status'] = {'id': wf_status.id, 'name': wf_status.name}
             # Workflow data have unknown purpose, do not store them in anonymised export
+    -

Projet

Général

Profil

Produits Entr'ouvert » w.c.s.

0001-api-check-status-visibility-against-authenticated-AP.patch