0001-api-do-not-advertise-all-forms-for-backoffice-submis.patch
| tests/test_api.py | ||
|---|---|---|
| 464 | 464 |
assert resp.json['err'] == 0 |
| 465 | 465 |
assert len(resp.json['data']) == 0 |
| 466 | 466 | |
| 467 |
# ... unless user is admin
|
|
| 467 |
# even if user is admin
|
|
| 468 | 468 |
local_user.is_admin = True |
| 469 | 469 |
local_user.store() |
| 470 | 470 |
resp = get_app(pub).get(sign_uri('/api/formdefs/?backoffice-submission=on&NameID=%s' %
|
| 471 | 471 |
local_user.name_identifiers[0])) |
| 472 | 472 |
assert resp.json['err'] == 0 |
| 473 |
assert len(resp.json['data']) == 1
|
|
| 473 |
assert len(resp.json['data']) == 0
|
|
| 474 | 474 |
local_user.is_admin = False |
| 475 | 475 |
local_user.store() |
| 476 | 476 | |
| wcs/api.py | ||
|---|---|---|
| 464 | 464 |
elif backoffice_submission: |
| 465 | 465 |
if not formdef.backoffice_submission_roles: |
| 466 | 466 |
continue |
| 467 |
if not list_all_forms: |
|
| 468 |
for role in user.get_roles(): |
|
| 469 |
if role in formdef.backoffice_submission_roles: |
|
| 470 |
break |
|
| 471 |
else: |
|
| 472 |
continue |
|
| 467 |
for role in user.get_roles(): |
|
| 468 |
if role in formdef.backoffice_submission_roles: |
|
| 469 |
break |
|
| 470 |
else: |
|
| 471 |
continue |
|
| 473 | 472 |
elif formdef.roles and user is None and list_all_forms: |
| 474 | 473 |
# anonymous API call, mark authentication as required |
| 475 | 474 |
authentication_required = True |
| ... | ... | |
| 529 | 528 |
user = False |
| 530 | 529 |
list_all_forms = (user and user.is_admin) or (is_url_signed() and user is None) |
| 531 | 530 |
backoffice_submission = get_request().form.get('backoffice-submission') == 'on'
|
| 531 |
if backoffice_submission: |
|
| 532 |
list_all_forms = True |
|
| 532 | 533 | |
| 533 | 534 |
list_forms = self.get_list_forms(user, list_all_forms, |
| 534 | 535 |
backoffice_submission=backoffice_submission) |
| 535 |
- |
|