0001-api-do-not-advertise-all-forms-for-backoffice-submis.patch
tests/test_api.py | ||
---|---|---|
464 | 464 |
assert resp.json['err'] == 0 |
465 | 465 |
assert len(resp.json['data']) == 0 |
466 | 466 | |
467 |
# ... unless user is admin
|
|
467 |
# even if user is admin
|
|
468 | 468 |
local_user.is_admin = True |
469 | 469 |
local_user.store() |
470 | 470 |
resp = get_app(pub).get(sign_uri('/api/formdefs/?backoffice-submission=on&NameID=%s' % |
471 | 471 |
local_user.name_identifiers[0])) |
472 | 472 |
assert resp.json['err'] == 0 |
473 |
assert len(resp.json['data']) == 1
|
|
473 |
assert len(resp.json['data']) == 0
|
|
474 | 474 |
local_user.is_admin = False |
475 | 475 |
local_user.store() |
476 | 476 |
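Review bot: The `# even if user is admin` block pins only the deny case, where an admin holding no submission role gets an empty list. Nothing in the visible lines checks that a user whose role is listed in `backoffice_submission_roles` still gets the form back, which is the path the now-unconditional role loop in wcs/api.py must keep working. If that case is not already covered before line 464 (outside this view), add it next to this block: grant `local_user` a role from `backoffice_submission_roles` and assert `len(resp.json['data']) == 1`. A second case for a signed request with `backoffice-submission=on` and no `NameID` would pin how the endpoint answers when there is no user to filter on.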
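--- a/wcs/api.py
+++ b/wcs/api.py
@@ -464,12 +464,11 @@
 elif backoffice_submission:
 if not formdef.backoffice_submission_roles:
 continue
-if not list_all_forms:
-for role in user.get_roles():
-if role in formdef.backoffice_submission_roles:
-break
-else:
-continue
+for role in user.get_roles():
+if role in formdef.backoffice_submission_roles:
+break
+else:
+continue
 elif formdef.roles and user is None and list_all_forms:
 # anonymous API call, mark authentication as required
 authentication_required = True
@@ -529,6 +528,8 @@
 user = False
 list_all_forms = (user and user.is_admin) or (is_url_signed() and user is None)
 backoffice_submission = get_request().form.get('backoffice-submission') == 'on'
+if backoffice_submission:
+list_all_forms = True
 
 list_forms = self.get_list_forms(user, list_all_forms,
 backoffice_submission=backoffice_submission)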
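Review bot: With the `if not list_all_forms:` guard gone, `user.get_roles()` in the `elif backoffice_submission:` branch runs for every caller, including the signed request with no user that the `is_url_signed() and user is None` term in the second hunk describes. On `None`, or on the `user = False` fallback visible just above that line, the call raises AttributeError instead of returning a clean empty list. Unless something earlier in the loop already rejects a missing user (that part is outside the hunk), put `if not user:` followed by `continue` ahead of the `for role in user.get_roles():` loop, so the filter fails closed without a 500. The forced `list_all_forms = True` also deserves a one-line comment such as `# backoffice submission is filtered per formdef by role, not by list_all_forms`, because the flag's name now reads as the opposite of what the commit intends.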
535 |
- |