0001-forms-force-authentication-on-user-drafts-37095.patch
| tests/test_form_pages.py | ||
|---|---|---|
| 1559 | 1559 |
resp = resp.forms[0].submit() |
| 1560 | 1560 |
assert formdef.data_class().get(formdata_id).evolution[-1].comment == 'hello world' |
| 1561 | 1561 | |
| 1562 |
# and check we can also get back to it as anonymous
|
|
| 1562 |
# check we can't get back to it as anonymous
|
|
| 1563 | 1563 |
app = get_app(pub) |
| 1564 | 1564 |
resp = app.get('/')
|
| 1565 | 1565 |
resp.forms[0]['code'] = tracking_code |
| 1566 | 1566 |
resp = resp.forms[0].submit() |
| 1567 | 1567 |
assert resp.location == 'http://example.net/code/%s/load' % tracking_code |
| 1568 | 1568 |
resp = resp.follow() |
| 1569 |
assert resp.location == 'http://example.net/test/%s' % formdata_id |
|
| 1570 |
resp = resp.follow() |
|
| 1571 |
resp = resp.follow() |
|
| 1572 |
assert 'form_comment' in resp.text # makes sure user is treated as submitter |
|
| 1569 |
assert resp.location == 'http://example.net/login/?ReturnUrl=http://example.net/test/%s' % formdata_id |
|
| 1573 | 1570 | |
| 1574 | 1571 |
# and check a bot is not allowed to get it |
| 1575 | 1572 |
app = get_app(pub) |
| wcs/forms/root.py | ||
|---|---|---|
| 174 | 174 |
raise errors.TraversalError() |
| 175 | 175 |
if BotFilter.is_bot(): |
| 176 | 176 |
raise errors.AccessForbiddenError() |
| 177 | ||
| 178 |
formdata_url = formdata.get_url().rstrip('/')
|
|
| 179 |
if formdata.user_id and not get_request().user: |
|
| 180 |
# anonymous user asked to load a tracking code associated with an user, |
|
| 181 |
# don't load, ask for authentication instead |
|
| 182 |
return redirect('/login/?ReturnUrl=%s' % formdata_url)
|
|
| 177 | 183 |
get_session().mark_anonymous_formdata(formdata) |
| 178 |
return redirect(formdata.get_url().rstrip('/'))
|
|
| 184 |
return redirect(formdata_url)
|
|
| 179 | 185 | |
| 180 | 186 | |
| 181 | 187 |
class TrackingCodesDirectory(Directory): |
| 182 |
- |
|