0001-forms-forbidden-direct-anonymous-acces-to-anonymous-.patch
tests/test_form_pages.py | ||
1283 | 1283 |
formdata_user.user_id = user.id |
1284 | 1284 |
formdata_user.store() |
1285 | 1285 | |
1286 |
resp = get_app(pub).get('/test/%s/' % formdata.id) |
|
1287 |
assert resp.location.startswith('http://example.net/login/?next=')
|
|
1286 |
resp = get_app(pub).get('/test/%s/' % formdata.id, status=403)
|
|
1287 |
assert 'Access Forbidden' in resp.text
|
|
1288 | 1288 | |
1289 | 1289 |
resp = get_app(pub).get('/test/%s/' % formdata_user.id) |
1290 | 1290 |
assert resp.location.startswith('http://example.net/login/?next=') |
... | ... | |
1408 | 1408 | |
1409 | 1409 |
# check anonymous user can't get to it from the URL |
1410 | 1410 |
pub.session_manager.session_class.wipe() |
1411 |
resp = get_app(pub).get('http://example.net/test/%s' % formdata_id) |
|
1412 |
assert resp.location.startswith('http://example.net/login')
|
|
1411 |
resp = get_app(pub).get('http://example.net/test/%s' % formdata_id, status=403)
|
|
1412 |
assert 'Access Forbidden' in resp.text
|
|
1413 | 1413 | |
1414 | 1414 |
# or logged users that didn't enter the code: |
1415 | 1415 |
user = create_user(pub) |
... | ... | |
1984 | 1984 |
formdata.status = 'draft' |
1985 | 1985 |
formdata.store() |
1986 | 1986 | |
1987 |
resp = get_app(pub).get('/test/%s' % formdata.id, status=302)
|
|
1988 |
assert resp.location.startswith('http://example.net/login')
|
|
1987 |
resp = get_app(pub).get('/test/%s' % formdata.id, status=403)
|
|
1988 |
assert 'Access Forbidden' in resp.text
|
|
1989 | 1989 | |
1990 | 1990 |
formdata.user_id = user.id |
1991 | 1991 |
formdata.store() |
wcs/forms/common.py | ||
322 | 322 |
session = get_session() |
323 | 323 |
if not session or not session.user: |
324 | 324 |
if not self.filled.formdef.is_user_allowed_read(None, self.filled): |
325 |
raise errors.AccessUnauthorizedError() |
|
325 |
if self.filled.user_id: |
|
326 |
raise errors.AccessUnauthorizedError() |
|
327 |
else: |
|
328 |
raise errors.AccessForbiddenError() |
|
326 | 329 |
user = get_request().user |
327 | 330 |
if self.filled.formdef is None: |
328 | 331 |
raise errors.AccessForbiddenError() |
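Review bot: The new branch at 325-328 makes the answer to an unauthenticated request depend on whether the record has an owner (login redirect when `self.filled.user_id` is set, 403 otherwise), so the status code alone now tells owned submissions apart from anonymous ones; that is likely an accepted trade-off here, but the reason deserves a comment, e.g. `# an anonymous submission cannot be unlocked by logging in, so refuse outright instead of redirecting to the login page`. The `else:` on 327 is redundant after the `raise` on 326 and can be dropped so `raise errors.AccessForbiddenError()` sits at the same level as the `if` (the root.py hunk at 1306-1307 has the same shape). Separately, `self.filled.formdef.is_user_allowed_read(...)` on 324 dereferences `formdef` before the `is None` guard on 330-331; that predates this commit, but the guard only protects anything if it moves above 322. The enclosing method starts before this hunk.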
wcs/forms/root.py | ||
1301 | 1301 |
elif session.user: |
1302 | 1302 |
if str(session.user) != str(filled.user_id): |
1303 | 1303 |
raise errors.AccessUnauthorizedError() |
1304 |
else:
|
|
1304 |
elif filled.user_id:
|
|
1305 | 1305 |
raise errors.AccessUnauthorizedError() |
1306 |
else: |
|
1307 |
raise errors.AccessForbiddenError() |
|
1306 | 1308 | |
1307 | 1309 |
if get_request().get_query() == 'remove-draft': |
1308 | 1310 |
filled.remove_self() |
1309 |
- |
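Review bot: The logged-in branch kept at 1301-1303 still raises `errors.AccessUnauthorizedError()` when `filled.user_id` is empty, because `str(session.user) != str(filled.user_id)` is always true for an unowned draft, so an authenticated user requesting an anonymous draft gets the login redirect that the new `elif`/`else` on 1304-1307 removes for anonymous requests; if AccessUnauthorizedError still means "go and log in" for an authenticated session, the commit's reasoning applies to that path as well. A guard before the owner comparison would make both paths consistent: `if not filled.user_id:` / `    raise errors.AccessForbiddenError()` inside the `elif session.user:` block. The `if`/`elif` chain this hunk belongs to starts before 1301, outside the hunk.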