0001-forms-forbidden-direct-anonymous-acces-to-anonymous-.patch

Nicolas Roche, 23 novembre 2019 09:28

Voir les différences: en ligne côte à côte

Subject: [PATCH] forms: forbidden direct anonymous acces to anonymous formdata
 on frontoffice (#37808)

 tests/test_form_pages.py | 12 ++++++------
 wcs/forms/common.py      |  5 ++++-
 wcs/forms/root.py        |  4 +++-
 3 files changed, 13 insertions(+), 8 deletions(-)

         formdata_user.user_id = user.id
         formdata_user.store()
         resp = get_app(pub).get('/test/%s/' % formdata.id)
         assert resp.location.startswith('http://example.net/login/?next=')
         resp = get_app(pub).get('/test/%s/' % formdata.id, status=403)
         assert 'Access Forbidden' in resp.text
         resp = get_app(pub).get('/test/%s/' % formdata_user.id)
         assert resp.location.startswith('http://example.net/login/?next=')
-...
         # check anonymous user can't get to it from the URL
         pub.session_manager.session_class.wipe()
         resp = get_app(pub).get('http://example.net/test/%s' % formdata_id)
         assert resp.location.startswith('http://example.net/login')
         resp = get_app(pub).get('http://example.net/test/%s' % formdata_id, status=403)
         assert 'Access Forbidden' in resp.text
         # or logged users that didn't enter the code:
         user = create_user(pub)
-...
         formdata.status = 'draft'
         formdata.store()
         resp = get_app(pub).get('/test/%s' % formdata.id, status=302)
         assert resp.location.startswith('http://example.net/login')
         resp = get_app(pub).get('/test/%s' % formdata.id, status=403)
         assert 'Access Forbidden' in resp.text
         formdata.user_id = user.id
         formdata.store()

             session = get_session()
             if not session or not session.user:
                 if not self.filled.formdef.is_user_allowed_read(None, self.filled):
                     raise errors.AccessUnauthorizedError()
                     if self.filled.user_id:
                         raise errors.AccessUnauthorizedError()
                     else:
                         raise errors.AccessForbiddenError()
             user = get_request().user
             if self.filled.formdef is None:
                 raise errors.AccessForbiddenError()

                 elif session.user:
                     if str(session.user) != str(filled.user_id):
                         raise errors.AccessUnauthorizedError()
                 else:
                 elif filled.user_id:
                     raise errors.AccessUnauthorizedError()
                 else:
                     raise errors.AccessForbiddenError()
             if get_request().get_query() == 'remove-draft':
                 filled.remove_self()
+    -

Projet

Général

Profil

Produits Entr'ouvert » w.c.s.

0001-forms-forbidden-direct-anonymous-acces-to-anonymous-.patch