0001-forms-forbidden-direct-anonymous-acces-to-anonymous-.patch
tests/test_form_pages.py | ||
---|---|---|
1283 | 1283 |
formdata_user.user_id = user.id |
1284 | 1284 |
formdata_user.store() |
1285 | 1285 | |
1286 |
resp = get_app(pub).get('/test/%s/' % formdata.id) |
|
1287 |
assert resp.location.startswith('http://example.net/login/?next=')
|
|
1286 |
resp = get_app(pub).get('/test/%s/' % formdata.id, status=403)
|
|
1287 |
assert 'Access Forbidden' in resp.text
|
|
1288 | 1288 | |
1289 | 1289 |
resp = get_app(pub).get('/test/%s/' % formdata_user.id) |
1290 | 1290 |
assert resp.location.startswith('http://example.net/login/?next=') |
... | ... | |
1408 | 1408 | |
1409 | 1409 |
# check anonymous user can't get to it from the URL |
1410 | 1410 |
pub.session_manager.session_class.wipe() |
1411 |
resp = get_app(pub).get('http://example.net/test/%s' % formdata_id) |
|
1412 |
assert resp.location.startswith('http://example.net/login')
|
|
1411 |
resp = get_app(pub).get('http://example.net/test/%s' % formdata_id, status=403)
|
|
1412 |
assert 'Access Forbidden' in resp.text
|
|
1413 | 1413 | |
1414 | 1414 |
# or logged users that didn't enter the code: |
1415 | 1415 |
user = create_user(pub) |
... | ... | |
1984 | 1984 |
formdata.status = 'draft' |
1985 | 1985 |
formdata.store() |
1986 | 1986 | |
1987 |
resp = get_app(pub).get('/test/%s' % formdata.id, status=302)
|
|
1988 |
assert resp.location.startswith('http://example.net/login')
|
|
1987 |
resp = get_app(pub).get('/test/%s' % formdata.id, status=403)
|
|
1988 |
assert 'Access Forbidden' in resp.text
|
|
1989 | 1989 | |
1990 | 1990 |
formdata.user_id = user.id |
1991 | 1991 |
formdata.store() |
tests/test_tracking_code.py | ||
---|---|---|
150 | 150 | |
151 | 151 |
| sumitter / accesser | anonymous | user1 | user2 | agent1 | agent2 | admin1 | |
152 | 152 |
+---------------------+-----------+-------+-------+--------+--------+--------+ |
153 |
| anonymous | login | deny | deny | deny | (*) | (*) |
|
|
154 |
| agent1 (submiter)) | login | deny | deny | deny | (*) | (*) |
|
|
153 |
| anonymous | deny | deny | deny | deny | (*) | (*) |
|
|
154 |
| agent1 (submiter)) | deny | deny | deny | deny | (*) | (*) |
|
|
155 | 155 |
| user1 | login | allow | deny | deny | (*) | (*) | |
156 | 156 | |
157 | 157 |
(*) Agent2 is the receiver. |
... | ... | |
313 | 313 |
# direct access to formdata |
314 | 314 |
is_draft = False # demands |
315 | 315 |
with submission(anonymous, is_frontoffice=True) as (tracking_code, formdata_id): |
316 |
expected = ('login', 'forbidden', 'forbidden', 'forbidden', 'backoffice', 'backoffice')
|
|
316 |
expected = ('forbidden', 'forbidden', 'forbidden', 'forbidden', 'backoffice', 'backoffice')
|
|
317 | 317 |
for i in range(len(users)): |
318 | 318 |
check_direct_access(users[i], expected[i]) |
319 | 319 |
with submission(agent1, is_frontoffice=False) as (tracking_code, formdata_id): |
320 |
expected = ('login', 'forbidden', 'forbidden', 'forbidden', 'backoffice', 'backoffice')
|
|
320 |
expected = ('forbidden', 'forbidden', 'forbidden', 'forbidden', 'backoffice', 'backoffice')
|
|
321 | 321 |
for i in range(len(users)): |
322 | 322 |
check_direct_access(users[i], expected[i]) |
323 | 323 |
with submission(user1, is_frontoffice=True) as (tracking_code, formdata_id): |
... | ... | |
327 | 327 | |
328 | 328 |
is_draft = True # drafts |
329 | 329 |
with submission(anonymous, is_frontoffice=True) as (tracking_code, formdata_id): |
330 |
expected = ('login', 'forbidden', 'forbidden', 'forbidden', 'forbidden', 'forbidden')
|
|
330 |
expected = ('forbidden', 'forbidden', 'forbidden', 'forbidden', 'forbidden', 'forbidden')
|
|
331 | 331 |
for i in range(len(users)): |
332 | 332 |
check_direct_access(users[i], expected[i]) |
333 | 333 |
with submission(agent1, is_frontoffice=False) as (tracking_code, formdata_id): |
334 |
expected = ('login', 'forbidden', 'forbidden', 'forbidden', 'forbidden', 'forbidden')
|
|
334 |
expected = ('forbidden', 'forbidden', 'forbidden', 'forbidden', 'forbidden', 'forbidden')
|
|
335 | 335 |
for i in range(len(users)): |
336 | 336 |
check_direct_access(users[i], expected[i]) |
337 | 337 |
with submission(user1, is_frontoffice=True) as (tracking_code, formdata_id): |
wcs/forms/common.py | ||
---|---|---|
322 | 322 |
session = get_session() |
323 | 323 |
if not session or not session.user: |
324 | 324 |
if not self.filled.formdef.is_user_allowed_read(None, self.filled): |
325 |
raise errors.AccessUnauthorizedError() |
|
325 |
if self.filled.user_id: |
|
326 |
raise errors.AccessUnauthorizedError() |
|
327 |
else: |
|
328 |
raise errors.AccessForbiddenError() |
|
326 | 329 |
user = get_request().user |
327 | 330 |
if self.filled.formdef is None: |
328 | 331 |
raise errors.AccessForbiddenError() |
wcs/forms/root.py | ||
---|---|---|
1301 | 1301 |
elif session.user: |
1302 | 1302 |
if str(session.user) != str(filled.user_id): |
1303 | 1303 |
raise errors.AccessUnauthorizedError() |
1304 |
else:
|
|
1304 |
elif filled.user_id:
|
|
1305 | 1305 |
raise errors.AccessUnauthorizedError() |
1306 |
else: |
|
1307 |
raise errors.AccessForbiddenError() |
|
1306 | 1308 | |
1307 | 1309 |
if get_request().get_query() == 'remove-draft': |
1308 | 1310 |
filled.remove_self() |
1309 |
- |