0001-forms-forbidden-direct-anonymous-acces-to-anonymous-.patch

Nicolas Roche, 29 novembre 2019 16:23

Voir les différences: en ligne côte à côte

Subject: [PATCH] forms: forbidden direct anonymous acces to anonymous formdata
 on frontoffice (#37808)

 tests/test_form_pages.py    | 12 ++++++------
 tests/test_tracking_code.py | 12 ++++++------
 wcs/forms/common.py         |  5 ++++-
 wcs/forms/root.py           |  4 +++-
 4 files changed, 19 insertions(+), 14 deletions(-)

         formdata_user.user_id = user.id
         formdata_user.store()
         resp = get_app(pub).get('/test/%s/' % formdata.id)
         assert resp.location.startswith('http://example.net/login/?next=')
         resp = get_app(pub).get('/test/%s/' % formdata.id, status=403)
         assert 'Access Forbidden' in resp.text
         resp = get_app(pub).get('/test/%s/' % formdata_user.id)
         assert resp.location.startswith('http://example.net/login/?next=')
-...
         # check anonymous user can't get to it from the URL
         pub.session_manager.session_class.wipe()
         resp = get_app(pub).get('http://example.net/test/%s' % formdata_id)
         assert resp.location.startswith('http://example.net/login')
         resp = get_app(pub).get('http://example.net/test/%s' % formdata_id, status=403)
         assert 'Access Forbidden' in resp.text
         # or logged users that didn't enter the code:
         user = create_user(pub)
-...
         formdata.status = 'draft'
         formdata.store()
         resp = get_app(pub).get('/test/%s' % formdata.id, status=302)
         assert resp.location.startswith('http://example.net/login')
         resp = get_app(pub).get('/test/%s' % formdata.id, status=403)
         assert 'Access Forbidden' in resp.text
         formdata.user_id = user.id
         formdata.store()

         | sumitter / accesser | anonymous | user1 | user2 | agent1 | agent2 | admin1 |
         +---------------------+-----------+-------+-------+--------+--------+--------+
         | anonymous           |  login    | deny  | deny  | deny   | (*)    | (*)    |
         | agent1 (submiter))  |  login    | deny  | deny  | deny   | (*)    | (*)    |
         | anonymous           |  deny     | deny  | deny  | deny   | (*)    | (*)    |
         | agent1 (submiter))  |  deny     | deny  | deny  | deny   | (*)    | (*)    |
         | user1               |  login    | allow | deny  | deny   | (*)    | (*)    |
         (*) Agent2 is the receiver.
-...
         # direct access to formdata
         is_draft = False  # demands
         with submission(anonymous, is_frontoffice=True) as (tracking_code, formdata_id):
             expected = ('login', 'forbidden', 'forbidden', 'forbidden', 'backoffice', 'backoffice')
             expected = ('forbidden', 'forbidden', 'forbidden', 'forbidden', 'backoffice', 'backoffice')
             for i in range(len(users)):
                 check_direct_access(users[i], expected[i])
         with submission(agent1, is_frontoffice=False) as (tracking_code, formdata_id):
             expected = ('login', 'forbidden', 'forbidden', 'forbidden', 'backoffice', 'backoffice')
             expected = ('forbidden', 'forbidden', 'forbidden', 'forbidden', 'backoffice', 'backoffice')
             for i in range(len(users)):
                 check_direct_access(users[i], expected[i])
         with submission(user1, is_frontoffice=True) as (tracking_code, formdata_id):
-...
         is_draft = True  # drafts
         with submission(anonymous, is_frontoffice=True) as (tracking_code, formdata_id):
             expected = ('login', 'forbidden', 'forbidden', 'forbidden', 'forbidden', 'forbidden')
             expected = ('forbidden', 'forbidden', 'forbidden', 'forbidden', 'forbidden', 'forbidden')
             for i in range(len(users)):
                 check_direct_access(users[i], expected[i])
         with submission(agent1, is_frontoffice=False) as (tracking_code, formdata_id):
             expected = ('login', 'forbidden', 'forbidden', 'forbidden', 'forbidden', 'forbidden')
             expected = ('forbidden', 'forbidden', 'forbidden', 'forbidden', 'forbidden', 'forbidden')
             for i in range(len(users)):
                 check_direct_access(users[i], expected[i])
         with submission(user1, is_frontoffice=True) as (tracking_code, formdata_id):

             session = get_session()
             if not session or not session.user:
                 if not self.filled.formdef.is_user_allowed_read(None, self.filled):
                     raise errors.AccessUnauthorizedError()
                     if self.filled.user_id:
                         raise errors.AccessUnauthorizedError()
                     else:
                         raise errors.AccessForbiddenError()
             user = get_request().user
             if self.filled.formdef is None:
                 raise errors.AccessForbiddenError()

                 elif session.user:
                     if str(session.user) != str(filled.user_id):
                         raise errors.AccessUnauthorizedError()
                 else:
                 elif filled.user_id:
                     raise errors.AccessUnauthorizedError()
                 else:
                     raise errors.AccessForbiddenError()
             if get_request().get_query() == 'remove-draft':
                 filled.remove_self()
+    -

Projet

Général

Profil

Produits Entr'ouvert » w.c.s.

0001-forms-forbidden-direct-anonymous-acces-to-anonymous-.patch