0002-forms-enforce-authentication-on-user-drafts-38079.patch
tests/test_form_pages.py | ||
5994 | 5994 |
formdef.store() |
5995 | 5995 |
resp = app.get(formdata.get_url(), status=403) |
5996 | 5996 | |
5997 |
# agent access via a tracking code (stays in frontoffice)
|
|
5997 |
# agent access via a tracking code (redirected to lggin and next backoffice)
|
|
5998 | 5998 |
formdef.workflow_roles = {'_receiver': role.id} |
5999 | 5999 |
formdef.enable_tracking_codes = True |
6000 | 6000 |
formdef.store() |
... | ... | |
6004 | 6004 |
code.store() |
6005 | 6005 | |
6006 | 6006 |
resp = app.get('/code/%s/load' % code.id) |
6007 |
resp = resp.follow() # -> /login/?ReturnUrl=.../test/1 |
|
6008 |
assert '<title>wcs - Login</title>' in resp.text |
|
6009 |
resp.form['username'] = 'admin' |
|
6010 |
resp.form['password'] = 'admin' |
|
6011 |
resp = resp.form.submit() |
|
6012 |
assert resp.status_int == 302 |
|
6007 | 6013 |
resp = resp.follow() # -> /test/1 |
6008 | 6014 |
assert not 'backoffice' in resp.location |
6009 | 6015 |
resp = resp.follow() # -> /test/1/ |
6016 |
assert 'backoffice' in resp.location |
|
6017 |
resp = resp.follow() # -> /test/1/ |
|
6010 | 6018 |
assert 'The form has been recorded' in resp.text |
6011 | 6019 | |
6012 | 6020 |
# authorized access but not backoffice access |
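Review bot: The comment on the added line 6017, `resp = resp.follow() # -> /test/1/`, contradicts the assertion added on 6016 directly above it, which requires `'backoffice' in resp.location`, so the page being followed into is the backoffice view of the formdata rather than the frontoffice `/test/1/`; suggest `resp = resp.follow()  # -> backoffice view of /test/1/ (see assert above)` since the exact path is not visible here. The new section comment at 5997 misspells login as `lggin`: `# agent access via a tracking code (redirected to login and next backoffice)`. The two redirect assertions only test for the substring `backoffice` in the Location header; if the helpers expose the expected backoffice URL, asserting the full path would pin the redirect chain more tightly and catch an open-redirect regression in the ReturnUrl handling. The enclosing test function starts and ends outside this section.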
tests/test_tracking_code.py | ||
164 | 164 |
+---------------------+-----------+-------+-------+--------+--------+--------+ |
165 | 165 |
| anonymous | allow | allow | allow | allow | allow | allow | |
166 | 166 |
| agent1 (submiter)) | allow | allow | allow | allow | allow | allow | |
167 |
| user1 | login | allow | allow | allow | allow | allow | |
|
167 |
| user1 | login | allow | login | login | login* | login* | |
|
168 | ||
169 |
(*) only receiver and admin will access the formdata using their credential, |
|
170 |
but this is not covered by this test. |
|
168 | 171 | |
169 | 172 |
On restoring draft, the logged user become the new draft owner, |
170 | 173 |
this affect the computed and prefill fields. |
... | ... | |
351 | 354 |
check_direct_access(users[i], expected[i]) |
352 | 355 | |
353 | 356 |
# access to formdata using the tracking code |
354 |
expected = ('login', 'allow', 'allow', 'allow', 'allow', 'allow')
|
|
357 |
expected = ('login', 'allow', 'login', 'login', 'login', 'login')
|
|
355 | 358 |
is_draft = False # demands |
356 | 359 |
for i in range(len(users)): |
357 | 360 |
with submission(anonymous, is_frontoffice=True) as (tracking_code, formdata_id): |
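Review bot: The footnote added at lines 169–170 is hard to parse and the asterisk it explains is only attached to the last two `login*` cells of the user1 row, so a reader cannot tell which access paths it qualifies; suggest `(*) only the receiver and admins can access the formdata with their own credentials; that case is not covered by this test.` The new expected tuple at 357, `('login', 'allow', 'login', 'login', 'login', 'login')`, has the same six values as the user1 row of the table, but it is indexed by `users[i]` in the loop below, and nothing states how the tuple positions map onto the table's columns or rows; a one-line comment above the tuple naming that order would keep the table and the assertions in sync (I cannot confirm the mapping from the lines visible here). The enclosing test function continues outside this section.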
wcs/forms/root.py | ||
176 | 176 |
raise errors.AccessForbiddenError() |
177 | 177 | |
178 | 178 |
formdata_url = formdata.get_url().rstrip('/') |
179 |
if formdata.user_id and not get_request().user: |
|
180 |
# anonymous user asked to load a tracking code associated with an user, |
|
179 |
if formdata.user_id and (not get_request().user |
|
180 |
or str(get_request().user.id) != str(formdata.user_id)): |
|
181 |
# asked to load a tracking code associated with another user |
|
181 | 182 |
# don't load, ask for authentication instead |
182 | 183 |
return redirect('/login/?ReturnUrl=%s' % formdata_url) |
183 | 184 |
get_session().mark_anonymous_formdata(formdata) |
184 |
- |