0002-forms-enforce-authentication-on-user-drafts-38079.patch

Nicolas Roche, 29 novembre 2019 17:18

Voir les différences: en ligne côte à côte

Subject: [PATCH 2/2] forms: enforce authentication on user drafts (#38079)

 tests/test_form_pages.py    | 10 +++++++++-
 tests/test_tracking_code.py |  7 +++++--
 wcs/forms/root.py           |  5 +++--
 3 files changed, 17 insertions(+), 5 deletions(-)

         formdef.store()
         resp = app.get(formdata.get_url(), status=403)
         # agent access via a tracking code (stays in frontoffice)
         # agent access via a tracking code (redirected to lggin and next backoffice)
         formdef.workflow_roles = {'_receiver': role.id}
         formdef.enable_tracking_codes = True
         formdef.store()
-...
         code.store()
         resp = app.get('/code/%s/load' % code.id)
         resp = resp.follow() # -> /login/?ReturnUrl=.../test/1
         assert '<title>wcs - Login</title>' in resp.text
         resp.form['username'] = 'admin'
         resp.form['password'] = 'admin'
         resp = resp.form.submit()
         assert resp.status_int == 302
         resp = resp.follow() # -> /test/1
         assert not 'backoffice' in resp.location
         resp = resp.follow() # -> /test/1/
         assert 'backoffice' in resp.location
         resp = resp.follow() # -> /test/1/
         assert 'The form has been recorded' in resp.text
         # authorized access but not backoffice access

         +---------------------+-----------+-------+-------+--------+--------+--------+
         | anonymous           |  allow    | allow | allow | allow  | allow  | allow  |
         | agent1 (submiter))  |  allow    | allow | allow | allow  | allow  | allow  |
         | user1               |  login    | allow | allow | allow  | allow  | allow  |
         | user1               |  login    | allow | login | login  | login* | login* |
         (*) only receiver and admin will access the formdata using their credential,
         but this is not covered by this test.
         On restoring draft, the logged user become the new draft owner,
         this affect the computed and prefill fields.
-...
                 check_direct_access(users[i], expected[i])
         # access to formdata using the tracking code
         expected = ('login', 'allow', 'allow', 'allow', 'allow', 'allow')
         expected = ('login', 'allow', 'login', 'login', 'login', 'login')
         is_draft = False  # demands
         for i in range(len(users)):
             with submission(anonymous, is_frontoffice=True) as (tracking_code, formdata_id):

                 raise errors.AccessForbiddenError()
             formdata_url = formdata.get_url().rstrip('/')
             if formdata.user_id and not get_request().user:
                 # anonymous user asked to load a tracking code associated with an user,
             if formdata.user_id and (not get_request().user
                     or str(get_request().user.id) != str(formdata.user_id)):
                 # asked to load a tracking code associated with another user
                 # don't load, ask for authentication instead
                 return redirect('/login/?ReturnUrl=%s' % formdata_url)
             get_session().mark_anonymous_formdata(formdata)
+    -

Projet

Général

Profil

Produits Entr'ouvert » w.c.s.

0002-forms-enforce-authentication-on-user-drafts-38079.patch