0001-forms-force-authentication-if-anonymous-use-user-tra.patch

Nicolas Roche, 05 décembre 2019 18:08

Voir les différences: en ligne côte à côte

Subject: [PATCH] forms: force authentication if anonymous use user tracking
 code (#38239)

 tests/test_form_pages.py    |  7 ++-----
 tests/test_tracking_code.py | 29 +++++++++++++++++++++--------
 wcs/forms/root.py           |  8 +++++++-
 3 files changed, 30 insertions(+), 14 deletions(-)

         resp = resp.forms[0].submit()
         assert formdef.data_class().get(formdata_id).evolution[-1].comment == 'hello world'
         # and check we can also get back to it as anonymous
         # check we can't get back to it as anonymous
         app = get_app(pub)
         resp = app.get('/')
         resp.forms[0]['code'] = tracking_code
         resp = resp.forms[0].submit()
         assert resp.location == 'http://example.net/code/%s/load' % tracking_code
         resp = resp.follow()
         assert resp.location == 'http://example.net/test/%s' % formdata_id
         resp = resp.follow()
         resp = resp.follow()
         assert 'form_comment' in resp.text # makes sure user is treated as submitter
         assert resp.location == 'http://example.net/login/?ReturnUrl=http://example.net/test/%s' % formdata_id
         # and check a bot is not allowed to get it
         app = get_app(pub)

 - Access using tracking code :
         All access is granted,
         | sumitter / accesser | anonymous | user1 | user2 | agent1 | agent2 | admin1 |
         +---------------------+-----------+-------+-------+--------+--------+--------+
         | anonymous           |  allow    | allow | allow | allow  | allow  | allow  |
         | agent1 (submiter))  |  allow    | allow | allow | allow  | allow  | allow  |
         | user1               |  login    | allow | allow | allow  | allow  | allow  |
         On restoring draft, the logged user become the new draft owner,
         this affect the computed and prefill fields.
         """
-...
                 else:
                     assert expected in ('login', 'forbidden', 'frontoffice',  'backoffice')
         def check_tracking_code_access(user, owner=None, new_owner=None):
         def check_tracking_code_access(user, owner=None, new_owner=None,
                                        expected='allow'):
             """load the formdata using the tracking code"""
             pub.session_manager.session_class.wipe()
             app = get_app(pub)
-...
             resp = resp.forms[0].submit()
             assert resp.location == 'http://example.net/code/%s/load' % tracking_code
             resp = resp.follow()
             if expected == 'login':
                 assert resp.location == (
                     'http://example.net/login/?ReturnUrl='
                     + 'http://example.net/test/%s') % formdata_id
                 return
             assert resp.location == 'http://example.net/test/%s' % formdata_id
             resp = resp.follow()
             if is_draft:
-...
                 check_direct_access(users[i], expected[i])
         # access to formdata using the tracking code
         expected = ('login', 'allow', 'allow', 'allow', 'allow', 'allow')
         is_draft = False  # demands
         for user in users:
         for i in range(len(users)):
             with submission(anonymous, is_frontoffice=True) as (tracking_code, formdata_id):
                 check_tracking_code_access(user, owner=anonymous)
                 check_tracking_code_access(users[i], owner=anonymous)
             with submission(agent1, is_frontoffice=False) as (tracking_code, formdata_id):
                 check_tracking_code_access(user, owner=anonymous)
                 check_tracking_code_access(users[i], owner=anonymous)
             with submission(user1, is_frontoffice=True) as (tracking_code, formdata_id):
                 check_tracking_code_access(user, owner=user1)
                 check_tracking_code_access(users[i], owner=user1, expected=expected[i])
         is_draft = True  # drafts
         for user in users:
         for i in range(len(users)):
             user = users[i]
             with submission(anonymous, is_frontoffice=True) as (tracking_code, formdata_id):
                 check_tracking_code_access(user, owner=anonymous, new_owner=user)
             with submission(agent1, is_frontoffice=False) as (tracking_code, formdata_id):
                 check_tracking_code_access(user, owner=anonymous, new_owner=user)
             with submission(user1, is_frontoffice=True) as (tracking_code, formdata_id):
                 check_tracking_code_access(user, owner=user1, new_owner=user)
                 check_tracking_code_access(user, owner=user1, new_owner=user, expected=expected[i])

                 raise errors.TraversalError()
             if BotFilter.is_bot():
                 raise errors.AccessForbiddenError()
             formdata_url = formdata.get_url().rstrip('/')
             if formdata.user_id and not get_request().user:
                 # anonymous user asked to load a tracking code associated with an user,
                 # don't load, ask for authentication instead
                 return redirect('/login/?ReturnUrl=%s' % formdata_url)
             get_session().mark_anonymous_formdata(formdata)
             return redirect(formdata.get_url().rstrip('/'))
             return redirect(formdata_url)
     class TrackingCodesDirectory(Directory):
+    -

Projet

Général

Profil

Produits Entr'ouvert » w.c.s.

0001-forms-force-authentication-if-anonymous-use-user-tra.patch