0001-forms-force-authentication-if-anonymous-use-user-tra.patch

Nicolas Roche, 07 janvier 2020 19:06

Voir les différences: en ligne côte à côte

Subject: [PATCH] forms: force authentication if anonymous use user tracking
 code (#38239)

 tests/test_form_pages.py    |  7 ++-----
 tests/test_tracking_code.py | 30 ++++++++++++++++++++++++------
 wcs/forms/root.py           |  8 +++++++-
 3 files changed, 33 insertions(+), 12 deletions(-)

         resp = resp.forms[0].submit()
         assert formdef.data_class().get(formdata_id).evolution[-1].comment == 'hello world'
         # and check we can also get back to it as anonymous
         # check we can't get back to it as anonymous
         app = get_app(pub)
         resp = app.get('/')
         resp.forms[0]['code'] = tracking_code
         resp = resp.forms[0].submit()
         assert resp.location == 'http://example.net/code/%s/load' % tracking_code
         resp = resp.follow()
         assert resp.location == 'http://example.net/test/%s' % formdata_id
         resp = resp.follow()
         resp = resp.follow()
         assert 'form_comment' in resp.text # makes sure user is treated as submitter
         assert resp.location == 'http://example.net/login/?ReturnUrl=http://example.net/test/%s' % formdata_id
         # and check a bot is not allowed to get it
         app = get_app(pub)

         | agent1 (submiter)   |  login    | deny  | deny  | deny   | back   | back   |
         | user1               |  login    | allow | deny  | deny   | back   | back   |
 - New user on prefill fields when accessing using tracking code :
 - Access using tracking code :
         | sumitter / accesser | anonymous | user1 | user2 | agent1 | agent2 | admin1 |
         +---------------------+-----------+-------+-------+--------+--------+--------+
         | anonymous           |  allow    | allow | allow | allow  | allow  | allow  |
         | agent1 (submiter))  |  allow    | allow | allow | allow  | allow  | allow  |
         | user1               |  login    | allow | allow | allow  | allow  | allow  |
 - New user on prefill fields when accessing using tracking code :
          a-  Drafts
         | sumitter / accesser | anonymous | user1 | user2 | agent1 | agent2 | admin1 |
         +---------------------+-----------+-------+-------+--------+--------+--------+
         | anonymous           | anonymous | user1 | user2 | agent1 | agent2 | admin  |
         | agent1 (submiter)   | anonymous | user1 | user2 | agent1 | agent2 | admin  |
         | user1               | anonymous | user1 | user2 | agent1 | agent2 | admin  |
         | user1               |           | user1 | user2 | agent1 | agent2 | admin  |
          b-  Demands (evolving into Workflows forms)
-...
         +---------------------+-----------+-------+-------+--------+--------+--------+
         | anonymous           | anonymous | user1 | user2 | agent1 | agent2 | admin  |
         | agent1 (submiter)   | anonymous | user1 | user2 | agent1 | agent2 | admin  |
         | user1               | anonymous | user1 | user2 | agent1 | agent2 | admin  |
         | user1               |           | user1 | user2 | agent1 | agent2 | admin  |
         """
         (anonymous, user1, user2, agent1, agent2, admin1) = users
         tracking_code = None
-...
                 else:
                     assert expected in ('login', 'deny', 'front',  'back')
         def check_tracking_code_access(user, owner=None, new_owner=None):
         def check_tracking_code_access(user, owner=None, new_owner=None, expected='allow'):
             """
             load the formdata using the tracking code and prefill user name fields.
             new_owner is used to show that user fields change on drafts.
-...
             resp.forms[0]['code'] = tracking_code
             resp = resp.forms[0].submit()
             resp = resp.follow()
             if expected == 'login':
                 assert resp.location == (
                     'http://example.net/login/?ReturnUrl='
                     + 'http://example.net/test/%s') % formdata_id
                 return
             resp = resp.follow()
             resp = resp.follow()
             assert '<title>Forms - test</title>' in resp.text
-...
                 check_direct_access(users[i], expected[i])
         # access to formdata using the tracking code
         expected = ('login', 'allow', 'allow', 'allow', 'allow', 'allow')
         is_draft = True  # drafts
         i = 0
         for user in users:
             with submit(anonymous, is_front=True) as (tracking_code, formdata_id):
                 check_tracking_code_access(user, owner=anonymous, new_owner=user)
             with submit(agent1, is_front=False) as (tracking_code, formdata_id):
                 check_tracking_code_access(user, owner=anonymous, new_owner=user)
             with submit(user1, is_front=True) as (tracking_code, formdata_id):
                 check_tracking_code_access(user, owner=user1, new_owner=user)
                 check_tracking_code_access(user, owner=user1, new_owner=user, expected=expected[i])
             i += 1
         is_draft = False  # demands
         i = 0
         for user in users:
             with submit(anonymous, is_front=True) as (tracking_code, formdata_id):
                 check_tracking_code_access(user, owner=anonymous, new_owner=user)
             with submit(agent1, is_front=False) as (tracking_code, formdata_id):
                 check_tracking_code_access(user, owner=anonymous, new_owner=user)
             with submit(user1, is_front=True) as (tracking_code, formdata_id):
                 check_tracking_code_access(user, owner=user1, new_owner=user)
                 check_tracking_code_access(user, owner=user1, new_owner=user, expected=expected[i])
             i += 1

                 raise errors.TraversalError()
             if BotFilter.is_bot():
                 raise errors.AccessForbiddenError()
             formdata_url = formdata.get_url().rstrip('/')
             if formdata.user_id and not get_request().user:
                 # anonymous user asked to load a tracking code associated with an user,
                 # don't load, ask for authentication instead
                 return redirect('/login/?ReturnUrl=%s' % formdata_url)
             get_session().mark_anonymous_formdata(formdata)
             return redirect(formdata.get_url().rstrip('/'))
             return redirect(formdata_url)
     class TrackingCodesDirectory(Directory):
+    -

Projet

Général

Profil

Produits Entr'ouvert » w.c.s.

0001-forms-force-authentication-if-anonymous-use-user-tra.patch