0001-forms-forbidden-direct-anonymous-acces-to-anonymous-.patch
tests/test_form_pages.py | ||
---|---|---|
1305 | 1305 |
formdata_user.user_id = user.id |
1306 | 1306 |
formdata_user.store() |
1307 | 1307 | |
1308 |
resp = get_app(pub).get('/test/%s/' % formdata.id) |
|
1309 |
assert resp.location.startswith('http://example.net/login/?next=') |
|
1308 |
resp = get_app(pub).get('/test/%s/' % formdata.id, status=403) |
|
1309 |
assert 'Access Forbidden' in resp.text |
|
1310 |
assert 'This page should be accessed by using a tracking code' in resp.text |
|
1310 | 1311 | |
1311 | 1312 |
resp = get_app(pub).get('/test/%s/' % formdata_user.id) |
1312 | 1313 |
assert resp.location.startswith('http://example.net/login/?next=') |
... | ... | |
1430 | 1431 | |
1431 | 1432 |
# check anonymous user can't get to it from the URL |
1432 | 1433 |
pub.session_manager.session_class.wipe() |
1433 |
resp = get_app(pub).get('http://example.net/test/%s' % formdata_id) |
|
1434 |
assert resp.location.startswith('http://example.net/login') |
|
1434 |
resp = get_app(pub).get('http://example.net/test/%s' % formdata_id, status=403) |
|
1435 |
assert 'Access Forbidden' in resp.text |
|
1436 |
assert 'This page should be accessed by using a tracking code' in resp.text |
|
1435 | 1437 | |
1436 | 1438 |
# or logged users that didn't enter the code: |
1437 | 1439 |
user = create_user(pub) |
... | ... | |
2007 | 2009 |
formdata.status = 'draft' |
2008 | 2010 |
formdata.store() |
2009 | 2011 | |
2010 |
resp = get_app(pub).get('/test/%s' % formdata.id, status=302) |
|
2011 |
assert resp.location.startswith('http://example.net/login') |
|
2012 |
resp = get_app(pub).get('/test/%s' % formdata.id, status=403) |
|
2013 |
assert 'Access Forbidden' in resp.text |
|
2014 |
assert 'This page should be accessed by using a tracking code' in resp.text |
|
2012 | 2015 | |
2013 | 2016 |
formdata.user_id = user.id |
2014 | 2017 |
formdata.store() |
tests/test_tracking_code.py | ||
---|---|---|
171 | 171 | |
172 | 172 |
| sumitter / accesser | anonymous | user1 | user2 | agent1 | agent2 | admin1 | |
173 | 173 |
+---------------------+-----------+-------+-------+--------+--------+--------+ |
174 |
| anonymous | login | deny | deny | deny | deny | deny |
|
|
175 |
| agent1 (submiter)) | login | deny | deny | deny | deny | deny |
|
|
174 |
| anonymous | deny | deny | deny | deny | deny | deny |
|
|
175 |
| agent1 (submiter)) | deny | deny | deny | deny | deny | deny |
|
|
176 | 176 |
| user1 | login | allow | deny | deny | deny | deny | |
177 | 177 | |
178 | 178 |
b- Demands |
179 | 179 | |
180 | 180 |
| sumitter / accesser | anonymous | user1 | user2 | agent1 | agent2 | admin1 | |
181 | 181 |
+---------------------+-----------+-------+-------+--------+--------+--------+ |
182 |
| anonymous | login | deny | deny | deny | back | back |
|
|
183 |
| agent1 (submiter) | login | deny | deny | deny | back | back |
|
|
182 |
| anonymous | deny | deny | deny | deny | back | back |
|
|
183 |
| agent1 (submiter) | deny | deny | deny | deny | back | back |
|
|
184 | 184 |
| user1 | login | allow | deny | deny | back | back | |
185 | 185 | |
186 | 186 |
2- New user on prefill fields when accessing using tracking code : |
... | ... | |
407 | 407 |
# direct access to formdata |
408 | 408 |
is_draft = True # drafts |
409 | 409 |
with submit(anonymous, is_front=True) as (tracking_code, formdata_id): |
410 |
access = ('login', 'deny', 'deny', 'deny', 'deny', 'deny')
|
|
410 |
access = ('deny', 'deny', 'deny', 'deny', 'deny', 'deny')
|
|
411 | 411 |
for i in range(len(users)): |
412 | 412 |
check_direct_access(users[i], access[i]) |
413 | 413 |
with submit(agent1, is_front=False) as (tracking_code, formdata_id): |
414 |
access = ('login', 'deny', 'deny', 'deny', 'deny', 'deny')
|
|
414 |
access = ('deny', 'deny', 'deny', 'deny', 'deny', 'deny')
|
|
415 | 415 |
for i in range(len(users)): |
416 | 416 |
check_direct_access(users[i], access[i]) |
417 | 417 |
with submit(user1, is_front=True) as (tracking_code, formdata_id): |
... | ... | |
421 | 421 | |
422 | 422 |
is_draft = False # demands |
423 | 423 |
with submit(anonymous, is_front=True) as (tracking_code, formdata_id): |
424 |
access = ('login', 'deny', 'deny', 'deny', 'back', 'back')
|
|
424 |
access = ('deny', 'deny', 'deny', 'deny', 'back', 'back')
|
|
425 | 425 |
for i in range(len(users)): |
426 | 426 |
check_direct_access(users[i], access[i]) |
427 | 427 |
with submit(agent1, is_front=False) as (tracking_code, formdata_id): |
428 |
access = ('login', 'deny', 'deny', 'deny', 'back', 'back')
|
|
428 |
access = ('deny', 'deny', 'deny', 'deny', 'back', 'back')
|
|
429 | 429 |
for i in range(len(users)): |
430 | 430 |
check_direct_access(users[i], access[i]) |
431 | 431 |
with submit(user1, is_front=True) as (tracking_code, formdata_id): |
wcs/forms/common.py | ||
---|---|---|
322 | 322 |
session = get_session() |
323 | 323 |
if not session or not session.user: |
324 | 324 |
if not self.filled.formdef.is_user_allowed_read(None, self.filled): |
325 |
raise errors.AccessUnauthorizedError() |
|
325 |
if self.filled.user_id: |
|
326 |
raise errors.AccessUnauthorizedError() |
|
327 |
else: |
|
328 |
raise errors.AccessForbiddenError( |
|
329 |
_('This page should be accessed by using a tracking code')) |
|
326 | 330 |
user = get_request().user |
327 | 331 |
if self.filled.formdef is None: |
328 | 332 |
raise errors.AccessForbiddenError() |
wcs/forms/root.py | ||
---|---|---|
1301 | 1301 |
elif session.user: |
1302 | 1302 |
if str(session.user) != str(filled.user_id): |
1303 | 1303 |
raise errors.AccessUnauthorizedError() |
1304 |
else:
|
|
1304 |
elif filled.user_id:
|
|
1305 | 1305 |
raise errors.AccessUnauthorizedError() |
1306 |
else: |
|
1307 |
raise errors.AccessForbiddenError( |
|
1308 |
_('This page should be accessed by using a tracking code')) |
|
1306 | 1309 | |
1307 | 1310 |
if get_request().get_query() == 'remove-draft': |
1308 | 1311 |
filled.remove_self() |
1309 |
- |