
0001-forms-forbidden-direct-anonymous-acces-to-anonymous-.patch

Nicolas Roche (absent jusqu'au 3 avril), 08 janvier 2020 14:24


Subject: [PATCH] forms: forbidden direct anonymous acces to anonymous formdata
 on frontoffice (#37808)

 tests/test_form_pages.py    | 15 +++++++++------
 tests/test_tracking_code.py | 16 ++++++++--------
 wcs/forms/common.py         |  6 +++++-
 wcs/forms/root.py           |  5 ++++-
 4 files changed, 26 insertions(+), 16 deletions(-)
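--- a/tests/test_form_pages.py
+++ b/tests/test_form_pages.py
@@ -1305,8 +1305,9 @@
     formdata_user.user_id = user.id
     formdata_user.store()
 
-    resp = get_app(pub).get('/test/%s/' % formdata.id)
-    assert resp.location.startswith('http://example.net/login/?next=')
+    resp = get_app(pub).get('/test/%s/' % formdata.id, status=403)
+    assert 'Access Forbidden' in resp.text
+    assert 'This page should be accessed by using a tracking code' in resp.text
 
     resp = get_app(pub).get('/test/%s/' % formdata_user.id)
     assert resp.location.startswith('http://example.net/login/?next=')
@@ -1430,8 +1431,9 @@
 
     # check anonymous user can't get to it from the URL
     pub.session_manager.session_class.wipe()
-    resp = get_app(pub).get('http://example.net/test/%s' % formdata_id)
-    assert resp.location.startswith('http://example.net/login')
+    resp = get_app(pub).get('http://example.net/test/%s' % formdata_id, status=403)
+    assert 'Access Forbidden' in resp.text
+    assert 'This page should be accessed by using a tracking code' in resp.text
 
     # or logged users that didn't enter the code:
     user = create_user(pub)
@@ -2007,8 +2009,9 @@
     formdata.status = 'draft'
     formdata.store()
 
-    resp = get_app(pub).get('/test/%s' % formdata.id, status=302)
-    assert resp.location.startswith('http://example.net/login')
+    resp = get_app(pub).get('/test/%s' % formdata.id, status=403)
+    assert 'Access Forbidden' in resp.text
+    assert 'This page should be accessed by using a tracking code' in resp.text
 
     formdata.user_id = user.id
     formdata.store()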
tests/test_tracking_code.py
171 171

  
172 172
    | sumitter / accesser | anonymous | user1 | user2 | agent1 | agent2 | admin1 |
173 173
    +---------------------+-----------+-------+-------+--------+--------+--------+
174
    | anonymous           |  login    | deny  | deny  | deny   | deny   | deny   |
175
    | agent1 (submiter))  |  login    | deny  | deny  | deny   | deny   | deny   |
174
    | anonymous           |  deny     | deny  | deny  | deny   | deny   | deny   |
175
    | agent1 (submiter))  |  deny     | deny  | deny  | deny   | deny   | deny   |
176 176
    | user1               |  login    | allow | deny  | deny   | deny   | deny   |
177 177

  
178 178
     b-  Demands
179 179

  
180 180
    | sumitter / accesser | anonymous | user1 | user2 | agent1 | agent2 | admin1 |
181 181
    +---------------------+-----------+-------+-------+--------+--------+--------+
182
    | anonymous           |  login    | deny  | deny  | deny   | back   | back   |
183
    | agent1 (submiter)   |  login    | deny  | deny  | deny   | back   | back   |
182
    | anonymous           |  deny     | deny  | deny  | deny   | back   | back   |
183
    | agent1 (submiter)   |  deny     | deny  | deny  | deny   | back   | back   |
184 184
    | user1               |  login    | allow | deny  | deny   | back   | back   |
185 185

  
186 186
    2- New user on prefill fields when accessing using tracking code :
......
407 407
    # direct access to formdata
408 408
    is_draft = True  # drafts
409 409
    with submit(anonymous, is_front=True) as (tracking_code, formdata_id):
410
        access = ('login', 'deny', 'deny', 'deny', 'deny', 'deny')
410
        access = ('deny', 'deny', 'deny', 'deny', 'deny', 'deny')
411 411
        for i in range(len(users)):
412 412
            check_direct_access(users[i], access[i])
413 413
    with submit(agent1, is_front=False) as (tracking_code, formdata_id):
414
        access = ('login', 'deny', 'deny', 'deny', 'deny', 'deny')
414
        access = ('deny', 'deny', 'deny', 'deny', 'deny', 'deny')
415 415
        for i in range(len(users)):
416 416
            check_direct_access(users[i], access[i])
417 417
    with submit(user1, is_front=True) as (tracking_code, formdata_id):
......
421 421

  
422 422
    is_draft = False  # demands
423 423
    with submit(anonymous, is_front=True) as (tracking_code, formdata_id):
424
        access = ('login', 'deny', 'deny', 'deny', 'back', 'back')
424
        access = ('deny', 'deny', 'deny', 'deny', 'back', 'back')
425 425
        for i in range(len(users)):
426 426
            check_direct_access(users[i], access[i])
427 427
    with submit(agent1, is_front=False) as (tracking_code, formdata_id):
428
        access = ('login', 'deny', 'deny', 'deny', 'back', 'back')
428
        access = ('deny', 'deny', 'deny', 'deny', 'back', 'back')
429 429
        for i in range(len(users)):
430 430
            check_direct_access(users[i], access[i])
431 431
    with submit(user1, is_front=True) as (tracking_code, formdata_id):
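--- a/wcs/forms/common.py
+++ b/wcs/forms/common.py
@@ -322,7 +322,11 @@
         session = get_session()
         if not session or not session.user:
             if not self.filled.formdef.is_user_allowed_read(None, self.filled):
-                raise errors.AccessUnauthorizedError()
+                if self.filled.user_id:
+                    raise errors.AccessUnauthorizedError()
+                else:
+                    raise errors.AccessForbiddenError(
+                        _('This page should be accessed by using a tracking code'))
         user = get_request().user
         if self.filled.formdef is None:
             raise errors.AccessForbiddenError()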
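Review bot: With the new branch at new lines 325–329 the unauthenticated response now depends on whether the formdata has a user_id (redirect to login vs. a 403 carrying the tracking-code hint), so an unauthenticated request for an arbitrary formdata id can tell user-owned submissions apart from anonymous ones, which the previous uniform AccessUnauthorizedError did not reveal; whether that is an acceptable trade-off should be decided and recorded next to the code. I would add above `if self.filled.user_id:` the comment `# user-owned formdata: send the visitor to login; anonymous formdata is reachable only through its tracking code, and the 403 says so (note this does reveal which of the two cases a given id falls into)`. The same two-way split is added in wcs/forms/root.py (new lines 1304–1308), so the decision and comment should be applied there as well. The enclosing method begins before this hunk.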
wcs/forms/root.py
1301 1301
            elif session.user:
1302 1302
                if str(session.user) != str(filled.user_id):
1303 1303
                    raise errors.AccessUnauthorizedError()
1304
            else:
1304
            elif filled.user_id:
1305 1305
                raise errors.AccessUnauthorizedError()
1306
            else:
1307
                raise errors.AccessForbiddenError(
1308
                    _('This page should be accessed by using a tracking code'))
1306 1309

  
1307 1310
        if get_request().get_query() == 'remove-draft':
1308 1311
            filled.remove_self()
1309
-