0001-forms-force-authentication-if-anonymous-use-user-tra.patch
tests/test_form_pages.py | ||
---|---|---|
1582 | 1582 |
resp = resp.forms[0].submit() |
1583 | 1583 |
assert formdef.data_class().get(formdata_id).evolution[-1].comment == 'hello world' |
1584 | 1584 | |
1585 |
# and check we can also get back to it as anonymous
|
|
1585 |
# check we can't get back to it as anonymous
|
|
1586 | 1586 |
app = get_app(pub) |
1587 | 1587 |
resp = app.get('/') |
1588 | 1588 |
resp.forms[0]['code'] = tracking_code |
1589 | 1589 |
resp = resp.forms[0].submit() |
1590 | 1590 |
assert resp.location == 'http://example.net/code/%s/load' % tracking_code |
1591 | 1591 |
resp = resp.follow() |
1592 |
assert resp.location == 'http://example.net/test/%s' % formdata_id |
|
1593 |
resp = resp.follow() |
|
1594 |
resp = resp.follow() |
|
1595 |
assert 'form_comment' in resp.text # makes sure user is treated as submitter |
|
1592 |
assert resp.location == 'http://example.net/login/?ReturnUrl=http://example.net/test/%s' % formdata_id |
|
1596 | 1593 | |
1597 | 1594 |
# and check a bot is not allowed to get it |
1598 | 1595 |
app = get_app(pub) |
... | ... | |
6020 | 6017 |
formdef.store() |
6021 | 6018 |
resp = app.get(formdata.get_url(), status=403) |
6022 | 6019 | |
6023 |
# agent access via a tracking code (stays in frontoffice)
|
|
6020 |
# agent access via a tracking code (redirected to login and next backoffice)
|
|
6024 | 6021 |
formdef.workflow_roles = {'_receiver': role.id} |
6025 | 6022 |
formdef.enable_tracking_codes = True |
6026 | 6023 |
formdef.store() |
... | ... | |
6030 | 6027 |
code.store() |
6031 | 6028 | |
6032 | 6029 |
resp = app.get('/code/%s/load' % code.id) |
6030 |
resp = resp.follow() # -> /login/?ReturnUrl=.../test/1 |
|
6031 |
assert '<title>wcs - Login</title>' in resp.text |
|
6032 |
resp.form['username'] = 'admin' |
|
6033 |
resp.form['password'] = 'admin' |
|
6034 |
resp = resp.form.submit() |
|
6035 |
assert resp.status_int == 302 |
|
6033 | 6036 |
resp = resp.follow() # -> /test/1 |
6034 | 6037 |
assert not 'backoffice' in resp.location |
6035 | 6038 |
resp = resp.follow() # -> /test/1/ |
6039 |
assert 'backoffice' in resp.location |
|
6040 |
resp = resp.follow() # -> /test/1/ |
|
6036 | 6041 |
assert 'The form has been recorded' in resp.text |
6037 | 6042 | |
6038 | 6043 |
# authorized access but not backoffice access |
tests/test_tracking_code.py | ||
---|---|---|
183 | 183 |
| agent1 (submiter) | login | deny | deny | deny | back | back | |
184 | 184 |
| user1 | login | allow | deny | deny | back | back | |
185 | 185 | |
186 |
2- New user on prefill fields when accessing using tracking code : |
|
186 |
2- Access using tracking code : |
|
187 | ||
188 |
| sumitter / accesser | anonymous | user1 | user2 | agent1 | agent2 | admin1 | |
|
189 |
+---------------------+-----------+-------+-------+--------+--------+--------+ |
|
190 |
| anonymous | allow | allow | allow | allow | allow | allow | |
|
191 |
| agent1 (submiter)) | allow | allow | allow | allow | allow | allow | |
|
192 |
| user1 | login | allow | login | login | login | login | |
|
193 | ||
194 |
3- New user on prefill fields when accessing using tracking code : |
|
187 | 195 |
a- Drafts |
188 | 196 | |
189 | 197 |
| sumitter / accesser | anonymous | user1 | user2 | agent1 | agent2 | admin1 | |
190 | 198 |
+---------------------+-----------+-------+-------+--------+--------+--------+ |
191 | 199 |
| anonymous | anonymous | user1 | user2 | agent1 | agent2 | admin | |
192 | 200 |
| agent1 (submiter) | anonymous | user1 | user2 | agent1 | agent2 | admin | |
193 |
| user1 | anonymous | user1 | user2 | agent1 | agent2 | admin |
|
|
201 |
| user1 | | user1 | user2 | agent1 | agent2 | admin |
|
|
194 | 202 | |
195 | 203 |
b- Demands (evolving into Workflows forms) |
196 | 204 | |
... | ... | |
198 | 206 |
+---------------------+-----------+-------+-------+--------+--------+--------+ |
199 | 207 |
| anonymous | anonymous | user1 | user2 | agent1 | agent2 | admin | |
200 | 208 |
| agent1 (submiter) | anonymous | user1 | user2 | agent1 | agent2 | admin | |
201 |
| user1 | anonymous | user1 | user2 | agent1 | agent2 | admin |
|
|
209 |
| user1 | | user1 | user2 | agent1 | agent2 | admin |
|
|
202 | 210 |
""" |
203 | 211 |
(anonymous, user1, user2, agent1, agent2, admin1) = users |
204 | 212 |
tracking_code = None |
... | ... | |
338 | 346 |
else: |
339 | 347 |
assert access in ('login', 'deny', 'front', 'back') |
340 | 348 | |
341 |
def check_tracking_code_access(user, owner=None, new_owner=None): |
|
349 |
def check_tracking_code_access(user, owner=None, new_owner=None, access='allow'):
|
|
342 | 350 |
""" |
343 | 351 |
load the formdata using the tracking code and prefill user name fields. |
344 | 352 |
new_owner is used to show that user fields change on drafts. |
... | ... | |
353 | 361 |
resp.forms[0]['code'] = tracking_code |
354 | 362 |
resp = resp.forms[0].submit() |
355 | 363 |
resp = resp.follow() |
364 |
if access == 'login': |
|
365 |
assert resp.location == ( |
|
366 |
'http://example.net/login/?ReturnUrl=' |
|
367 |
+ 'http://example.net/test/%s') % formdata_id |
|
368 |
return |
|
356 | 369 |
resp = resp.follow() |
357 | 370 |
resp = resp.follow() |
358 | 371 |
assert '<title>Forms - test</title>' in resp.text |
... | ... | |
434 | 447 |
check_direct_access(users[i], access[i]) |
435 | 448 | |
436 | 449 |
# access to formdata using the tracking code |
450 |
access = ('login', 'allow', 'login', 'login', 'login', 'login') |
|
437 | 451 |
is_draft = True # drafts |
452 |
i = 0 |
|
438 | 453 |
for user in users: |
439 | 454 |
with submit(anonymous, is_front=True) as (tracking_code, formdata_id): |
440 | 455 |
check_tracking_code_access(user, owner=anonymous, new_owner=user) |
441 | 456 |
with submit(agent1, is_front=False) as (tracking_code, formdata_id): |
442 | 457 |
check_tracking_code_access(user, owner=anonymous, new_owner=user) |
443 | 458 |
with submit(user1, is_front=True) as (tracking_code, formdata_id): |
444 |
check_tracking_code_access(user, owner=user1, new_owner=user) |
|
459 |
check_tracking_code_access(user, owner=user1, new_owner=user, access=access[i]) |
|
460 |
i += 1 |
|
445 | 461 | |
446 | 462 |
is_draft = False # demands |
463 |
i = 0 |
|
447 | 464 |
for user in users: |
448 | 465 |
with submit(anonymous, is_front=True) as (tracking_code, formdata_id): |
449 | 466 |
check_tracking_code_access(user, owner=anonymous, new_owner=user) |
450 | 467 |
with submit(agent1, is_front=False) as (tracking_code, formdata_id): |
451 | 468 |
check_tracking_code_access(user, owner=anonymous, new_owner=user) |
452 | 469 |
with submit(user1, is_front=True) as (tracking_code, formdata_id): |
453 |
check_tracking_code_access(user, owner=user1, new_owner=user) |
|
470 |
check_tracking_code_access(user, owner=user1, new_owner=user, access=access[i]) |
|
471 |
i += 1 |
wcs/forms/root.py | ||
---|---|---|
174 | 174 |
raise errors.TraversalError() |
175 | 175 |
if BotFilter.is_bot(): |
176 | 176 |
raise errors.AccessForbiddenError() |
177 | ||
178 |
formdata_url = formdata.get_url().rstrip('/') |
|
179 |
if formdata.user_id and (not get_request().user |
|
180 |
or str(get_request().user.id) != str(formdata.user_id)): |
|
181 |
# asked to load a tracking code associated with another user |
|
182 |
# don't load, ask for authentication instead |
|
183 |
return redirect('/login/?ReturnUrl=%s' % formdata_url) |
|
177 | 184 |
get_session().mark_anonymous_formdata(formdata) |
178 |
return redirect(formdata.get_url().rstrip('/'))
|
|
185 |
return redirect(formdata_url)
|
|
179 | 186 | |
180 | 187 | |
181 | 188 |
class TrackingCodesDirectory(Directory): |
182 |
- |