0002-forms-force-authentication-if-anonymous-use-user-tra.patch

Nicolas Roche, 11 février 2020 14:24

Subject: [PATCH 2/3] forms: force authentication if anonymous use user
 tracking code (#38239)

 tests/test_form_pages.py | 6 ++----
 wcs/forms/root.py        | 6 ++++++
 2 files changed, 8 insertions(+), 4 deletions(-)
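--- a/tests/test_form_pages.py
+++ b/tests/test_form_pages.py
@@ -1633,26 +1633,24 @@
     resp = resp.follow()
     assert resp.location == 'http://example.net/test/%s/' % formdata_id
     resp = resp.follow()
     assert 'form_comment' in resp.text # makes sure user is treated as submitter
     resp.forms[0]['comment'] = 'hello world'
     resp = resp.forms[0].submit()
     assert formdef.data_class().get(formdata_id).evolution[-1].comment == 'hello world'
 
-    # and check we can also get back to it as anonymous
+    # check we can't get back to it as anonymous
     app = get_app(pub)
     resp = app.get('/')
     resp.forms[0]['code'] = tracking_code
     resp = resp.forms[0].submit()
     assert resp.location == 'http://example.net/code/%s/load' % tracking_code
     resp = resp.follow()
-    assert resp.location == 'http://example.net/test/%s/' % formdata_id
-    resp = resp.follow()
-    assert 'form_comment' in resp.text # makes sure user is treated as submitter
+    assert resp.location == 'http://example.net/login/?ReturnUrl=http://example.net/test/%s' % formdata_id
 
     # and check a bot is not allowed to get it
     app = get_app(pub)
     resp = app.get('/code/%s/load' % tracking_code,
             headers={'User-agent': 'Googlebot'}, status=403)
 
 
 def test_form_empty_tracking_code(pub, nocache):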
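Review bot: The new assertion on line 1648 stops at the login redirect, so the anonymous branch of this test no longer checks that the formdata becomes reachable once the visitor authenticates; following the `ReturnUrl` after logging in, the way the first half of the test already checks `'form_comment' in resp.text`, would keep that end-to-end coverage. The expected value also pins `ReturnUrl` as an unescaped absolute URL, so any later change to how `wcs/forms/root.py` builds that query string will require updating this line. The enclosing test function starts before the hunk.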
wcs/forms/root.py
169 169
                raise KeyError
170 170
            formdata = tracking_code.formdata
171 171
        except KeyError:
172 172
            raise errors.TraversalError()
173 173
        if formdata.formdef.enable_tracking_codes is False:
174 174
            raise errors.TraversalError()
175 175
        if BotFilter.is_bot():
176 176
            raise errors.AccessForbiddenError()
177

  
178
        formdata_url = formdata.get_url().rstrip('/')
179
        if formdata.user_id and not get_request().user:
180
            # anonymous user asked to load a tracking code associated with an user,
181
            # don't load, ask for authentication instead
182
            return redirect('/login/?ReturnUrl=%s' % formdata_url)
177 183
        get_session().mark_anonymous_formdata(formdata)
178 184
        return redirect(formdata.get_url())
179 185

  
180 186

  
181 187
class TrackingCodesDirectory(Directory):
182 188
    _q_exports = ['load']
183 189

  
184 190
    def __init__(self, formdef=None):
185
-
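Review bot: The `ReturnUrl` built on new line 182, `return redirect('/login/?ReturnUrl=%s' % formdata_url)`, places `formdata_url` in the query string without escaping, so a URL containing `&`, `#` or `?` would hand the login page a truncated return address; `'/login/?' + urllib.parse.urlencode({'ReturnUrl': formdata_url})` (if `urllib.parse` is in scope in this module) would be robust, at the cost of updating the test that pins the unescaped form. The new guard on line 179 only covers the anonymous case: an authenticated user whose account differs from `formdata.user_id` still falls through to `get_session().mark_anonymous_formdata(formdata)` on line 183; if that is intended, a comment such as `# any authenticated user keeps the plain tracking-code access` would make the choice explicit. `formdata_url` also strips the trailing slash that the redirect on line 184 keeps, so the same formdata is addressed by two slightly different URLs; using one form for both would be cleaner. The enclosing method starts before the hunk.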