0002-forms-force-authentication-if-anonymous-use-user-tra.patch
tests/test_form_pages.py | ||
---|---|---|
1633 | 1633 |
resp = resp.follow() |
1634 | 1634 |
assert resp.location == 'http://example.net/test/%s/' % formdata_id |
1635 | 1635 |
resp = resp.follow() |
1636 | 1636 |
assert 'form_comment' in resp.text # makes sure user is treated as submitter |
1637 | 1637 |
resp.forms[0]['comment'] = 'hello world' |
1638 | 1638 |
resp = resp.forms[0].submit() |
1639 | 1639 |
assert formdef.data_class().get(formdata_id).evolution[-1].comment == 'hello world' |
1640 | 1640 | |
1641 |
# and check we can also get back to it as anonymous
|
|
1641 |
# check we can't get back to it as anonymous
|
|
1642 | 1642 |
app = get_app(pub) |
1643 | 1643 |
resp = app.get('/') |
1644 | 1644 |
resp.forms[0]['code'] = tracking_code |
1645 | 1645 |
resp = resp.forms[0].submit() |
1646 | 1646 |
assert resp.location == 'http://example.net/code/%s/load' % tracking_code |
1647 | 1647 |
resp = resp.follow() |
1648 |
assert resp.location == 'http://example.net/test/%s/' % formdata_id |
|
1649 |
resp = resp.follow() |
|
1650 |
assert 'form_comment' in resp.text # makes sure user is treated as submitter |
|
1648 |
assert resp.location == 'http://example.net/login/?ReturnUrl=http://example.net/test/%s' % formdata_id |
|
1651 | 1649 | |
1652 | 1650 |
# and check a bot is not allowed to get it |
1653 | 1651 |
app = get_app(pub) |
1654 | 1652 |
resp = app.get('/code/%s/load' % tracking_code, |
1655 | 1653 |
headers={'User-agent': 'Googlebot'}, status=403) |
1656 | 1654 | |
1657 | 1655 | |
1658 | 1656 |
def test_form_empty_tracking_code(pub, nocache): |
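Review bot: The rewritten anonymous case (new lines 1641-1648) stops at the `Location` assertion, so it pins the redirect but not the property the change is meant to guarantee, namely that this session gained no access to the formdata. Since the fix works by returning before `mark_anonymous_formdata()`, I would add a follow-up request on the same `app`, e.g. `resp = app.get('/test/%s/' % formdata_id)`, and assert that the comment form is not served (the exact refusal, login redirect or 403, is not visible from this section). A second case worth covering is a logged-in user who is not the submitter entering the same tracking code, which the new condition in `wcs/forms/root.py` lets through. The test function starts above the visible context.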
wcs/forms/root.py | ||
---|---|---|
169 | 169 |
raise KeyError |
170 | 170 |
formdata = tracking_code.formdata |
171 | 171 |
except KeyError: |
172 | 172 |
raise errors.TraversalError() |
173 | 173 |
if formdata.formdef.enable_tracking_codes is False: |
174 | 174 |
raise errors.TraversalError() |
175 | 175 |
if BotFilter.is_bot(): |
176 | 176 |
raise errors.AccessForbiddenError() |
177 | ||
178 |
formdata_url = formdata.get_url().rstrip('/') |
|
179 |
if formdata.user_id and not get_request().user: |
|
180 |
# anonymous user asked to load a tracking code associated with an user, |
|
181 |
# don't load, ask for authentication instead |
|
182 |
return redirect('/login/?ReturnUrl=%s' % formdata_url) |
|
177 | 183 |
get_session().mark_anonymous_formdata(formdata) |
178 | 184 |
return redirect(formdata.get_url()) |
179 | 185 | |
180 | 186 | |
181 | 187 |
class TrackingCodesDirectory(Directory): |
182 | 188 |
_q_exports = ['load'] |
183 | 189 | |
184 | 190 |
def __init__(self, formdef=None): |
185 |
- |
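Review bot: The guard added at new line 179 only checks that some user is logged in (`not get_request().user`), so an authenticated account holding the tracking code of another user's form still falls through to `get_session().mark_anonymous_formdata(formdata)` and, judging by the test comment, is treated as submitter. If the intent is that a code tied to `formdata.user_id` is usable only by that user, the condition should also compare identities, along the lines of `if formdata.user_id and (not user or str(user.id) != str(formdata.user_id)):` with `user = get_request().user` (attribute name and id types to be confirmed against the user class), and the mismatch case should probably raise `errors.AccessForbiddenError()` rather than redirect to login. Separately, `formdata_url` is interpolated into `ReturnUrl` unencoded; it is server-generated here, so this is a robustness point, but quoting it would keep the query string well-formed if the URL ever carries `?` or `&`. The enclosing method starts above the visible lines.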