0001-api-don-t-check-category-permissions-54757.patch
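--- a/tests/api/test_formdata.py
+++ b/tests/api/test_formdata.py
@@ -1046,6 +1046,17 @@
 ods_sheet = ET.parse(zipf.open('content.xml'))
 assert len(ods_sheet.findall('.//{%s}table-row' % ods.NS['table'])) == 311
 
+# check it's not subject to category permissions
+role2 = pub.role_class(name='test2')
+role2.store()
+category = Category()
+category.name = 'Category 1'
+category.export_roles = [role2]
+category.store()
+formdef.category = category
+formdef.store()
+get_app(pub).get(sign_uri('/api/forms/test/ods', user=local_user), status=200)
+
 
 def test_api_global_geojson(pub, local_user):
 pub.role_class.wipe()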
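Review bot: The added block only pins the permissive side of the change: a signed request to `/api/forms/test/ods` returns 200 once `category.export_roles` is set to a role the user is not shown to hold. Nothing here asserts that the restriction still applies outside the API, so a later edit that drops the category check entirely would keep this test green. I would add a companion assertion that a non-API request for the same export, made by a user without `role2`, is still refused with 403. I would also extend the comment to `# signed API requests are not subject to category export roles; backoffice requests still are`. The enclosing test function starts above the hunk, so any existing coverage of the `csv` path changed in wcs/backoffice/management.py is not visible from here.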
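--- a/wcs/backoffice/management.py
+++ b/wcs/backoffice/management.py
@@ -2181,7 +2181,11 @@
 
 def csv(self):
 self.check_access()
-if self.formdef.category and not self.formdef.category.has_permission('export', get_request().user):
+if (
+not get_request().is_api_url()
+and self.formdef.category
+and not self.formdef.category.has_permission('export', get_request().user)
+):
 raise errors.AccessForbiddenError()
 fields = self.get_fields_from_query()
 selected_filter = self.get_filter_from_query()
@@ -2235,7 +2239,11 @@
 if get_request().has_anonymised_data_api_restriction():
 # api/ will let this pass but we don't want that.
 raise errors.AccessForbiddenError()
-if self.formdef.category and not self.formdef.category.has_permission('export', get_request().user):
+if (
+not get_request().is_api_url()
+and self.formdef.category
+and not self.formdef.category.has_permission('export', get_request().user)
+):
 raise errors.AccessForbiddenError()
 fields = self.get_fields_from_query()
 selected_filter = self.get_filter_from_query()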
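Review bot: The new `not get_request().is_api_url()` clause in `csv`, and the identical one in the second hunk, disables the category export check for every request that predicate accepts, and its definition is not visible here. If it is derived from the request path rather than from how the caller authenticated, a session user without the category's export role may reach the same export through the API path. That should be confirmed, since `self.check_access()` then becomes the only authorisation gate for those requests. A comment above each condition would record the intent, for example `# API callers are authorised by check_access() alone; category export roles only restrict backoffice users`. The condition is now duplicated verbatim in both methods, so moving it into one private helper would keep the two exports from drifting apart; both function bodies extend beyond the hunks shown.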
2242 |
- |