0001-api-don-t-check-category-permissions-54757.patch

Frédéric Péters, 11 juin 2021 08:50


Subject: [PATCH] api: don't check category permissions (#54757)

 tests/api/test_formdata.py   | 11 +++++++++++
 wcs/backoffice/management.py | 12 ++++++++++--
 2 files changed, 21 insertions(+), 2 deletions(-)
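--- a/tests/api/test_formdata.py
+++ b/tests/api/test_formdata.py
@@ -1046,6 +1046,17 @@
         ods_sheet = ET.parse(zipf.open('content.xml'))
     assert len(ods_sheet.findall('.//{%s}table-row' % ods.NS['table'])) == 311
 
+    # check it's not subject to category permissions
+    role2 = pub.role_class(name='test2')
+    role2.store()
+    category = Category()
+    category.name = 'Category 1'
+    category.export_roles = [role2]
+    category.store()
+    formdef.category = category
+    formdef.store()
+    get_app(pub).get(sign_uri('/api/forms/test/ods', user=local_user), status=200)
+
 
 def test_api_global_geojson(pub, local_user):
     pub.role_class.wipe()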
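Review bot: The added assertions at the end of the ODS test only exercise `/api/forms/test/ods`, while the commit relaxes the same guard in `csv()`, and nothing here pins the case the category permission is still meant to block. I would add the equivalent signed request against the CSV export, plus a negative case showing that a non-API backoffice request from a user without `role2` still gets a 403 once `category.export_roles` is set. In the visible lines `local_user` is never given `role2`, which is what makes the `status=200` meaningful; a comment such as `# local_user lacks role2: a 200 shows the category export role is ignored for API calls` would state that intent. The enclosing test function starts outside this section.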
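--- a/wcs/backoffice/management.py
+++ b/wcs/backoffice/management.py
@@ -2181,7 +2181,11 @@
 
     def csv(self):
         self.check_access()
-        if self.formdef.category and not self.formdef.category.has_permission('export', get_request().user):
+        if (
+            not get_request().is_api_url()
+            and self.formdef.category
+            and not self.formdef.category.has_permission('export', get_request().user)
+        ):
             raise errors.AccessForbiddenError()
         fields = self.get_fields_from_query()
         selected_filter = self.get_filter_from_query()
@@ -2235,7 +2239,11 @@
         if get_request().has_anonymised_data_api_restriction():
             # api/ will let this pass but we don't want that.
             raise errors.AccessForbiddenError()
-        if self.formdef.category and not self.formdef.category.has_permission('export', get_request().user):
+        if (
+            not get_request().is_api_url()
+            and self.formdef.category
+            and not self.formdef.category.has_permission('export', get_request().user)
+        ):
             raise errors.AccessForbiddenError()
         fields = self.get_fields_from_query()
         selected_filter = self.get_filter_from_query()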
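Review bot: The new guard in `csv()` skips the category export check whenever `get_request().is_api_url()` is true, so the exemption depends on the URL of the request rather than on how the caller was authenticated; the same condition is repeated in the second hunk, whose enclosing method starts outside the visible lines. If an `/api/` URL can also be reached with an ordinary backoffice session (not visible here), a user without the category's export role could obtain through that URL the export the backoffice path refuses. I would confirm that `check_access()` is sufficient for every kind of API caller and record it next to the condition, e.g. `# API requests are authorized by check_access(); category export roles only restrict backoffice users`. As the four-line condition is now duplicated, moving it into one private helper would keep the two exports from drifting apart.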
2242
-