
0001-api-don-t-return-all-formdefs-in-anonymous-calls-910.patch

Frédéric Péters, 24 novembre 2015 13:41


Subject: [PATCH] api: don't return all formdefs in anonymous calls (#9101)

 tests/test_api.py | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 wcs/api.py        |  9 +++++++--
 2 files changed, 55 insertions(+), 2 deletions(-)
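--- a/tests/test_api.py
+++ b/tests/test_api.py
@@ -54,6 +54,7 @@
     user = get_publisher().user_class()
     user.name = 'Jean Darmette'
     user.email = 'jean.darmette@triffouilis.fr'
+    user.name_identifiers = ['0123456789']
     user.store()
     return user
 
@@ -264,6 +265,53 @@
     assert resp1.json[0]['functions']['_receiver']['role']['slug'] == role.slug
     assert resp1.json[0]['functions']['_receiver']['role']['name'] == role.name
 
+def test_limited_formdef_list(pub, local_user):
+    Role.wipe()
+    role = Role(name='Foo bar')
+    role.id = '14'
+    role.store()
+
+    FormDef.wipe()
+    formdef = FormDef()
+    formdef.name = 'test'
+    formdef.description = 'plop'
+    formdef.workflow_roles = {'_receiver': str(role.id)}
+    formdef.fields = []
+    formdef.store()
+
+    resp = get_app(pub).get('/api/formdefs/')
+    assert len(resp.json) == 1
+
+    # check it's not advertised
+    formdef.roles = [role.id]
+    formdef.store()
+    resp = get_app(pub).get('/api/formdefs/')
+    resp2 = get_app(pub).get(sign_uri('/api/formdefs/?NameID='))
+    resp3 = get_app(pub).get(sign_uri('/api/formdefs/?NameID=XXX'))
+    resp4 = get_app(pub).get(sign_uri('/api/formdefs/?NameID=%s' % local_user.name_identifiers[0]))
+    assert len(resp.json) == 0
+    assert resp.json == resp2.json == resp3.json == resp4.json
+
+    # unless user has correct roles
+    local_user.roles = [role.id]
+    local_user.store()
+    resp = get_app(pub).get(sign_uri('/api/formdefs/?NameID=%s' % local_user.name_identifiers[0]))
+    assert len(resp.json) == 1
+
+    local_user.roles = []
+    local_user.store()
+
+    # check it's advertised
+    formdef.always_advertise = True
+    formdef.store()
+    resp = get_app(pub).get('/api/formdefs/')
+    resp2 = get_app(pub).get(sign_uri('/api/formdefs/?NameID='))
+    resp3 = get_app(pub).get(sign_uri('/api/formdefs/?NameID=XXX'))
+    resp4 = get_app(pub).get(sign_uri('/api/formdefs/?NameID=%s' % local_user.name_identifiers[0]))
+    assert len(resp.json) == 1
+    assert resp.json[0]['authentication_required']
+    assert resp.json == resp2.json == resp3.json == resp4.json
+
 def test_formdef_list_redirection(pub):
     FormDef.wipe()
     formdef = FormDef()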
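Review bot: test_limited_formdef_list never requests the restricted list with a NameID on an unsigned URL, so nothing in the new test pins that a query-string identity is only honoured once is_url_signed() passes (the `if not is_url_signed(): return None` branch visible in the wcs/api.py section); the resp/resp2/resp3/resp4 group after `formdef.roles = [role.id]` is the natural place for it. Adding `resp5 = get_app(pub).get('/api/formdefs/?NameID=%s' % local_user.name_identifiers[0])` there and extending the chain to `assert resp.json == resp2.json == resp3.json == resp4.json == resp5.json` would fail if an unsigned NameID were ever accepted as a role-holding user. The same unsigned request after `local_user.roles = [role.id]` should still yield `len(resp5.json) == 0`, which is the case that actually matters for the restricted formdef. As a point of style, the `'/api/formdefs/?NameID=%s' % local_user.name_identifiers[0]` expression is built four times; binding it once to a local such as `user_uri` would keep the assertions readable.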
wcs/api.py
80 80
    if not is_url_signed():
81 81
        return None
82 82
    # Signature is good. Now looking for the user, by email/NameID.
83
    # If email or NameID exist but are empty, return None
84 83
    user = None
85 84
    if get_request().form.get('email'):
86 85
        email = get_request().form.get('email')
......
100 99
            user = users[0]
101 100
        else:
102 101
            raise UnknownNameIdAccessForbiddenError('unknown NameID')
102
    elif 'email' in get_request().form or 'NameID' in get_request().form:
103
        # email or NameID were given as empty to the query string, this maps
104
        # the anonymous user case.
105
        return False
103 106

  
104 107
    return user
105 108

  
......
323 326

  
324 327
    def _q_index(self):
325 328
        try:
326
            user = get_user_from_api_query_string() or get_request().user
329
            user = get_user_from_api_query_string()
330
            if user is None and get_request().user:
331
                user = get_request().user # helps debugging
327 332
        except UnknownNameIdAccessForbiddenError:
328 333
            # if authenticating the user via the query string failed, return
329 334
            # results for the anonymous case; user is set to 'False' as a
330
-