From eae3d1641fd9d2c2c8e3fbf7d80f7521c4785cec Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20P=C3=A9ters?= <fpeters@entrouvert.com>
Date: Wed, 21 Sep 2016 14:45:08 +0200
Subject: [PATCH] backoffice: also lock related user formdata (#12895)

---
 tests/test_backoffice_pages.py | 79 ++++++++++++++++++++++++++++++++++++++----
 wcs/backoffice/management.py   |  1 +
 wcs/formdata.py                |  4 +++
 wcs/forms/common.py            | 14 +++++---
 4 files changed, 86 insertions(+), 12 deletions(-)

diff --git a/tests/test_backoffice_pages.py b/tests/test_backoffice_pages.py
index f72c52b..6f9f177 100644
--- a/tests/test_backoffice_pages.py
+++ b/tests/test_backoffice_pages.py
@@ -78,7 +78,7 @@ def create_user(pub, is_admin=False):
     return user1
 
 def create_superuser(pub):
-    create_user(pub, is_admin=True)
+    return create_user(pub, is_admin=True)
 
 def create_environment(pub, set_receiver=True):
     Workflow.wipe()
@@ -958,7 +958,7 @@ def test_backoffice_info_text(pub):
     account.store()
     app2 = login(get_app(pub), username='foobar', password='foobar')
     resp = app2.get('/backoffice/management/form-title/%s/' % number31.id)
-    assert 'Be warned this form is also being' in resp.body
+    assert 'Be warned forms of this user are also being looked' in resp.body
     assert not 'backoffice-description' in resp.body
     assert not 'CLICK ME!' in resp.body
     assert not 'CLICK ME2!' in resp.body
@@ -2514,24 +2514,24 @@ def test_backoffice_advisory_lock(pub):
         assert not 'advisory-lock' in resp.body
 
     resp = app.get('/backoffice/management/form-title/' + first_link)
-    assert not 'Be warned this form is also being' in resp.body
+    assert not 'Be warned forms of this user are also being looked' in resp.body
     assert 'button_commentable' in resp.body
     assert len(resp.forms) == 1
     resp = app2.get('/backoffice/management/form-title/' + first_link)
-    assert 'Be warned this form is also being' in resp.body
+    assert 'Be warned forms of this user are also being looked' in resp.body
     assert not 'button_commentable' in resp.body
     assert len(resp.forms) == 0
     # revisit with first user, no change
     resp = app.get('/backoffice/management/form-title/' + first_link)
-    assert not 'Be warned this form is also being' in resp.body
+    assert not 'Be warned forms of this user are also being looked' in resp.body
     assert 'button_commentable' in resp.body
     # back to second
     resp = app2.get('/backoffice/management/form-title/' + first_link)
-    assert 'Be warned this form is also being' in resp.body
+    assert 'Be warned forms of this user are also being looked' in resp.body
     assert not 'button_commentable' in resp.body
     resp = resp.click('(unlock actions)')
     resp = resp.follow()
-    assert 'Be warned this form is also being' in resp.body
+    assert 'Be warned forms of this user are also being looked' in resp.body
     assert 'button_commentable' in resp.body
     assert not '(unlock actions)' in resp.body
     assert len(resp.forms) == 1
@@ -2549,6 +2549,71 @@ def test_backoffice_advisory_lock(pub):
     assert not 'advisory-lock' in app2.get('/backoffice/management/form-title/')
     assert 'advisory-lock' in app.get('/backoffice/management/form-title/')
 
+def test_backoffice_advisory_lock_related_formdatas(pub):
+    if not pub.is_using_postgresql():
+        pytest.skip('this requires SQL')
+        return
+    pub.session_manager.session_class.wipe()
+    user = create_superuser(pub)
+    create_environment(pub)
+
+    formdef = FormDef.get_by_urlname('form-title')
+    formdatas = formdef.data_class().select(lambda x: x.status == 'wf-new')
+
+    second_user = pub.user_class(name='foobar')
+    second_user.roles = Role.keys()
+    second_user.store()
+    account = PasswordAccount(id='foobar')
+    account.set_password('foobar')
+    account.user_id = second_user.id
+    account.store()
+
+    third_user = pub.user_class(name='user')
+    third_user.store()
+
+    for formdata in formdatas[:2]:
+        formdata.user_id = third_user.id
+        formdata.store()
+
+    second_formdef = FormDef.get_by_urlname('other-form')
+    second_formdef.workflow_roles = {}
+    second_formdef.store()
+    other_formdatas = second_formdef.data_class().select(lambda x: x.status == 'wf-new')
+    other_formdatas[0].user_id = third_user.id
+    other_formdatas[0].store()
+
+    app = login(get_app(pub))
+    resp = app.get('/backoffice/management/form-title/%s/' % formdatas[0].id)
+    assert not 'Be warned forms of this user are also being looked' in resp.body
+
+    app2 = login(get_app(pub), username='foobar', password='foobar')
+    resp2 = app2.get('/backoffice/management/form-title/%s/' % formdatas[0].id)
+    assert 'Be warned forms of this user are also being looked' in resp2.body
+
+    # another by the same user
+    resp2 = app2.get('/backoffice/management/form-title/%s/' % formdatas[1].id)
+    assert 'Be warned forms of this user are also being looked' in resp2.body
+
+    # another by another user
+    resp2 = app2.get('/backoffice/management/form-title/%s/' % formdatas[3].id)
+    assert not 'Be warned forms of this user are also being looked' in resp2.body
+
+    # check another formdef is only marked as visited if the user has potential
+    # actions on it.
+    session = pub.session_manager.session_class.select(lambda x: x.user == user.id)[0]
+    second_formdef.workflow_roles = {'_receiver': 1}
+    second_formdef.store()
+    other_formdata = second_formdef.data_class().get(other_formdatas[0].id)
+    other_formdata.store() # update concerned_roles
+
+    assert not 'formdata-other-form-%d' % other_formdata.id in session.visiting_objects.keys()
+    session.visiting_objects = {}
+    session.store()
+
+    resp = app.get('/backoffice/management/form-title/%s/' % formdatas[0].id)
+    session = pub.session_manager.session_class.select(lambda x: x.user == user.id)[0]
+    assert 'formdata-other-form-%d' % other_formdata.id in session.visiting_objects.keys()
+
 def test_backoffice_resubmit(pub):
     user = create_user(pub)
     create_environment(pub)
diff --git a/wcs/backoffice/management.py b/wcs/backoffice/management.py
index 06e85cf..4aa8c4e 100644
--- a/wcs/backoffice/management.py
+++ b/wcs/backoffice/management.py
@@ -1908,6 +1908,7 @@ class FormBackOfficeStatusPage(FormStatusPage):
                         ]
             from wcs import sql
             formdatas = sql.AnyFormData.select(criterias, order_by='receipt_time')
+            self.filled.related_user_forms = formdatas
 
             if formdatas:
                 r += htmltext('<div class="user-pending-forms">')
diff --git a/wcs/formdata.py b/wcs/formdata.py
index 6743278..a1bf678 100644
--- a/wcs/formdata.py
+++ b/wcs/formdata.py
@@ -788,6 +788,10 @@ class FormData(StorableObject):
                 cls=qommon.misc.JSONEncoder,
                 encoding=get_publisher().site_charset)
 
+    def mark_as_being_visited(self):
+        object_key = 'formdata-%s-%s' % (self.formdef.url_name, self.id)
+        get_session().mark_visited_object(object_key)
+
     def feed_session(self):
         # this gives a chance to fields to initialize things that would rely on
         # current data ahead of times
diff --git a/wcs/forms/common.py b/wcs/forms/common.py
index cde0a10..a90d483 100644
--- a/wcs/forms/common.py
+++ b/wcs/forms/common.py
@@ -527,7 +527,7 @@ class FormStatusPage(Directory):
         if get_request().get_query() == 'unlock':
             # mark user as active visitor of the object, then redirect to self,
             # the unlocked form will appear.
-            get_session().mark_visited_object(object_key)
+            self.filled.mark_as_being_visited()
             return redirect('./#lock-notice')
 
         user = self.check_receiver()
@@ -594,7 +594,7 @@ class FormStatusPage(Directory):
                     visitor_users.append('%s (%s)' % (visitor_name, time_ago))
                 if visitor_users:
                     r += htmltext('<div id="lock-notice" class="infonotice"><p>')
-                    r += _('Be warned this form is also being looked at by: '
+                    r += _('Be warned forms of this user are also being looked at by: '
                            '%s.') % ', '.join(visitor_users)
                     r += ' '
                     r += htmltext('</p>')
@@ -605,7 +605,12 @@ class FormStatusPage(Directory):
                     r += htmltext('</div>')
             if not visitors or me_in_visitors:
                 r += form.render()
-                get_session().mark_visited_object(object_key)
+                self.filled.mark_as_being_visited()
+                related_user_forms = getattr(self.filled, 'related_user_forms', None) or []
+                for user_formdata in related_user_forms:
+                    other_form = user_formdata.get_workflow_form(user)
+                    if other_form:
+                        user_formdata.mark_as_being_visited()
 
         if not locked:
             if (self.filled.get_status() and self.filled.get_status().backoffice_info_text) or (
@@ -740,8 +745,7 @@ class FormStatusPage(Directory):
             f.edited_data = self.filled
             f.edit_action_id = action_id
             f.action_url = 'wfedit-%s' % action_id
-            get_session().mark_visited_object('formdata-%s-%s' % (
-                self.formdef.url_name, self.filled.id))
+            self.filled.mark_as_being_visited()
             get_response().breadcrumb = get_response().breadcrumb[:-1]
             get_response().breadcrumb.append((f.action_url, _('Edit')))
             return f._q_index()
-- 
2.9.3