From 29595139bca12fa871c4ffeeba16acba320f772b Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne <bdauvergne@entrouvert.com>
Date: Fri, 30 Sep 2016 13:54:55 +0200
Subject: [PATCH] api: return 404 on access to an unknown formdef (#13379)

---
 tests/test_api.py | 3 +++
 wcs/api.py        | 6 +++++-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/tests/test_api.py b/tests/test_api.py
index e463b0c..7afe5ea 100644
--- a/tests/test_api.py
+++ b/tests/test_api.py
@@ -391,6 +391,9 @@ def test_formdef_schema(pub):
     assert len(resp.json['workflow']['fields']) == 1
     assert resp.json['workflow']['fields'][0]['label'] == '1st backoffice field'
 
+    get_app(pub).get('/api/formdefs/xxx/schema', status=404)
+
+
 def test_formdef_submit(pub, local_user):
     Role.wipe()
     role = Role(name='test')
diff --git a/wcs/api.py b/wcs/api.py
index db83469..9a64a87 100644
--- a/wcs/api.py
+++ b/wcs/api.py
@@ -341,7 +341,11 @@ class ApiFormdefsDirectory(Directory):
         return json.dumps(list_forms)
 
     def _q_lookup(self, component):
-        return ApiFormdefDirectory(FormDef.get_by_urlname(component))
+        try:
+            formdef = FormDef.get_by_urlname(component)
+        except KeyError:
+            raise TraversalError()
+        return ApiFormdefDirectory(formdef)
 
 
 class ApiCategoryDirectory(Directory):
-- 
2.1.4