From 46cd12c16a073477f6b5617040b46ee6157087dd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20P=C3=A9ters?=
Date: Thu, 14 Jun 2018 10:29:00 +0200
Subject: [PATCH] api: mark restricted formdefs as requiring authentication (#24522)

---
 tests/test_api.py | 7 +++++++
 wcs/api.py | 3 +++
 2 files changed, 10 insertions(+)

diff --git a/tests/test_api.py b/tests/test_api.py
index 9edc1a94..3a76f339 100644
--- a/tests/test_api.py
+++ b/tests/test_api.py
@@ -349,6 +349,7 @@ def test_limited_formdef_list(pub, local_user):
 resp = get_app(pub).get('/api/formdefs/')
 assert resp.json['err'] == 0
 assert len(resp.json['data']) == 1
+ assert resp.json['data'][0]['authentication_required'] is False
 # not present in backoffice-submission formdefs
 resp = get_app(pub).get('/api/formdefs/?backoffice-submission=on')
 assert resp.json['err'] == 0
@@ -379,6 +380,12 @@ def test_limited_formdef_list(pub, local_user):
 local_user.roles = []
 local_user.store()
+ # check it's also included in anonymous/signed calls, but marked for
+ # authentication
+ resp = get_app(pub).get(sign_uri('/api/formdefs/'))
+ assert resp.json['data'][0]
+ assert resp.json['data'][0]['authentication_required'] is True
+
 # check it's advertised
 formdef.always_advertise = True
 formdef.store()
diff --git a/wcs/api.py b/wcs/api.py
index 4d8a1414..54b4c326 100644
--- a/wcs/api.py
+++ b/wcs/api.py
@@ -390,6 +390,9 @@ class ApiFormdefsDirectory(Directory):
 break
 else:
 continue
+ elif formdef.roles and user is None and list_all_forms:
+ # anonymous API call, mark authentication as required
+ authentication_required = True
 formdict = {'title': unicode(formdef.name, charset),
 'slug': formdef.url_name,
-- 
2.17.1
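Review bot: The new signed-call check in the second tests/test_api.py hunk only asserts `resp.json['data'][0]` is truthy, so it would still pass if the restricted formdef were listed alongside unexpected extra entries or if the response carried a non-zero error code with partial data; the earlier hunk in the same test checks `err` and the list length, and this block should match it. Suggested lines before the `authentication_required` assertion: `assert resp.json['err'] == 0` and `assert len(resp.json['data']) == 1`. The test function `test_limited_formdef_list` starts and ends outside both hunks.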
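Review bot: The added `elif` in wcs/api.py lets a request with no user obtain the title and slug of a role-restricted formdef, gated only by `list_all_forms`, and the comment does not say that this disclosure is intentional; I would reword it to `# anonymous (signed) API call with list_all_forms: list the restricted formdef but mark it as requiring authentication`. The test drives this path through `sign_uri()`, so presumably `list_all_forms` is only true for signed requests — where it is set is outside this hunk and worth confirming, since an unsigned request reaching this branch would widen what an unauthenticated client can enumerate. The enclosing loop and the initial assignment of `authentication_required` are also outside the hunk.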