From f14f6d6adfeb85f9be9321dcca5988ec902152a2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20P=C3=A9ters?=
Date: Thu, 9 Aug 2018 22:22:16 +0200
Subject: [PATCH] api: limit forms sent to admin when backoffice submission is requested (#25626)

---
 tests/test_api.py | 13 ++++++++++++-
 wcs/api.py | 13 +++++++------
 2 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/tests/test_api.py b/tests/test_api.py
index 066bd8de..35c0dea3 100644
--- a/tests/test_api.py
+++ b/tests/test_api.py
@@ -419,7 +419,7 @@ def test_formdef_list_redirection(pub):
     assert resp1.json['data'][0]['redirection'] == True
     assert 'count' not in resp1.json['data'][0]
 
-def test_backoffice_submission_formdef_list(pub, local_user):
+def test_backoffice_submission_formdef_list(pub, admin_user, local_user):
     Role.wipe()
     role = Role(name='Foo bar')
     role.id = '14'
@@ -433,6 +433,11 @@ def test_backoffice_submission_formdef_list(pub, local_user):
     formdef.fields = []
     formdef.store()
 
+    formdef2 = FormDef()
+    formdef2.name = 'ignore me'
+    formdef2.fields = []
+    formdef2.store()
+
     resp = get_app(pub).get('/api/formdefs/?backoffice-submission=on')
     assert resp.json['err'] == 0
     assert len(resp.json['data']) == 0
@@ -451,6 +456,12 @@ def test_backoffice_submission_formdef_list(pub, local_user):
     assert resp.json['err'] == 0
     assert len(resp.json['data']) == 0
 
+    # ... unless user is admin
+    resp = get_app(pub).get(sign_uri('/api/formdefs/?backoffice-submission=on&NameID=%s' %
+        admin_user.name_identifiers[0]))
+    assert resp.json['err'] == 0
+    assert len(resp.json['data']) == 1
+
     # ... unless user has correct roles
     local_user.roles = [role.id]
     local_user.store()
diff --git a/wcs/api.py b/wcs/api.py
index 71320e9a..b12cbeb0 100644
--- a/wcs/api.py
+++ b/wcs/api.py
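Review bot: The new admin check at the end of the third hunk asserts only `assert len(resp.json['data']) == 1`, so it would still pass if the single entry returned were `formdef2` ('ignore me') rather than the formdef that carries backoffice submission roles, which is the distinction the commit is meant to enforce. Asserting on the identity of the returned entry (the title or slug key this file already reads from `resp.json['data'][0]` elsewhere) would pin the intended filtering rather than the count alone. `test_backoffice_submission_formdef_list` continues outside the hunk.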
@@ -388,14 +388,15 @@ class ApiFormdefsDirectory(Directory):
                 if not formdef.always_advertise:
                     continue
                 authentication_required = True
-            elif backoffice_submission and not list_all_forms:
+            elif backoffice_submission:
                 if not formdef.backoffice_submission_roles:
                     continue
-                for role in user.roles or []:
-                    if role in formdef.backoffice_submission_roles:
-                        break
-                else:
-                    continue
+                if list_all_forms:
+                    for role in user.roles or []:
+                        if role in formdef.backoffice_submission_roles:
+                            break
+                    else:
+                        continue
             elif formdef.roles and user is None and list_all_forms:
                 # anonymous API call, mark authentication as required
                 authentication_required = True
--
2.18.0
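Review bot: The new `if list_all_forms:` branch reads `user.roles` without a `user is None` guard, while the `elif` immediately after it treats `user is None and list_all_forms` as a reachable state; a request in that state with `backoffice-submission` set, reaching a formdef that has `backoffice_submission_roles`, would raise AttributeError instead of skipping the formdef. A guard before the loop, `if user is None: continue`, keeps the skip semantics explicit. The role check is also now gated on `list_all_forms` where the removed `elif` ran it on `not list_all_forms`; if the `not list_all_forms` path can still reach this branch with a non-admin user, that user is no longer required to hold a matching role, so a one-line comment stating which request state `list_all_forms` represents here, and why that case needs no role check, would make the intent reviewable. The enclosing loop and method start before the hunk.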