From 19b51f2dda127113489cd785a2257dfe2bc89851 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20P=C3=A9ters?=
Date: Thu, 9 Aug 2018 22:22:16 +0200
Subject: [PATCH] api: limit forms sent to admin when backoffice submission is requested (#25626)

---
 tests/test_api.py | 15 +++++++++++++++
 wcs/api.py | 13 +++++++------
 2 files changed, 22 insertions(+), 6 deletions(-)

diff --git a/tests/test_api.py b/tests/test_api.py
index aed27429..14680d17 100644
--- a/tests/test_api.py
+++ b/tests/test_api.py
@@ -433,6 +433,11 @@ def test_backoffice_submission_formdef_list(pub, local_user):
     formdef.fields = []
     formdef.store()
 
+    formdef2 = FormDef()
+    formdef2.name = 'ignore me'
+    formdef2.fields = []
+    formdef2.store()
+
     resp = get_app(pub).get('/api/formdefs/?backoffice-submission=on')
     assert resp.json['err'] == 0
     assert len(resp.json['data']) == 0
@@ -451,6 +456,16 @@ def test_backoffice_submission_formdef_list(pub, local_user):
     assert resp.json['err'] == 0
     assert len(resp.json['data']) == 0
 
+    # ... unless user is admin
+    local_user.is_admin = True
+    local_user.store()
+    resp = get_app(pub).get(sign_uri('/api/formdefs/?backoffice-submission=on&NameID=%s' %
+        local_user.name_identifiers[0]))
+    assert resp.json['err'] == 0
+    assert len(resp.json['data']) == 1
+    local_user.is_admin = False
+    local_user.store()
+
     # ... unless user has correct roles
     local_user.roles = [role.id]
     local_user.store()
diff --git a/wcs/api.py b/wcs/api.py
index 744e2f0e..ed0c5e46 100644
--- a/wcs/api.py
+++ b/wcs/api.py
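Review bot: `formdef2` in the first hunk matters only because it is stored without any `backoffice_submission_roles`, which is what is expected to keep it out of the admin listing asserted as `len(resp.json['data']) == 1` in the second hunk, yet nothing on the hunk records that dependency. A one-line comment above it would keep the intent from being lost by a later edit that gives it roles: `# no backoffice_submission_roles: must stay hidden even for admins (see the admin assertion below)`. Since the admin assertion only counts results, a regression that lists formdef2 would surface as an opaque off-by-one; asserting which form is returned (by name) rather than only how many would pin the behaviour the commit is adding. The enclosing test_backoffice_submission_formdef_list starts before and continues after both hunks.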
@@ -388,14 +388,15 @@ class ApiFormdefsDirectory(Directory):
                 if not formdef.always_advertise:
                     continue
                 authentication_required = True
-            elif backoffice_submission and not list_all_forms:
+            elif backoffice_submission:
                 if not formdef.backoffice_submission_roles:
                     continue
-                for role in user.roles or []:
-                    if role in formdef.backoffice_submission_roles:
-                        break
-                else:
-                    continue
+                if not list_all_forms:
+                    for role in user.roles or []:
+                        if role in formdef.backoffice_submission_roles:
+                            break
+                    else:
+                        continue
             elif formdef.roles and user is None and list_all_forms:
                 # anonymous API call, mark authentication as required
                 authentication_required = True
-- 
2.18.0
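Review bot: The new `if not list_all_forms:` branch still dereferences `user.roles` without checking that `user` is set, while the sibling `elif` three lines below explicitly handles `user is None`; if an unauthenticated backoffice-submission request can reach this loop with a form whose `backoffice_submission_roles` are configured, the request fails with AttributeError instead of the form being skipped (the removed code had the same gap, and any guard earlier in the method lies outside the hunk, so this is inferred rather than confirmed). A null-safe form of the role check is `if not list_all_forms:` / `if user is None or not any(r in formdef.backoffice_submission_roles for r in (user.roles or [])):` / `continue`. The admin bypass also deserves a comment at the new `if not list_all_forms:` line, because `list_all_forms` is computed outside the hunk and now carries an authorization rule: `# admin (list_all_forms): skip the role check, but forms without backoffice submission roles stay hidden`. The enclosing method of ApiFormdefsDirectory starts and ends outside the hunk.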