From 4214e6184a673861f9bd3be23f5d618ce58bd4c0 Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Wed, 9 Jan 2019 13:12:04 +0100
Subject: [PATCH 2/2] api: check status visibility with get_user_from_api_query_string() (fixes #29588)
---
 wcs/api.py | 2 +-
 wcs/backoffice/management.py | 2 +-
 wcs/formdata.py | 12 ++++++------
 3 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/wcs/api.py b/wcs/api.py
index 7ee43baf..a0dc5b73 100644
--- a/wcs/api.py
+++ b/wcs/api.py
@@ -102,7 +102,7 @@ def get_formdata_dict(formdata, user, consider_status_visibility=True):
 d.update(formdata.get_static_substitution_variables(minimal=True))
 if get_request().form.get('full') == 'on':
- d.update(formdata.get_json_export_dict(include_files=False))
+ d.update(formdata.get_json_export_dict(include_files=False, user=user))
 return d
diff --git a/wcs/backoffice/management.py b/wcs/backoffice/management.py
index 1a7cefe3..2de42902 100644
--- a/wcs/backoffice/management.py
+++ b/wcs/backoffice/management.py
@@ -1626,7 +1626,7 @@ class FormPage(Directory):
 if get_publisher().is_using_postgresql():
 self.formdef.data_class().load_all_evolutions(items)
 if get_request().form.get('full') == 'on':
- output = [filled.get_json_export_dict(include_files=False, anonymise=anonymise)
+ output = [filled.get_json_export_dict(include_files=False, anonymise=anonymise, user=user)
 for filled in items]
 else:
 output = [{'id': filled.id,
diff --git a/wcs/formdata.py b/wcs/formdata.py
index 3b6b691a..94f1db51 100644
--- a/wcs/formdata.py
+++ b/wcs/formdata.py
@@ -230,10 +230,10 @@ class Evolution(object):
 status = self.get_status()
 return status.name if status else _('Unknown')
- def is_hidden(self):
+ def is_hidden(self, user=None):
 status = self.get_status()
 if status:
- return not status.is_visible(self.formdata, get_request().user)
+ return not status.is_visible(self.formdata, user or get_request().user)
 return True
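Review bot: `user=user` in the `full=on` branch relies on a `user` name bound earlier in this `FormPage` method, which starts outside the hunk, so the patch itself does not show which principal is being passed. Going by the subject line it should be the result of `get_user_from_api_query_string()`, and it needs to be assigned on every path that reaches this comprehension. A short comment above the comprehension, e.g. `# user: API caller resolved from the query string; decides which statuses are visible`, would make that reviewable in place.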
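Review bot: `user or get_request().user` in `Evolution.is_hidden` cannot tell "no user argument" apart from "the API lookup resolved to no user". A `None` passed in by an API caller falls back to whatever `get_request().user` holds, so the visibility decision may be made for a different principal than the one the request was made for. If a caller without a resolved user is possible, use a distinct default value so that an explicit `None` is honoured. At the least write `user if user is not None else get_request().user`, so the fallback does not depend on the truthiness of the user object. The same `user=None` default is threaded through `get_visible_evolution_parts` and `get_json_export_dict` in the later hunks of this file.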
@@ -509,11 +509,11 @@ class FormData(StorableObject):
 return wf_status
 return None
- def get_visible_evolution_parts(self):
+ def get_visible_evolution_parts(self, user=None):
 last_seen_status = None
 last_seen_author = None
 for evolution_part in self.evolution or []:
- if evolution_part.is_hidden():
+ if evolution_part.is_hidden(user=user):
 continue
 if (evolution_part.status is None or last_seen_status == evolution_part.status) and (
 evolution_part.who is None or last_seen_author == evolution_part.who):
@@ -942,7 +942,7 @@ class FormData(StorableObject):
 'name': self.formdef.name,
 'id': self.get_display_id()}
- def get_json_export_dict(self, include_files=True, anonymise=False):
+ def get_json_export_dict(self, include_files=True, anonymise=False, user=None):
 data = {}
 data['id'] = '%s/%s' % (self.formdef.url_name, self.id)
 data['display_id'] = self.get_display_id()
@@ -964,7 +964,7 @@ class FormData(StorableObject):
 include_files=include_files, anonymise=anonymise)
 data['workflow'] = {}
- wf_status = self.get_visible_status()
+ wf_status = self.get_visible_status(user)
 if wf_status:
 data['workflow']['status'] = {'id': wf_status.id, 'name': wf_status.name}
 # Workflow data have unknown purpose, do not store them in anonymised export
-- 
2.20.1
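Review bot: No hunk in this patch shows a caller passing `user` to `get_visible_evolution_parts`, so the new parameter only takes effect if a call site elsewhere forwards it. `get_json_export_dict`, changed further down, forwards `user` to `get_visible_status` only. If the evolution part of that export, which lies outside the hunks, goes through this method or through `is_hidden()`, that call needs `user=user` as well; otherwise hidden statuses there are still evaluated against `get_request().user`. The method would also benefit from a one-line docstring saying that it skips evolution parts whose status is hidden from `user`, defaulting to the request user; its body continues past the end of the hunk.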
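Review bot: `self.get_visible_status(user)` passes the user positionally to a method whose signature is not part of this patch, while the other new call in this file is written `is_hidden(user=user)`. If the parameter is indeed named `user`, `wf_status = self.get_visible_status(user=user)` would be consistent and would not break silently should another parameter be added ahead of it. The `get_json_export_dict` docstring should state that `user` is the principal whose status-visibility rules are applied to the `workflow` section, and how that interacts with `anonymise=True`. Unless patch 1/2 already covers it, a regression test that exports a formdata whose current status is hidden from the API user would pin the fix for #29588; none of the three files touched here is a test. The function body continues outside the hunk.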