From fd3b296a53694a6e0bdf3707481f2711f5d49043 Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Wed, 9 Jan 2019 13:12:04 +0100
Subject: [PATCH] api: check status visibility against authenticated API user (#29588)
* thread user through get_json_export_dict() and get_visible_status()
* modify test_api_list_formdata to get forms with the just_submitted status.
---
tests/test_api.py | 7 +++++--
wcs/api.py | 2 +-
wcs/backoffice/management.py | 2 +-
wcs/formdata.py | 12 ++++++------
4 files changed, 13 insertions(+), 10 deletions(-)
diff --git a/tests/test_api.py b/tests/test_api.py
index e5c2386b..6fa75af7 100644
--- a/tests/test_api.py
+++ b/tests/test_api.py
@@ -1480,6 +1480,8 @@ def test_api_list_formdata(pub, local_user):
 formdata.just_created()
 if i%3 == 0:
 formdata.jump_status('new')
+ elif i%3 == 1:
+ formdata.jump_status('just_submitted')
 else:
 formdata.jump_status('finished')
 if i%7 == 0:
@@ -1514,6 +1516,7 @@ def test_api_list_formdata(pub, local_user): assert 'time' in resp.json[0]['evolution'][0] assert resp.json[0]['evolution'][0]['who']['id'] == local_user.id + assert all('status' in x['workflow'] for x in resp.json) assert [x for x in resp.json if x['fields']['foobar'] == 'FOO BAR 0'][0]['submission']['backoffice'] is True assert [x for x in resp.json if x['fields']['foobar'] == 'FOO BAR 0'][0]['submission']['channel'] == 'mail' assert [x for x in resp.json if x['fields']['foobar'] == 'FOO BAR 1'][0]['submission']['backoffice'] is False 
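Review bot: The assertion added at `assert all('status' in x['workflow'] for x in resp.json)` only pins the positive case: the listing is signed for local_user and every status is expected to be visible to that user, so nothing in test_api_list_formdata exercises the path this commit introduces, where the authenticated API user lacks visibility on a status and the `status` key must be omitted. A second listing request signed for a user without visibility on 'just_submitted', asserting `'status' not in x['workflow']` for those entries, would catch a regression back to evaluating the request user. Whether 'just_submitted' is hidden from such a user in this fixture is not visible in the hunk. test_api_list_formdata continues outside the hunk.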
@@ -1529,9 +1532,9 @@ def test_api_list_formdata(pub, local_user): # check filter on status resp = get_app(pub).get(sign_uri('/api/forms/test/list?filter=pending', user=local_user)) - assert len(resp.json) == 10 - resp = get_app(pub).get(sign_uri('/api/forms/test/list?filter=done', user=local_user)) assert len(resp.json) == 20 + resp = get_app(pub).get(sign_uri('/api/forms/test/list?filter=done', user=local_user)) + assert len(resp.json) == 10 resp = get_app(pub).get(sign_uri('/api/forms/test/list?filter=all', user=local_user)) assert len(resp.json) == 30
diff --git a/wcs/api.py b/wcs/api.py
index 7ee43baf..a0dc5b73 100644
--- a/wcs/api.py
+++ b/wcs/api.py
@@ -102,7 +102,7 @@ def get_formdata_dict(formdata, user, consider_status_visibility=True): d.update(formdata.get_static_substitution_variables(minimal=True)) if get_request().form.get('full') == 'on': - d.update(formdata.get_json_export_dict(include_files=False)) + d.update(formdata.get_json_export_dict(include_files=False, user=user)) return d
diff --git a/wcs/backoffice/management.py b/wcs/backoffice/management.py
index d269db0a..78554fb1 100644
--- a/wcs/backoffice/management.py
+++ b/wcs/backoffice/management.py
@@ -1627,7 +1627,7 @@ class FormPage(Directory):
 if get_publisher().is_using_postgresql():
 self.formdef.data_class().load_all_evolutions(items)
 if get_request().form.get('full') == 'on':
- output = [filled.get_json_export_dict(include_files=False, anonymise=anonymise)
+ output = [filled.get_json_export_dict(include_files=False, anonymise=anonymise, user=user)
 for filled in items]
 else:
 output = [{'id': filled.id,
diff --git a/wcs/formdata.py b/wcs/formdata.py
index 0ec50b9a..6919afdb 100644
--- a/wcs/formdata.py
+++ b/wcs/formdata.py
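Review bot: `get_json_export_dict(include_files=False, user=user)` now applies status visibility to the explicit `user` regardless of the `consider_status_visibility` flag in get_formdata_dict's signature; if that flag is meant to disable the check for some callers, the `full` export still filters `workflow.status` by `user` (before this change it filtered by the request user, so this is not a regression, but the flag and the export can now disagree). Worth a line in the function docstring stating that the full export's status visibility always follows `user`, or threading the flag's effect through consistently. How consider_status_visibility is consumed is outside the hunk, as is the rest of get_formdata_dict.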
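Review bot: The new `user=user` keyword on the rewritten `output = [...]` line relies on a `user` name bound earlier in this FormPage method, which is outside the hunk; if it is the backoffice session user rather than the authenticated API user, the full export's status visibility now follows the backoffice session, which is presumably intended for this listing but worth confirming against the commit's purpose. A short comment above the line, `# status visibility in the full export is evaluated for this user`, would make the binding explicit. The enclosing method starts and ends outside the hunk.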
@@ -230,10 +230,10 @@ class Evolution(object): status = self.get_status() return status.name if status else _('Unknown') - def is_hidden(self): + def is_hidden(self, user=None): status = self.get_status() if status: - return not status.is_visible(self.formdata, get_request().user) + return not status.is_visible(self.formdata, user or get_request().user) return True
@@ -509,11 +509,11 @@ class FormData(StorableObject): return wf_status return None - def get_visible_evolution_parts(self): + def get_visible_evolution_parts(self, user=None): last_seen_status = None last_seen_author = None for evolution_part in self.evolution or []: - if evolution_part.is_hidden(): + if evolution_part.is_hidden(user=user): continue if (evolution_part.status is None or last_seen_status == evolution_part.status) and ( evolution_part.who is None or last_seen_author == evolution_part.who):
@@ -944,7 +944,7 @@ class FormData(StorableObject): 'name': self.formdef.name, 'id': self.get_display_id()} - def get_json_export_dict(self, include_files=True, anonymise=False): + def get_json_export_dict(self, include_files=True, anonymise=False, user=None): data = {} data['id'] = str(self.id) data['display_id'] = self.get_display_id()
@@ -966,7 +966,7 @@ class FormData(StorableObject): include_files=include_files, anonymise=anonymise) data['workflow'] = {} - wf_status = self.get_visible_status() + wf_status = self.get_visible_status(user) if wf_status: data['workflow']['status'] = {'id': wf_status.id, 'name': wf_status.name} # Workflow data have unknown purpose, do not store them in anonymised export
-- 
2.20.1
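Review bot: `user or get_request().user` in the new is_hidden() treats an explicit `user=None` as "fall back to the request user", while the `self.get_visible_status(user)` call in the @@ -966 hunk passes the same `None` straight through; if get_visible_status treats None as an anonymous viewer (its body is not in this patch, and its signature is unchanged here although the commit message names it), the `status` key and the evolution parts of one export are evaluated for two different viewers, and the visibility decision for a caller that passes no user silently depends on request state. A sentinel default keeps "not given" and "anonymous" apart: a module-level `_UNSET = object()`, `def is_hidden(self, user=_UNSET):` and `if user is _UNSET: user = get_request().user` before the is_visible() call, with the same default on get_visible_evolution_parts and get_json_export_dict so the @@ -509 and @@ -944 hunks agree. Also worth confirming that get_visible_status accepts a positional user argument, since the @@ -966 call otherwise raises TypeError at export time. Both Evolution and FormData continue outside the hunks.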