From 2dea16ab80f3a52a05991dd893401dc86112a66f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20P=C3=A9ters?=
Date: Fri, 5 Jul 2013 13:19:53 +0200
Subject: [PATCH] forms: redirect to safe page if workflow action makes page forbidden (#3213)
---
 wcs/forms/common.ptl | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/wcs/forms/common.ptl b/wcs/forms/common.ptl
index 14160fc..b2b8b25 100644
--- a/wcs/forms/common.ptl
+++ b/wcs/forms/common.ptl
@@ -417,7 +417,6 @@ class FormStatusPage(Directory):
 '%s' % _('Back to Listing')
-
 def submit(self, form, comment_only = False):
 status = None
 current_status = self.filled.status
@@ -430,6 +429,21 @@ class FormStatusPage(Directory):
 if current_status != self.filled.status:
 get_logger().info('form %s - id: %s - status -> %s' % (
 self.formdef.name, self.filled.id, self.filled.status))
+ try:
+ self.check_auth()
+ except errors.AccessError:
+ # the user no longer has access to the form; redirect to a
+ # different page
+ if 'backoffice/' in [x[0] for x in get_response().breadcrumb]:
+ user = get_request().user
+ if user and (user.is_admin or self.formdef.is_of_concern_for_user(user)):
+ # user has access to the formdef, redirect to the
+ # listing.
+ return '..'
+ else:
+ return get_publisher().get_backoffice_url()
+ else:
+ return get_publisher().get_root_url()
 def download(self):
 self.check_receiver()
-- 
1.8.3.2
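Review bot: In the second hunk, the test `'backoffice/' in [x[0] for x in get_response().breadcrumb]` inside the new `except errors.AccessError:` branch picks the redirect target from presentation state. If some path into `submit` leaves the breadcrumb unpopulated, a backoffice agent would land on the public root URL with no indication why. I would put a comment above it, `# breadcrumb is the only marker of a backoffice request here; keep in sync with the backoffice breadcrumb entry`. The inner test deserves one too, `# only chooses the landing page; the listing must still enforce its own access check`, because `user.is_admin or self.formdef.is_of_concern_for_user(user)` appears to restate an access rule that is defined elsewhere. The branch also leaves no audit trace, so a line such as `get_logger().info('form %s - id: %s - access lost after status change' % (self.formdef.name, self.filled.id))` would record when a workflow action removes the acting user's access; `submit` begins outside this hunk, so how callers use the returned URL is not visible here.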