From de812bcf6e79dd3d8a54751e680117931c253ed2 Mon Sep 17 00:00:00 2001 From: Valentin Deniaud Date: Tue, 9 Jun 2020 15:11:01 +0200 Subject: [PATCH 1/2] base: add confirmation when adding open access right (#42123) --- passerelle/base/forms.py | 14 ++++++++++++++ passerelle/base/views.py | 6 ++++++ tests/test_manager.py | 31 +++++++++++++++++++++++++++++++ 3 files changed, 51 insertions(+) diff --git a/passerelle/base/forms.py b/passerelle/base/forms.py index be10bcce..3c16c939 100644 --- a/passerelle/base/forms.py +++ b/passerelle/base/forms.py @@ -11,6 +11,9 @@ class ApiUserForm(forms.ModelForm): class AccessRightForm(forms.ModelForm): + confirm_open_access = forms.BooleanField(label=_('Allow open access'), required=False, + widget=forms.HiddenInput()) + class Meta: model = AccessRight exclude = [] @@ -20,6 +23,17 @@ class AccessRightForm(forms.ModelForm): 'resource_pk': forms.HiddenInput(), } + def add_confirmation_checkbox(self): + self.add_error(None, _('Selected user has no security.')) + self.add_error('confirm_open_access', + _('Check this box if you are sure you want to allow unauthenticated access to ' + 'endpoints. Otherwise, select a different API User.')) + self.fields['confirm_open_access'].widget = forms.CheckboxInput() + + @property + def allow_open_access(self): + return self.cleaned_data['confirm_open_access'] + class AvailabilityParametersForm(forms.ModelForm): class Meta: diff --git a/passerelle/base/views.py b/passerelle/base/views.py index 4e7c6812..7b06a489 100644 --- a/passerelle/base/views.py +++ b/passerelle/base/views.py 
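Review bot: In the second forms.py hunk, `allow_open_access` reads `self.cleaned_data['confirm_open_access']` with no guard, so it is only valid after `is_valid()`/`full_clean()` has run, and once `add_confirmation_checkbox()` has called `add_error('confirm_open_access', …)` Django drops that key from `cleaned_data`, so reading the property afterwards raises KeyError; the view must read the property before attaching the errors, and that ordering contract deserves a docstring. Suggested docstring for the property: `"""Whether the submitter ticked the open-access opt-in; read only after validation and before add_confirmation_checkbox()."""`, and for the method: `"""Attach the no-security warning and turn the hidden confirm_open_access input into a visible checkbox so the user can re-submit with an explicit opt-in."""`. Since `confirm_open_access` is a client-submitted boolean, the property is only an opt-in signal, not evidence that the selected user lacks a key; the server-side key check stays the actual control.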
@@ -125,6 +125,12 @@ class AccessRightCreateView(CreateView): d['resource_pk'] = self.kwargs.get('resource_pk') return d + def form_valid(self, form): + if not form.cleaned_data['apiuser'].key and not form.allow_open_access: + form.add_confirmation_checkbox() + return self.form_invalid(form) + return super(AccessRightCreateView, self).form_valid(form) + def get_success_url(self): return self.object.resource.get_absolute_url() diff --git a/tests/test_manager.py b/tests/test_manager.py index 9a039fa0..771b79c6 100644 --- a/tests/test_manager.py +++ b/tests/test_manager.py @@ -459,3 +459,34 @@ def test_manager_import_export(app, admin_user): resp = resp.form.submit().follow() assert ApiUser.objects.filter(username='public').exists() assert AccessRight.objects.filter(codename='can_access').exists() + + +def test_manager_add_open_access_warning(app, admin_user): + csv = CsvDataSource.objects.create(csv_file=File(StringIO('1;t\n'), 't.csv'), slug='t', title='t') + private = ApiUser.objects.create(username='private', fullname='private', keytype='', key='xxx') + public = ApiUser.objects.create(username='public', fullname='private', keytype='', key='') + assert AccessRight.objects.count() == 0 + + # adding private api user works + app = login(app) + resp = app.get(csv.get_absolute_url()) + resp = resp.click('Add') + resp.form['apiuser'] = private.pk + resp = resp.form.submit().follow() + assert AccessRight.objects.count() == 1 + + # adding public user displays a warning + resp = resp.click('Add') + resp.form['apiuser'] = public.pk + resp = resp.form.submit() + assert AccessRight.objects.count() == 1 + assert 'user has no security' in resp.text + + resp = resp.form.submit() + assert AccessRight.objects.count() == 1 + assert 'user has no security' in resp.text + + # user has to check a box to procceed + resp.form['confirm_open_access'] = True + resp.form.submit().follow() + assert AccessRight.objects.count() == 2 -- 2.20.1
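Review bot: The opt-in check in `form_valid` keys only on `form.cleaned_data['apiuser'].key` being empty and lives solely in `AccessRightCreateView`; if an access right can be created or re-pointed to another API user through any other path (an update view or the admin), that path skips the confirmation, which is worth confirming. A why-comment would help the next reader: `# an API user without a key means anyone can call the endpoints; require an explicit opt-in`. `super(AccessRightCreateView, self).form_valid(form)` can be the plain `super().form_valid(form)` if the module is Python 3 only. The enclosing class continues outside the hunk.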
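Review bot: The last assertion in `test_manager_add_open_access_warning` only counts rows, so it would also pass if the confirmed submit created a right for the wrong user; add `assert AccessRight.objects.filter(apiuser=public).exists()` after the final `resp.form.submit().follow()`. The public user is created with `fullname='private'`, which looks like a copy-paste slip, and `procceed` in the last comment is a typo. It would also be worth asserting that the first, private-user submit never rendered the warning, so the test pins that the checkbox is only demanded on the open-access path.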