From d888abdd20f12336d337cef91a232920b756c0e2 Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne <bdauvergne@entrouvert.com>
Date: Mon, 22 Feb 2021 12:57:20 +0100
Subject: [PATCH 1/3] formdef: forbid use of data_class() on lightweight
 formdef (#51327)

---
 wcs/api.py                   | 2 +-
 wcs/backoffice/management.py | 2 +-
 wcs/formdef.py               | 7 +++++--
 3 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/wcs/api.py b/wcs/api.py
index 6e336c6f..e62eb8f9 100644
--- a/wcs/api.py
+++ b/wcs/api.py
@@ -685,7 +685,7 @@ class ApiFormdefsDirectory(Directory):
                     )
                 else:
                     # naive count
-                    count = formdef.data_class().count()
+                    count = formdef.data_class(lightweight=True).count()
                 formdict['count'] = count
 
             formdict['functions'] = {}
diff --git a/wcs/backoffice/management.py b/wcs/backoffice/management.py
index e1cfd458..76cdc756 100644
--- a/wcs/backoffice/management.py
+++ b/wcs/backoffice/management.py
@@ -508,7 +508,7 @@ class ManagementDirectory(Directory):
                 count_forms = total_counts.get(formdef.id) or 0
                 waiting_forms_count = actionable_counts.get(formdef.id) or 0
             else:
-                formdef_data_class = formdef.data_class()
+                formdef_data_class = formdef.data_class(lightweight=True)
                 count_forms = formdef_data_class.count() - len(
                     formdef_data_class.get_ids_with_indexed_value('status', 'draft')
                 )
diff --git a/wcs/formdef.py b/wcs/formdef.py
index c339b5be..880785c9 100644
--- a/wcs/formdef.py
+++ b/wcs/formdef.py
@@ -287,7 +287,10 @@ class FormDef(StorableObject):
     def data_class_name(self):
         return '_wcs_%s' % self.url_name.title()
 
-    def data_class(self, mode=None):
+    def data_class(self, mode=None, lightweight=False):
+        if getattr(self, 'fields', None) is Ellipsis and not lightweight:
+            raise RuntimeError('accessing data from a lightweight object is not allowed')
+
         if not 'formdef' in sys.modules:
             sys.modules['formdef'] = sys.modules[__name__]
         if hasattr(sys.modules['formdef'], self.data_class_name):
@@ -1403,7 +1406,7 @@ class FormDef(StorableObject):
         # if no formdata was given, lookup if there are some existing formdata
         # where the user has access.
         if not formdata:
-            data_class = self.data_class()
+            data_class = self.data_class(lightweight=True)
             for role_id in user.get_roles():
                 if data_class.get_ids_with_indexed_value('workflow_roles', role_id):
                     return True
-- 
2.30.0