From 3ae2ca6684aa2aab4996de582754cb77f0c7dc31 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20P=C3=A9ters?=
Date: Tue, 24 Nov 2015 13:39:28 +0100
Subject: [PATCH] api: don't return all formdefs in anonymous calls (#9101)

---
 tests/test_api.py | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 wcs/api.py        |  9 +++++++--
 2 files changed, 55 insertions(+), 2 deletions(-)

diff --git a/tests/test_api.py b/tests/test_api.py
index 1feeff9..d9e9f09 100644
--- a/tests/test_api.py
+++ b/tests/test_api.py
@@ -54,6 +54,7 @@ def local_user():
     user = get_publisher().user_class()
     user.name = 'Jean Darmette'
     user.email = 'jean.darmette@triffouilis.fr'
+    user.name_identifiers = ['0123456789']
     user.store()
     return user
 
@@ -264,6 +265,53 @@ def test_formdef_list(pub):
     assert resp1.json[0]['functions']['_receiver']['role']['slug'] == role.slug
     assert resp1.json[0]['functions']['_receiver']['role']['name'] == role.name
 
+def test_limited_formdef_list(pub, local_user):
+    Role.wipe()
+    role = Role(name='Foo bar')
+    role.id = '14'
+    role.store()
+
+    FormDef.wipe()
+    formdef = FormDef()
+    formdef.name = 'test'
+    formdef.description = 'plop'
+    formdef.workflow_roles = {'_receiver': str(role.id)}
+    formdef.fields = []
+    formdef.store()
+
+    resp = get_app(pub).get('/api/formdefs/')
+    assert len(resp.json) == 1
+
+    # check it's not advertised
+    formdef.roles = [role.id]
+    formdef.store()
+    resp = get_app(pub).get('/api/formdefs/')
+    resp2 = get_app(pub).get(sign_uri('/api/formdefs/?NameID='))
+    resp3 = get_app(pub).get(sign_uri('/api/formdefs/?NameID=XXX'))
+    resp4 = get_app(pub).get(sign_uri('/api/formdefs/?NameID=%s' % local_user.name_identifiers[0]))
+    assert len(resp.json) == 0
+    assert resp.json == resp2.json == resp3.json == resp4.json
+
+    # unless user has correct roles
+    local_user.roles = [role.id]
+    local_user.store()
+    resp = get_app(pub).get(sign_uri('/api/formdefs/?NameID=%s' % local_user.name_identifiers[0]))
+    assert len(resp.json) == 1
+
+    local_user.roles = []
+    local_user.store()
+
+    # check it's advertised
+    formdef.always_advertise = True
+    formdef.store()
+    resp = get_app(pub).get('/api/formdefs/')
+    resp2 = get_app(pub).get(sign_uri('/api/formdefs/?NameID='))
+    resp3 = get_app(pub).get(sign_uri('/api/formdefs/?NameID=XXX'))
+    resp4 = get_app(pub).get(sign_uri('/api/formdefs/?NameID=%s' % local_user.name_identifiers[0]))
+    assert len(resp.json) == 1
+    assert resp.json[0]['authentication_required']
+    assert resp.json == resp2.json == resp3.json == resp4.json
+
 def test_formdef_list_redirection(pub):
     FormDef.wipe()
     formdef = FormDef()
diff --git a/wcs/api.py b/wcs/api.py
index 9c66389..a9b19b0 100644
--- a/wcs/api.py
+++ b/wcs/api.py
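Review bot: The new test drives the explicit-anonymous mapping only through `NameID=`, while the wcs/api.py change in the next hunks returns the same anonymous marker for an empty `email=` parameter, so that branch has no coverage here. Adding `resp5 = get_app(pub).get(sign_uri('/api/formdefs/?email='))` beside the `resp2` request in both the not-advertised and the advertised checks, and extending the chained equality to `== resp5.json`, would pin it. In the not-advertised block the chained equality compares four empty lists, so only `len(resp.json) == 0` really constrains it; the advertised block is the one that would catch a signed empty NameID being answered with the session user's roles. test_limited_formdef_list lies wholly within the hunk.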
@@ -80,7 +80,6 @@ def get_user_from_api_query_string():
     if not is_url_signed():
         return None
     # Signature is good. Now looking for the user, by email/NameID.
-    # If email or NameID exist but are empty, return None
     user = None
     if get_request().form.get('email'):
         email = get_request().form.get('email')
@@ -100,6 +99,10 @@ def get_user_from_api_query_string():
             user = users[0]
         else:
             raise UnknownNameIdAccessForbiddenError('unknown NameID')
+    elif 'email' in get_request().form or 'NameID' in get_request().form:
+        # email or NameID were given as empty to the query string, this maps
+        # the anonymous user case.
+        return False
     return user
 
 
@@ -323,7 +326,9 @@ class ApiFormdefsDirectory(Directory):
 
     def _q_index(self):
         try:
-            user = get_user_from_api_query_string() or get_request().user
+            user = get_user_from_api_query_string()
+            if user is None and get_request().user:
+                user = get_request().user # helps debugging
         except UnknownNameIdAccessForbiddenError:
             # if authenticating the user via the query string failed, return
             # results for the anonymous case; user is set to 'False' as a
-- 
2.6.2
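Review bot: The return contract of get_user_from_api_query_string becomes three-valued in the second hunk (a user, `None` when the signed query string names no identity, `False` for an explicit empty `email`/`NameID`), but that is only stated in the branch comment, while the `is None` test in the `_q_index` hunk is what depends on the distinction, so it belongs at the function head. Suggest a docstring along the lines of: `Return the user designated by a signed query string; None when it carries no email/NameID (callers may fall back to the session user), False when one is given empty (explicitly anonymous).` The function's signature is outside the hunk. If any other caller in this file still uses the previous `get_user_from_api_query_string() or get_request().user` form, `False` collapses into the session-user fallback there and an explicitly anonymous signed request would again be answered with that session's roles, which is worth checking before merge.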
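Review bot: The inline comment on the new fallback line in the `_q_index` hunk, `user = get_request().user # helps debugging`, explains why the fallback exists but not why the guard changed from `or` to `user is None`, which is the actual fix; PEP 8 also asks for two spaces before an inline comment. Suggest `user = get_request().user  # helps debugging; only when the query string named no identity (None), never for an explicit empty NameID/email (False)`, or the same text on its own comment line above the `if`. _q_index continues past the end of the hunk.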