From f21ac2d20764213489732d3b2f9006e06b6132f6 Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Sun, 6 Dec 2015 14:40:42 +0100
Subject: [PATCH 3/4] api: move check_access() out of ApiFormPage.__init__ (#9146)

check_access() is alrady called on entry to FormPage.json() so to cover the same paths as before we just need to add it to _q_lookup.
---
 wcs/api.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/wcs/api.py b/wcs/api.py
index c70dee7..7412435 100644
--- a/wcs/api.py
+++ b/wcs/api.py
@@ -163,9 +163,6 @@ class ApiFormPage(BackofficeFormPage):
 self.formdef = FormDef.get_by_urlname(component)
 except KeyError:
 raise TraversalError()
- # check access for all paths, to block access to formdata that would
- # otherwise be accessible if the user is the submitter.
- self.check_access()

 def check_access(self):
 api_user = get_user_from_api_query_string()
@@ -177,6 +174,9 @@ class ApiFormPage(BackofficeFormPage):
 raise AccessForbiddenError('unsufficient roles')

 def _q_lookup(self, component):
+ # check access for all paths, to block access to formdata that would
+ # otherwise be accessible if the user is the submitter.
+ self.check_access()
 try:
 formdata = self.formdef.data_class().get(component)
 except KeyError:
-- 
2.1.4
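Review bot: The comment added at the top of `_q_lookup` still says the check covers "all paths", but after this move it only guards traversal through `_q_lookup`; the constructor no longer enforces it for every request. The commit message says `FormPage.json()` already calls `check_access()`, which is not visible in this diff, and any other export that `ApiFormPage` inherits from `BackofficeFormPage` would now have to call it itself, so that is worth confirming before merge. I would reword the comment to `# check access before any formdata lookup; json() does its own check, and any other exported path must call check_access() itself`. A test that requests each exported path as a user without the required roles and expects the forbidden error would keep a later addition from silently skipping the check. `_q_lookup` continues past the end of the hunk.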