api: mark restricted formdefs as requiring authentication (#24522)

2018-06-14 10:29:00 +02:00 · 2018-06-14 10:29:00 +02:00 · 055d6a29f3
parent 7ea96855b3
commit 055d6a29f3
2 changed files with 10 additions and 0 deletions
--- a/tests/test_api.py
+++ b/tests/test_api.py
@ -349,6 +349,7 @@ def test_limited_formdef_list(pub, local_user):
    resp = get_app(pub).get('/api/formdefs/')
    assert resp.json['err'] == 0
    assert len(resp.json['data']) == 1
+    assert resp.json['data'][0]['authentication_required'] is False
    # not present in backoffice-submission formdefs
    resp = get_app(pub).get('/api/formdefs/?backoffice-submission=on')
    assert resp.json['err'] == 0
@ -379,6 +380,12 @@ def test_limited_formdef_list(pub, local_user):
    local_user.roles = []
    local_user.store()

+    # check it's also included in anonymous/signed calls, but marked for
+    # authentication
+    resp = get_app(pub).get(sign_uri('/api/formdefs/'))
+    assert resp.json['data'][0]
+    assert resp.json['data'][0]['authentication_required'] is True
+
    # check it's advertised
    formdef.always_advertise = True
    formdef.store()
--- a/wcs/api.py
+++ b/wcs/api.py
@ -388,6 +388,9 @@ class ApiFormdefsDirectory(Directory):
                        break
                else:
                    continue
+            elif formdef.roles and user is None and list_all_forms:
+                # anonymous API call, mark authentication as required
+                authentication_required = True

            formdict = {'title': unicode(formdef.name, charset),
                        'slug': formdef.url_name,