misc: fix log visibility for users with dispatched functions (#17672)

2017-07-17 22:05:00 +02:00 · 2017-07-17 22:05:00 +02:00 · 1c687adc90
parent c754ac53bc
commit 1c687adc90
2 changed files with 60 additions and 0 deletions
--- a/tests/test_backoffice_pages.py
+++ b/tests/test_backoffice_pages.py
@ -3621,3 +3621,61 @@ def test_backoffice_logged_errors(pub):
    FormDef.wipe()
    resp = resp2.click('ZeroDivisionError')
    assert not 'href="http://example.net/backoffice/management/test/' in resp.body
+
+def test_backoffice_private_status_and_history(pub):
+    create_user(pub)
+    create_environment(pub)
+    formdef = FormDef.get_by_urlname('form-title')
+    formdef.private_status_and_history = True
+    formdef.store()
+    form_class = FormDef.get_by_urlname('form-title').data_class()
+    number31 = [x for x in form_class.select() if x.data['1'] == 'FOO BAR 30'][0]
+    app = login(get_app(pub))
+    resp = app.get('/backoffice/management/form-title/')
+    assert re.findall('<tbody.*\/tbody>', resp.body, re.DOTALL)[0].count('<tr') == 17
+
+    # click on a formdata
+    resp = resp.click(href='%s/' % number31.id)
+    assert (' with the number %s.' % number31.get_display_id()) in resp.body
+    resp.forms[0]['comment'] = 'HELLO WORLD'
+    resp = resp.forms[0].submit('button_accept')
+    resp = resp.follow()
+    assert FormDef.get_by_urlname('form-title').data_class().get(number31.id).status == 'wf-accepted'
+    assert 'HELLO WORLD' in resp.body
+
+    assert 'id="evolution-log"' in resp.body
+
+def test_backoffice_private_status_and_history_with_assigned_function(pub):
+    create_user(pub)
+    create_environment(pub, set_receiver=False)
+
+    formdef = FormDef.get_by_urlname('form-title')
+    formdef.private_status_and_history = True
+    formdef.store()
+
+    form_class = FormDef.get_by_urlname('form-title').data_class()
+    number31 = [x for x in form_class.select() if x.data['1'] == 'FOO BAR 30'][0]
+
+    app = login(get_app(pub))
+    resp = app.get('/backoffice/management/form-title/', status=403)
+
+    # fake function assignment
+    number31.workflow_roles = {'_receiver': '1'}
+    number31.store()
+    resp = app.get('/backoffice/management/form-title/', status=200)
+    assert re.findall('<tbody.*\/tbody>', resp.body, re.DOTALL)[0].count('<tr') == 1
+
+    # click on a formdata
+    resp = resp.click(href='%s/' % number31.id)
+    assert (' with the number %s.' % number31.get_display_id()) in resp.body
+
+    # history is visible
+    assert 'id="evolution-log"' in resp.body
+    resp.forms[0]['comment'] = 'HELLO WORLD'
+    resp = resp.forms[0].submit('button_accept')
+    resp = resp.follow()
+    assert FormDef.get_by_urlname('form-title').data_class().get(number31.id).status == 'wf-accepted'
+
+    # history is still visible
+    assert 'HELLO WORLD' in resp.body
+    assert 'id="evolution-log"' in resp.body
--- a/wcs/formdef.py
+++ b/wcs/formdef.py
@ -1217,6 +1217,8 @@ class FormDef(StorableObject):
        if not self.workflow_roles:
            self.workflow_roles = {}
        form_roles = [x for x in self.workflow_roles.values() if x]
+        if formdata and formdata.workflow_roles:
+            form_roles.extend([x for x in formdata.workflow_roles.values() if x])
        if user and self.private_status_and_history and not user_roles.intersection(form_roles):
            return False
        return self.is_user_allowed_read(user, formdata=formdata)