api: mark role-restricted api user as non anonymous (#53864)

2021-05-07 18:52:01 +02:00 · 2021-05-07 18:52:01 +02:00 · 3a641631b1
parent 8b629deef1
commit 3a641631b1
2 changed files with 9 additions and 0 deletions
--- a/tests/api/test_carddef.py
+++ b/tests/api/test_carddef.py
@ -253,6 +253,9 @@ def test_cards_restricted_api(pub, local_user):
    resp = get_app(pub).get(sign_uri('/api/cards/test/list', orig='test', key='12345'))
    assert len(resp.json['data']) == 1

+    resp = get_app(pub).get(sign_uri('/api/cards/test/%s/' % formdata.id, orig='test', key='12345'))
+    assert resp.json['id'] == str(formdata.id)
+
    # restricted to another role, do not get it
    role2 = pub.role_class(name='second')
    role2.store()
@ -261,6 +264,11 @@ def test_cards_restricted_api(pub, local_user):
    resp = get_app(pub).get(sign_uri('/api/cards/test/list', orig='test', key='12345'), status=403)
    assert resp.json['err_desc'] == 'unsufficient roles'

+    resp = get_app(pub).get(
+        sign_uri('/api/cards/test/%s/' % formdata.id, orig='test', key='12345'), status=403
+    )
+    assert resp.json['err_desc'] == 'unsufficient roles'
+

 def test_cards_http_auth_access(pub, local_user):
    pub.role_class.wipe()
--- a/wcs/api_access.py
+++ b/wcs/api_access.py
@ -87,6 +87,7 @@ class ApiAccess(XmlStorableObject):
            id = Ellipsis  # make sure it fails all over the place if used
            is_admin = False
            is_api_user = True
+            anonymous = False

            def can_go_in_admin(self):
                return False