From 3bcf1f3e2a6ab7619556bfd98df605d53e3d44e3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20P=C3=A9ters?=
Date: Tue, 2 Aug 2022 14:49:45 +0200
Subject: [PATCH] api: do not return any options in schema for sources linked to user (#67862)
---
 tests/api/test_carddef.py | 34 ++++++++++++++++++++++++++++++++++
 wcs/carddef.py | 5 ++++-
 2 files changed, 38 insertions(+), 1 deletion(-)
diff --git a/tests/api/test_carddef.py b/tests/api/test_carddef.py
index 630d30586..a2391d8b9 100644
--- a/tests/api/test_carddef.py
+++ b/tests/api/test_carddef.py
@@ -219,6 +219,40 @@ def test_cards(pub, local_user):
 resp = get_app(pub).get('/api/cards/test/@schema', status=403)
+def test_carddef_schema_user_filtered_datasource(pub):
+ CardDef.wipe()
+ carddef = CardDef()
+ carddef.name = 'items'
+ carddef.user_support = 'optional'
+ carddef.digest_templates = {'default': '{{form_var_name}}'}
+ carddef.fields = [
+ fields.StringField(id='0', label='string', varname='name'),
+ ]
+ carddef.store()
+
+ for value in ['foo', 'bar', 'baz']:
+ carddata = carddef.data_class()()
+ carddata.data = {'0': value}
+ carddata.just_created()
+ carddata.store()
+
+ ds = {'type': 'carddef:%s' % carddef.url_name}
+ carddef2 = CardDef()
+ carddef2.name = 'foobar'
+ carddef2.fields = [
+ fields.ItemField(id='0', label='item', type='item', varname='foo', data_source=ds),
+ ]
+ carddef2.store()
+
+ resp = get_app(pub).get(sign_uri('/api/cards/foobar/@schema'), status=200)
+ assert resp.json['fields'][0]['items'] == ['bar', 'baz', 'foo']
+
+ carddef2.fields[0].data_source['type'] = 'carddef:%s:_with_user_filter' % carddef.url_name
+ carddef2.store()
+ resp = get_app(pub).get(sign_uri('/api/cards/foobar/@schema'), status=200)
+ assert resp.json['fields'][0]['items'] == []
+
+
 def test_carddef_schema_relations(pub):
 FormDef.wipe()
 CardDef.wipe()
diff --git a/wcs/carddef.py b/wcs/carddef.py
index 3025b3110..e4fe28dad 100644
--- a/wcs/carddef.py
+++ b/wcs/carddef.py
@@ -204,7 +204,10 @@ class CardDef(FormDef):
 if parts[2] == '_with_user_filter':
 if not get_by_id:
 variables = get_publisher().substitutions.get_context_variables(mode='lazy')
- user = variables['form_user']
+ try:
+ user = variables['form_user']
+ except KeyError:
+ user = None
 criterias.append(Equal('user_id', str(user.id) if user else '-1'))
 else:
 if custom_view is None:
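Review bot: The `except KeyError` branch is what keeps the `_with_user_filter` criteria fail-closed, and nothing at that spot says so. With `user = None` the next line appends `Equal('user_id', '-1')`, which presumably matches no stored card, so a context without `form_user` (the signed schema request in the new test) yields an empty list rather than every card. I would put a comment above the `try`, for example `# no form_user in context (e.g. API schema request): keep the filter and match nothing rather than skipping it`, so a later cleanup does not turn the fallback into an unfiltered query. The `'-1'` sentinel predates this commit; whether a real `user_id` can never equal it is not visible here and is worth confirming. The enclosing method starts and ends outside the hunk.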