forms: always redirect user after access right is lost (#55081)
This commit is contained in:
parent
235740a742
commit
454d63dcd2
@ -29,6 +29,7 @@ from wcs.roles import logged_users_role
|
|||
from wcs.wf.backoffice_fields import SetBackofficeFieldsWorkflowStatusItem
|
||||
from wcs.wf.create_carddata import CreateCarddataWorkflowStatusItem
|
||||
from wcs.wf.create_formdata import CreateFormdataWorkflowStatusItem, Mapping
|
||||
from wcs.wf.dispatch import DispatchWorkflowStatusItem
|
||||
from wcs.wf.export_to_model import ExportToModel
|
||||
from wcs.wf.form import FormWorkflowStatusItem, WorkflowFormFieldsFormDef
|
||||
from wcs.wf.jump import JumpWorkflowStatusItem
|
||||
|
@ -6302,3 +6303,52 @@ def test_backoffice_http_basic_auth(pub):
|
|||
app = get_app(pub)
|
||||
app.set_authorization(('Basic', ('test', '12345')))
|
||||
app.get('/backoffice/', status=403)
|
||||
|
||||
|
||||
def test_backoffice_dispatch_lose_access(pub):
|
||||
user = create_user(pub)
|
||||
create_environment(pub)
|
||||
|
||||
role1 = pub.role_class(name='xxx1')
|
||||
role1.store()
|
||||
role2 = pub.role_class(name='xxx2')
|
||||
role2.store()
|
||||
user.roles.append(role1.id)
|
||||
user.store()
|
||||
|
||||
formdef = FormDef()
|
||||
formdef.name = 'test dispatch lose access'
|
||||
formdef.fields = []
|
||||
|
||||
wf = Workflow(name='dispatch')
|
||||
|
||||
st1 = wf.add_status('Status1')
|
||||
dispatch = DispatchWorkflowStatusItem()
|
||||
dispatch.id = '_dispatch'
|
||||
dispatch.role_key = '_receiver'
|
||||
dispatch.role_id = role2.id
|
||||
st1.items.append(dispatch)
|
||||
dispatch.parent = st1
|
||||
|
||||
add_function = ChoiceWorkflowStatusItem()
|
||||
add_function.id = '_change_function'
|
||||
add_function.label = 'Change function'
|
||||
add_function.by = ['_receiver']
|
||||
add_function.status = st1.id
|
||||
st1.items.append(add_function)
|
||||
add_function.parent = st1
|
||||
|
||||
wf.store()
|
||||
|
||||
formdef.workflow_id = wf.id
|
||||
formdef.workflow_roles = {'_receiver': role1.id}
|
||||
formdef.store()
|
||||
|
||||
formdata = formdef.data_class()()
|
||||
formdata.just_created()
|
||||
formdata.store()
|
||||
|
||||
app = login(get_app(pub))
|
||||
resp = app.get('/backoffice/management/%s/%s/' % (formdef.url_name, formdata.id))
|
||||
resp = resp.form.submit('button_add_function')
|
||||
assert resp.location == '..' # no access -> to listing
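Review bot: The new test only pins the `'..'` branch of the redirect: the user keeps role1, which is still the formdef's `_receiver`, so `formdef.is_of_concern_for_user(user)` presumably stays true and the listing redirect is taken. A second scenario in which the user holds no function on the formdef any more (for example `workflow_roles` pointing at a role the user does not have) would cover the `get_backoffice_url()` fallback that the commit title promises, and a frontoffice request would cover the `get_root_url()` path. Following the redirect once with `resp.follow()` would also confirm the listing is actually reachable after the dispatch, rather than only that a redirect is issued.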
|
||||
|
|
|
@ -657,21 +657,21 @@ class FormStatusPage(Directory, FormTemplateMixin):
|
|||
get_logger().info(
|
||||
'form %s - id: %s - status -> %s' % (self.formdef.name, self.filled.id, self.filled.status)
|
||||
)
|
||||
try:
|
||||
self.check_auth()
|
||||
except errors.AccessError:
|
||||
# the user no longer has access to the form; redirect to a
|
||||
# different page
|
||||
if 'backoffice/' in [x[0] for x in get_response().breadcrumb]:
|
||||
user = get_request().user
|
||||
if user and (user.is_admin or self.formdef.is_of_concern_for_user(user)):
|
||||
# user has access to the formdef, redirect to the
|
||||
# listing.
|
||||
return '..'
|
||||
else:
|
||||
return get_publisher().get_backoffice_url()
|
||||
try:
|
||||
self.check_auth()
|
||||
except errors.AccessError:
|
||||
# the user no longer has access to the form; redirect to a
|
||||
# different page
|
||||
if 'backoffice/' in [x[0] for x in get_response().breadcrumb]:
|
||||
user = get_request().user
|
||||
if user and (user.is_admin or self.formdef.is_of_concern_for_user(user)):
|
||||
# user has access to the formdef, redirect to the
|
||||
# listing.
|
||||
return '..'
|
||||
else:
|
||||
return get_publisher().get_root_url()
|
||||
return get_publisher().get_backoffice_url()
|
||||
else:
|
||||
return get_publisher().get_root_url()
|
||||
|
||||
def download(self):
|
||||
self.check_receiver()
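Review bot: The `except errors.AccessError` handler turns a lost authorization into a bare redirect with no trace, while the status change logged just above it is recorded; an info-level line such as `get_logger().info('form %s - id: %s - access lost after status change' % (self.formdef.name, self.filled.id))` at the top of the except block would keep the audit trail consistent for users bounced out of a form after a dispatch. The context test `'backoffice/' in [x[0] for x in get_response().breadcrumb]` infers backoffice context from breadcrumb entries, which is fragile; if the request object already exposes a backoffice-context predicate, it would be the more robust check. All three redirect targets (`'..'`, the backoffice URL, the root URL) are fixed internal locations, so no request-controlled value reaches the redirect, which is the right shape for this path. The rendered view makes it hard to tell which of the two near-identical blocks is the new side, so this note assumes the variant where `return get_publisher().get_backoffice_url()` is the unconditional fallback; the enclosing method starts before the hunk and `download` continues past it.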
|
||||
|
|