forms: always redirect user after access right is lost (#55081)

tests/backoffice_pages/test_all.py

@@ -29,6 +29,7 @@ from wcs.roles import logged_users_role
 from wcs.wf.backoffice_fields import SetBackofficeFieldsWorkflowStatusItem
 from wcs.wf.create_carddata import CreateCarddataWorkflowStatusItem
 from wcs.wf.create_formdata import CreateFormdataWorkflowStatusItem, Mapping
+from wcs.wf.dispatch import DispatchWorkflowStatusItem
 from wcs.wf.export_to_model import ExportToModel
 from wcs.wf.form import FormWorkflowStatusItem, WorkflowFormFieldsFormDef
 from wcs.wf.jump import JumpWorkflowStatusItem
@@ -6302,3 +6303,52 @@ def test_backoffice_http_basic_auth(pub):
     app = get_app(pub)
     app.set_authorization(('Basic', ('test', '12345')))
     app.get('/backoffice/', status=403)
+
+
+def test_backoffice_dispatch_lose_access(pub):
+    user = create_user(pub)
+    create_environment(pub)
+
+    role1 = pub.role_class(name='xxx1')
+    role1.store()
+    role2 = pub.role_class(name='xxx2')
+    role2.store()
+    user.roles.append(role1.id)
+    user.store()
+
+    formdef = FormDef()
+    formdef.name = 'test dispatch lose access'
+    formdef.fields = []
+
+    wf = Workflow(name='dispatch')
+
+    st1 = wf.add_status('Status1')
+    dispatch = DispatchWorkflowStatusItem()
+    dispatch.id = '_dispatch'
+    dispatch.role_key = '_receiver'
+    dispatch.role_id = role2.id
+    st1.items.append(dispatch)
+    dispatch.parent = st1
+
+    add_function = ChoiceWorkflowStatusItem()
+    add_function.id = '_change_function'
+    add_function.label = 'Change function'
+    add_function.by = ['_receiver']
+    add_function.status = st1.id
+    st1.items.append(add_function)
+    add_function.parent = st1
+
+    wf.store()
+
+    formdef.workflow_id = wf.id
+    formdef.workflow_roles = {'_receiver': role1.id}
+    formdef.store()
+
+    formdata = formdef.data_class()()
+    formdata.just_created()
+    formdata.store()
+
+    app = login(get_app(pub))
+    resp = app.get('/backoffice/management/%s/%s/' % (formdef.url_name, formdata.id))
+    resp = resp.form.submit('button_add_function')
+    assert resp.location == '..'  # no access -> to listing

wcs/forms/common.py

@@ -657,21 +657,21 @@ class FormStatusPage(Directory, FormTemplateMixin):
             get_logger().info(
                 'form %s - id: %s - status -> %s' % (self.formdef.name, self.filled.id, self.filled.status)
             )
-            try:
-                self.check_auth()
-            except errors.AccessError:
-                # the user no longer has access to the form; redirect to a
-                # different page
-                if 'backoffice/' in [x[0] for x in get_response().breadcrumb]:
-                    user = get_request().user
-                    if user and (user.is_admin or self.formdef.is_of_concern_for_user(user)):
-                        # user has access to the formdef, redirect to the
-                        # listing.
-                        return '..'
-                    else:
-                        return get_publisher().get_backoffice_url()
+        try:
+            self.check_auth()
+        except errors.AccessError:
+            # the user no longer has access to the form; redirect to a
+            # different page
+            if 'backoffice/' in [x[0] for x in get_response().breadcrumb]:
+                user = get_request().user
+                if user and (user.is_admin or self.formdef.is_of_concern_for_user(user)):
+                    # user has access to the formdef, redirect to the
+                    # listing.
+                    return '..'
                 else:
-                    return get_publisher().get_root_url()
+                    return get_publisher().get_backoffice_url()
+            else:
+                return get_publisher().get_root_url()
 
     def download(self):
         self.check_receiver()