backoffice: don't display invalid "option replacement field" varnames (#53526)

tests/admin_pages/test_workflow.py

@@ -1386,6 +1386,53 @@ def test_workflows_variables_with_export_to_model_action(pub):
     resp = resp.click('Edit', href='1/')
 
 
+def test_workflows_variables_replacement(pub):
+    create_superuser(pub)
+
+    Workflow.wipe()
+    workflow = Workflow(name='foo')
+    baz_status = workflow.add_status(name='baz')
+    display_message = DisplayMessageWorkflowStatusItem()
+    display_message.parent = baz_status
+    baz_status.items.append(display_message)
+    workflow.store()
+
+    app = login(get_app(pub))
+    resp = app.get('/backoffice/workflows/%s/variables/fields/' % workflow.id)
+
+    # add a field
+    resp.forms[0]['label'] = 'foobar'
+    resp.forms[0]['type'] = 'string'
+    resp = resp.forms[0].submit().follow()
+
+    # edit
+    resp = resp.click('Edit', href='1/')
+    resp.form['varname$select'].value = '1*1*message'
+    resp = resp.form.submit('submit').follow()
+
+    # make sure a wrong variable name is not displayed
+    assert 'form_option_1*1*message' not in resp.text
+    assert Workflow.get(workflow.id).variables_formdef.fields[0].varname == '1*1*message'
+
+    # and make sure it doesn't appear in formdata inspect page
+    formdef = FormDef()
+    formdef.name = 'Form title'
+    formdef.workflow = workflow
+    formdef.fields = []
+    formdef.store()
+
+    data_class = formdef.data_class()
+    data_class.wipe()
+
+    formdata = data_class()
+    formdata.data = {}
+    formdata.status = 'wf-new'
+    formdata.store()
+
+    resp = app.get(formdata.get_backoffice_url() + 'inspect')
+    assert 'form_option_1*1*message' not in resp.text
+
+
 def test_workflows_backoffice_fields(pub):
     create_superuser(pub)
 

wcs/admin/fields.py

@@ -31,6 +31,7 @@ from wcs.qommon import N_, _, errors, get_cfg, misc
 from wcs.qommon.admin.menu import command_icon
 from wcs.qommon.backoffice.menu import html_top
 from wcs.qommon.form import CheckboxWidget, Form, HtmlWidget, SingleSelectWidget, StringWidget
+from wcs.qommon.substitution import CompatibilityNamesDict
 
 
 class FieldDefPage(Directory):
@@ -326,7 +327,9 @@ class FieldsDirectory(Directory):
                         r += htmltext('<span class="optional">%s</span>') % required
                     if getattr(field, 'condition', None):
                         r += htmltext(' - <span class="condition">%s</span>') % _('depending on condition')
-                    if getattr(field, 'varname', None):
+                    if getattr(field, 'varname', None) and CompatibilityNamesDict.valid_key_regex.match(
+                        field.varname
+                    ):
                         r += htmltext(' - <span class="varname">{{%s%s}}</span>') % (
                             self.field_var_prefix,
                             field.varname,

wcs/variables.py

@@ -1186,6 +1186,10 @@ class LazyFormDefOptions(LazyFormDataVar):
         data = self._formdef.workflow_options
         super().__init__(fields, data)
 
+    def inspect_keys(self):
+        # don't display "parameter replacement" options
+        return [x for x in self.varnames.keys() if '*' not in x]
+
 
 class CardsSource:
     @classmethod