From 4b802af8567a40443003ca2ed604e47dbeb4ea78 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20P=C3=A9ters?= <fpeters@entrouvert.com>
Date: Thu, 29 Apr 2021 10:33:26 +0200
Subject: [PATCH] backoffice: don't display invalid "option replacement field"
 varnames (#53526)

---
 tests/admin_pages/test_workflow.py | 47 ++++++++++++++++++++++++++++++
 wcs/admin/fields.py                |  5 +++-
 wcs/variables.py                   |  4 +++
 3 files changed, 55 insertions(+), 1 deletion(-)

diff --git a/tests/admin_pages/test_workflow.py b/tests/admin_pages/test_workflow.py
index ba02cfa33..031384bd0 100644
--- a/tests/admin_pages/test_workflow.py
+++ b/tests/admin_pages/test_workflow.py
@@ -1386,6 +1386,53 @@ def test_workflows_variables_with_export_to_model_action(pub):
     resp = resp.click('Edit', href='1/')
 
 
+def test_workflows_variables_replacement(pub):
+    create_superuser(pub)
+
+    Workflow.wipe()
+    workflow = Workflow(name='foo')
+    baz_status = workflow.add_status(name='baz')
+    display_message = DisplayMessageWorkflowStatusItem()
+    display_message.parent = baz_status
+    baz_status.items.append(display_message)
+    workflow.store()
+
+    app = login(get_app(pub))
+    resp = app.get('/backoffice/workflows/%s/variables/fields/' % workflow.id)
+
+    # add a field
+    resp.forms[0]['label'] = 'foobar'
+    resp.forms[0]['type'] = 'string'
+    resp = resp.forms[0].submit().follow()
+
+    # edit
+    resp = resp.click('Edit', href='1/')
+    resp.form['varname$select'].value = '1*1*message'
+    resp = resp.form.submit('submit').follow()
+
+    # make sure a wrong variable name is not displayed
+    assert 'form_option_1*1*message' not in resp.text
+    assert Workflow.get(workflow.id).variables_formdef.fields[0].varname == '1*1*message'
+
+    # and make sure it doesn't appear in formdata inspect page
+    formdef = FormDef()
+    formdef.name = 'Form title'
+    formdef.workflow = workflow
+    formdef.fields = []
+    formdef.store()
+
+    data_class = formdef.data_class()
+    data_class.wipe()
+
+    formdata = data_class()
+    formdata.data = {}
+    formdata.status = 'wf-new'
+    formdata.store()
+
+    resp = app.get(formdata.get_backoffice_url() + 'inspect')
+    assert 'form_option_1*1*message' not in resp.text
+
+
 def test_workflows_backoffice_fields(pub):
     create_superuser(pub)
 
diff --git a/wcs/admin/fields.py b/wcs/admin/fields.py
index ac0b414fc..b29e970b4 100644
--- a/wcs/admin/fields.py
+++ b/wcs/admin/fields.py
@@ -31,6 +31,7 @@ from wcs.qommon import N_, _, errors, get_cfg, misc
 from wcs.qommon.admin.menu import command_icon
 from wcs.qommon.backoffice.menu import html_top
 from wcs.qommon.form import CheckboxWidget, Form, HtmlWidget, SingleSelectWidget, StringWidget
+from wcs.qommon.substitution import CompatibilityNamesDict
 
 
 class FieldDefPage(Directory):
@@ -326,7 +327,9 @@ class FieldsDirectory(Directory):
                         r += htmltext('<span class="optional">%s</span>') % required
                     if getattr(field, 'condition', None):
                         r += htmltext(' - <span class="condition">%s</span>') % _('depending on condition')
-                    if getattr(field, 'varname', None):
+                    if getattr(field, 'varname', None) and CompatibilityNamesDict.valid_key_regex.match(
+                        field.varname
+                    ):
                         r += htmltext(' - <span class="varname">{{%s%s}}</span>') % (
                             self.field_var_prefix,
                             field.varname,
diff --git a/wcs/variables.py b/wcs/variables.py
index 59eb46940..67db3508c 100644
--- a/wcs/variables.py
+++ b/wcs/variables.py
@@ -1186,6 +1186,10 @@ class LazyFormDefOptions(LazyFormDataVar):
         data = self._formdef.workflow_options
         super().__init__(fields, data)
 
+    def inspect_keys(self):
+        # don't display "parameter replacement" options
+        return [x for x in self.varnames.keys() if '*' not in x]
+
 
 class CardsSource:
     @classmethod