backoffice: give appropriate roles access to private histories (#15040)
This commit is contained in:
parent
7ed398fd7f
commit
4f31842a06
|
@ -10,6 +10,7 @@ from wcs.qommon.http_request import HTTPRequest
|
|||
from wcs import fields, formdef
|
||||
from wcs.formdef import FormDef
|
||||
from wcs.formdata import Evolution
|
||||
from wcs.roles import Role
|
||||
from wcs.workflows import Workflow, WorkflowCriticalityLevel, WorkflowBackofficeFieldsFormDef
|
||||
from wcs.wf.anonymise import AnonymiseWorkflowStatusItem
|
||||
from wcs.wf.wscall import JournalWsCallErrorPart
|
||||
|
@ -31,6 +32,7 @@ def pub(request):
|
|||
|
||||
req = HTTPRequest(None, {'SCRIPT_NAME': '/', 'SERVER_NAME': 'example.net'})
|
||||
pub.set_app_dir(req)
|
||||
pub._set_request(req)
|
||||
pub.cfg['identification'] = {'methods': ['password']}
|
||||
pub.cfg['language'] = {'language': 'en'}
|
||||
pub.write_cfg()
|
||||
|
@ -564,3 +566,26 @@ def test_backoffice_field_varname(pub):
|
|||
formdata.data = {'bo1': 'test'}
|
||||
substvars = formdata.get_substitution_variables()
|
||||
assert substvars.get('form_var_backoffice_blah') == 'test'
|
||||
|
||||
def test_private_history(pub, local_user):
|
||||
formdef.data_class().wipe()
|
||||
formdef.private_status_and_history = True
|
||||
formdef.store()
|
||||
formdata = formdef.data_class()()
|
||||
formdata.store()
|
||||
|
||||
assert formdef.is_user_allowed_read_status_and_history(None, formdata=formdata) is False
|
||||
|
||||
assert formdef.is_user_allowed_read_status_and_history(local_user, formdata=formdata) is False
|
||||
local_user.is_admin = True
|
||||
assert formdef.is_user_allowed_read_status_and_history(local_user, formdata=formdata) is True
|
||||
local_user.is_admin = False
|
||||
|
||||
role = Role(name='foobar')
|
||||
role.store()
|
||||
|
||||
formdef.workflow_roles['_receiver'] = role.id
|
||||
assert formdef.is_user_allowed_read_status_and_history(local_user, formdata=formdata) is False
|
||||
|
||||
local_user.roles = [role.id]
|
||||
assert formdef.is_user_allowed_read_status_and_history(local_user, formdata=formdata) is True
|
||||
|
|
|
@ -1151,7 +1151,7 @@ class FormDef(StorableObject):
|
|||
|
||||
if not self.workflow_roles:
|
||||
self.workflow_roles = {}
|
||||
form_roles = [x for x in self.workflow_roles.keys() if x]
|
||||
form_roles = [x for x in self.workflow_roles.values() if x]
|
||||
if user and self.private_status_and_history and not user_roles.intersection(form_roles):
|
||||
return False
|
||||
return self.is_user_allowed_read(user, formdata=formdata)
|
||||
|
|
Loading…
Reference in New Issue