backoffice: give appropriate roles access to private histories (#15040)

2017-02-17 13:02:36 +01:00 · 2017-02-17 13:02:36 +01:00 · 4f31842a06
parent 7ed398fd7f
commit 4f31842a06
2 changed files with 26 additions and 1 deletions
--- a/tests/test_formdata.py
+++ b/tests/test_formdata.py
@ -10,6 +10,7 @@ from wcs.qommon.http_request import HTTPRequest
 from wcs import fields, formdef
 from wcs.formdef import FormDef
 from wcs.formdata import Evolution
+from wcs.roles import Role
 from wcs.workflows import Workflow, WorkflowCriticalityLevel, WorkflowBackofficeFieldsFormDef
 from wcs.wf.anonymise import AnonymiseWorkflowStatusItem
 from wcs.wf.wscall import JournalWsCallErrorPart
@ -31,6 +32,7 @@ def pub(request):

    req = HTTPRequest(None, {'SCRIPT_NAME': '/', 'SERVER_NAME': 'example.net'})
    pub.set_app_dir(req)
+    pub._set_request(req)
    pub.cfg['identification'] = {'methods': ['password']}
    pub.cfg['language'] = {'language': 'en'}
    pub.write_cfg()
@ -564,3 +566,26 @@ def test_backoffice_field_varname(pub):
    formdata.data = {'bo1': 'test'}
    substvars = formdata.get_substitution_variables()
    assert substvars.get('form_var_backoffice_blah') == 'test'
+
+def test_private_history(pub, local_user):
+    formdef.data_class().wipe()
+    formdef.private_status_and_history = True
+    formdef.store()
+    formdata = formdef.data_class()()
+    formdata.store()
+
+    assert formdef.is_user_allowed_read_status_and_history(None, formdata=formdata) is False
+
+    assert formdef.is_user_allowed_read_status_and_history(local_user, formdata=formdata) is False
+    local_user.is_admin = True
+    assert formdef.is_user_allowed_read_status_and_history(local_user, formdata=formdata) is True
+    local_user.is_admin = False
+
+    role = Role(name='foobar')
+    role.store()
+
+    formdef.workflow_roles['_receiver'] = role.id
+    assert formdef.is_user_allowed_read_status_and_history(local_user, formdata=formdata) is False
+
+    local_user.roles = [role.id]
+    assert formdef.is_user_allowed_read_status_and_history(local_user, formdata=formdata) is True
--- a/wcs/formdef.py
+++ b/wcs/formdef.py
@ -1151,7 +1151,7 @@ class FormDef(StorableObject):

        if not self.workflow_roles:
            self.workflow_roles = {}
-        form_roles = [x for x in self.workflow_roles.keys() if x]
+        form_roles = [x for x in self.workflow_roles.values() if x]
        if user and self.private_status_and_history and not user_roles.intersection(form_roles):
            return False
        return self.is_user_allowed_read(user, formdata=formdata)