api: export all formdefs if url is signed without a user (#7410)

wcs/api.py

@@ -32,13 +32,13 @@ from wcs.formdef import FormDef
 from wcs.roles import Role
 
 
-def get_user_from_api_query_string():
+def is_url_signed():
     query_string = get_request().get_query()
     if not query_string:
-        return None
+        return False
     signature = get_request().form.get('signature')
     if not isinstance(signature, basestring):
-        return None
+        return False
     # verify signature
     orig = get_request().form.get('orig')
     if not isinstance(orig, basestring):
@@ -67,7 +67,11 @@ def get_user_from_api_query_string():
     if abs(delta) > datetime.timedelta(seconds=MAX_DELTA):
         raise AccessForbiddenError('timestamp delta is more '
                 'than %s seconds: %s seconds' % (MAX_DELTA, delta))
+    return True
 
+def get_user_from_api_query_string():
+    if not is_url_signed():
+        return None
     # Signature is good. Now looking for the user, by email/NameID.
     # If email or NameID exist but are empty, return None
     user = None

wcs/forms/root.py

@@ -1210,8 +1210,10 @@ class RootDirectory(AccessControlled, Directory):
         return r.getvalue()
 
     def json(self):
-        from wcs.api import get_user_from_api_query_string
+        from wcs.api import is_url_signed, get_user_from_api_query_string
         user = get_user_from_api_query_string() or get_request().user
+        list_all_forms = (user and user.is_admin) or (is_url_signed() and user is None)
+
         list_forms = []
 
         if self.category:
@@ -1227,7 +1229,7 @@ class RootDirectory(AccessControlled, Directory):
 
         for formdef in formdefs:
             authentication_required = False
-            if formdef.roles and not (user and user.is_admin):
+            if formdef.roles and not list_all_forms:
                 if not user:
                     if not formdef.always_advertise:
                         continue