tracking code: don't give formdata access after support have been disabled
parent
7a126d49a8
commit
6c9bc73d6e
|
@ -350,3 +350,13 @@ def test_form_invalid_tracking_code():
|
|||
resp = resp.forms[0].submit()
|
||||
assert resp.location == 'http://example.net/code/%s/load' % fake_code
|
||||
resp = resp.follow(status=404)
|
||||
|
||||
# check we also get an error if tracking code access is disabled after the
|
||||
# fact
|
||||
formdef.enable_tracking_codes = False
|
||||
formdef.store()
|
||||
resp = get_app(pub).get('/')
|
||||
resp.forms[0]['code'] = code.id
|
||||
resp = resp.forms[0].submit()
|
||||
assert resp.location == 'http://example.net/code/%s/load' % code.id
|
||||
resp = resp.follow(status=404)
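Review bot: The new assertions only cover a fresh session that requests `/code/<id>/load` after the formdef was switched off; a session that loaded the code while tracking codes were still enabled is not exercised. The handler marks such a session with `mark_anonymous_formdata`, and nothing visible in this commit revokes that mark, so a case that loads the code first, then sets `formdef.enable_tracking_codes = False`, and then checks that the formdata URL is refused would pin the intended behaviour (or document that the earlier grant is meant to survive). The test also leaves the disabled flag stored; if later tests reuse this formdef, a reset or a comment such as `# formdef is recreated for each test` would make that explicit. The enclosing test function starts outside the hunk.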
|
||||
|
|
|
@ -167,6 +167,8 @@ class TrackingCodeDirectory(Directory):
|
|||
except KeyError:
|
||||
raise errors.TraversalError()
|
||||
formdata = tracking_code.formdata
|
||||
if formdata.formdef.enable_tracking_codes is False:
|
||||
raise errors.TraversalError()
|
||||
if not get_session().user:
|
||||
get_session().mark_anonymous_formdata(formdata)
|
||||
return redirect(formdata.get_url().rstrip('/'))
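Review bot: The added guard `if formdata.formdef.enable_tracking_codes is False:` is an identity test, so any other falsy value such as `None` or `0` passes it and the tracking code still opens the formdata. Whether such values can occur depends on how the attribute is defaulted and loaded, which is not visible here, but an access check should fail closed: `if not formdata.formdef.enable_tracking_codes:`. The handler's body starts outside the hunk.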
|
||||
|
|