tracking code: don't give formdata access after support have been disabled

2015-02-24 14:58:28 +01:00 · 2015-02-24 14:58:28 +01:00 · 6c9bc73d6e
parent 7a126d49a8
commit 6c9bc73d6e
2 changed files with 12 additions and 0 deletions
--- a/tests/test_form_pages.py
+++ b/tests/test_form_pages.py
@ -350,3 +350,13 @@ def test_form_invalid_tracking_code():
    resp = resp.forms[0].submit()
    assert resp.location == 'http://example.net/code/%s/load' % fake_code
    resp = resp.follow(status=404)
+
+    # check we also get an error if tracking code access is disabled after the
+    # fact
+    formdef.enable_tracking_codes = False
+    formdef.store()
+    resp = get_app(pub).get('/')
+    resp.forms[0]['code'] = code.id
+    resp = resp.forms[0].submit()
+    assert resp.location == 'http://example.net/code/%s/load' % code.id
+    resp = resp.follow(status=404)
--- a/wcs/forms/root.py
+++ b/wcs/forms/root.py
@ -167,6 +167,8 @@ class TrackingCodeDirectory(Directory):
        except KeyError:
            raise errors.TraversalError()
        formdata = tracking_code.formdata
+        if formdata.formdef.enable_tracking_codes is False:
+            raise errors.TraversalError()
        if not get_session().user:
            get_session().mark_anonymous_formdata(formdata)
        return redirect(formdata.get_url().rstrip('/'))