wf/jump: respond 404 on non-existing trigger, on all HTTP methods (#58226)

tests/api/test_workflow.py

@@ -108,6 +108,16 @@ def test_workflow_trigger(pub, local_user):
     get_app(pub).post(sign_uri(formdata.get_url() + 'jump/trigger/XXX/'), status=200)
     assert formdef.data_class().get(formdata.id).status == 'wf-st2'
 
+    # verify trigger presence (not-404 response)
+    formdata.store()  # reset
+    get_app(pub).get(sign_uri(formdata.get_url() + 'jump/trigger/XXX'), status=403)  # not 404: ok
+    assert formdef.data_class().get(formdata.id).status == 'wf-st1'
+    get_app(pub).get(sign_uri(formdata.get_url() + 'jump/trigger/ABC'), status=404)
+    # jump, and then test trigger is not available
+    get_app(pub).post(sign_uri(formdata.get_url() + 'jump/trigger/XXX'), status=200)
+    assert formdef.data_class().get(formdata.id).status == 'wf-st2'
+    get_app(pub).get(sign_uri(formdata.get_url() + 'jump/trigger/XXX'), status=404)
+
     pub.role_class.wipe()
     role = pub.role_class(name='xxx')
     role.store()

wcs/wf/jump.py

@@ -71,9 +71,6 @@ class TriggerDirectory(Directory):
         if get_request().is_json():
             get_response().set_content_type('application/json')
 
-        if not get_request().get_method() == 'POST':
-            raise errors.AccessForbiddenError()
-
         signed_request = is_url_signed()
         user = get_user_from_api_query_string() or get_request().user
         for item in self.wfstatus.items:
@@ -82,6 +79,8 @@ class TriggerDirectory(Directory):
             if not hasattr(item, 'trigger'):
                 continue
             if component == item.trigger:
+                if not get_request().get_method() == 'POST':
+                    raise errors.AccessForbiddenError()
                 if signed_request and not item.by:
                     pass
                 elif not item.check_auth(self.formdata, user):