forms: redirect manager to backoffice view of formdatas (#25330)
This commit is contained in:
parent
211ecf72a3
commit
9b62bfdbcd
|
|
@ -2271,7 +2271,7 @@ def test_backoffice_submission_no_manual_channel_with_welco(pub, welco_url):
|
|||
assert 'submission_channel' not in resp.form.fields
|
||||
|
||||
def test_backoffice_wscall_failure_display(http_requests, pub):
|
||||
create_user(pub)
|
||||
user = create_user(pub)
|
||||
create_environment(pub)
|
||||
formdef = FormDef.get_by_urlname('form-title')
|
||||
form_class = formdef.data_class()
|
||||
|
|
@ -2313,6 +2313,8 @@ def test_backoffice_wscall_failure_display(http_requests, pub):
|
|||
resp = resp.follow()
|
||||
assert 'Error during webservice call' in resp.body
|
||||
|
||||
number31.user_id = user.id # change ownership to stay in frontoffice
|
||||
number31.store()
|
||||
# the failure message shouldn't be displayed in the frontoffice
|
||||
resp = app.get('/form-title/%s/' % number31.id)
|
||||
assert (' with the number %s.' % number31.get_display_id()) in resp.body
|
||||
|
|
|
|||
|
|
@ -4105,6 +4105,7 @@ def test_form_worklow_multiple_identical_status(pub):
|
|||
|
||||
Role.wipe()
|
||||
role = Role(name='xxx')
|
||||
role.allows_backoffice_access = False
|
||||
role.store()
|
||||
|
||||
jump.by = [role.id]
|
||||
|
|
@ -4919,3 +4920,75 @@ def test_condition_on_action(pub, emails):
|
|||
resp = resp.form.submit('submit')
|
||||
resp = resp.form.submit('submit')
|
||||
assert emails.get('New form2 (test condition on action)')
|
||||
|
||||
def test_manager_public_access(pub):
|
||||
user, manager = create_user_and_admin(pub)
|
||||
|
||||
Role.wipe()
|
||||
role = Role(name='xxx')
|
||||
role.store()
|
||||
|
||||
manager.is_admin = False
|
||||
manager.roles = [role.id]
|
||||
manager.store()
|
||||
assert manager.can_go_in_backoffice()
|
||||
|
||||
formdef = create_formdef()
|
||||
formdef.workflow_roles = {'_receiver': role.id}
|
||||
formdef.store()
|
||||
|
||||
formdata = formdef.data_class()()
|
||||
formdata.user_id = user.id
|
||||
formdata.data = {}
|
||||
formdata.just_created()
|
||||
formdata.store()
|
||||
|
||||
# user access to own formdata
|
||||
app = login(get_app(pub), username='foo', password='foo')
|
||||
resp = app.get(formdata.get_url())
|
||||
assert 'The form has been recorded' in resp.body
|
||||
|
||||
# agent access to formdata
|
||||
app = login(get_app(pub), username='admin', password='admin')
|
||||
resp = app.get(formdata.get_url())
|
||||
assert resp.location == formdata.get_url(backoffice=True)
|
||||
resp = resp.follow()
|
||||
assert 'The form has been recorded' in resp.body
|
||||
|
||||
# agent access to an unauthorized formdata
|
||||
formdef.workflow_roles = {'_receiver': None}
|
||||
formdef.store()
|
||||
resp = app.get(formdata.get_url(), status=403)
|
||||
|
||||
# agent access via a tracking code (stays in frontoffice)
|
||||
formdef.workflow_roles = {'_receiver': role.id}
|
||||
formdef.enable_tracking_codes = True
|
||||
formdef.store()
|
||||
|
||||
code = pub.tracking_code_class()
|
||||
code.formdata = formdata
|
||||
code.store()
|
||||
|
||||
resp = app.get('/code/%s/load' % code.id)
|
||||
resp = resp.follow() # -> /test/1
|
||||
assert not 'backoffice' in resp.location
|
||||
resp = resp.follow() # -> /test/1/
|
||||
assert 'The form has been recorded' in resp.body
|
||||
|
||||
# authorized access but not backoffice access
|
||||
app = login(get_app(pub), username='admin', password='admin') # reset session
|
||||
resp = app.get(formdata.get_url())
|
||||
assert resp.location == formdata.get_url(backoffice=True) # check tracking code is no longer effective
|
||||
role.allows_backoffice_access = False
|
||||
role.store()
|
||||
resp = app.get(formdata.get_url())
|
||||
assert 'The form has been recorded' in resp.body
|
||||
|
||||
# agent access to own formdata (stays in frontoffice)
|
||||
formdata = formdef.data_class()()
|
||||
formdata.user_id = manager.id
|
||||
formdata.data = {}
|
||||
formdata.just_created()
|
||||
formdata.store()
|
||||
resp = app.get(formdata.get_url())
|
||||
assert 'The form has been recorded' in resp.body
|
||||
|
|
|
|||
|
|
@ -227,6 +227,12 @@ class FormStatusPage(Directory, FormTemplateMixin):
|
|||
|
||||
def _q_index(self):
|
||||
mine = self.check_auth()
|
||||
if not mine and not get_request().is_in_backoffice():
|
||||
# access authorized but the form doesn't belong to the user; if the
|
||||
# user has access to the backoffice, redirect.
|
||||
if get_request().user.can_go_in_backoffice():
|
||||
return redirect(self.filled.get_url(backoffice=True))
|
||||
|
||||
get_logger().info('form %s - id: %s - view' % (self.formdef.name, self.filled.id))
|
||||
|
||||
user = get_request().user
|
||||
|
|
|
|||
Loading…
Reference in New Issue