From a80a9e4f5e716102afee136d74f5a95a3caad1f0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20P=C3=A9ters?=
Date: Tue, 11 May 2021 15:26:43 +0200
Subject: [PATCH] api: don't mark API fake admin user as an API user (#53926)
---
 tests/api/test_carddef.py | 5 +++++
 wcs/api.py | 1 +
 2 files changed, 6 insertions(+)
diff --git a/tests/api/test_carddef.py b/tests/api/test_carddef.py
index bf6dcc249..7fbe88a73 100644
--- a/tests/api/test_carddef.py
+++ b/tests/api/test_carddef.py
@@ -157,6 +157,11 @@ def test_cards(pub, local_user):
 assert resp.json['data'][0]['digest'] == formdata.digest
 assert resp.json['data'][0]['text'] == formdata.digest
+ # get single carddata (as signed request without any user specified, so
+ # no check for permissions)
+ resp = get_app(pub).get(sign_uri('/api/cards/test/%s/' % formdata.id))
+ assert resp.json['text'] == formdata.digest
+
 # get schema
 resp = get_app(pub).get(sign_uri('/api/cards/test/@schema'), status=200)
 assert len(resp.json['fields']) == 1
diff --git a/wcs/api.py b/wcs/api.py
index 4cfe3b5c2..66cba1db6 100644
--- a/wcs/api.py
+++ b/wcs/api.py
@@ -264,6 +264,7 @@ class ApiCardPage(ApiFormPageMixin, BackofficeCardPage):
 class ApiAdminUser:
 is_admin = True
 anonymous = True
+ is_api_user = False
 get_request()._user = ApiAdminUser()
 return True
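Review bot: The added block in `test_cards` (tests/api/test_carddef.py) covers only the success path, where a signed request with no user reads a single card "with no check for permissions". The same URL requested without `sign_uri` is never asserted to be refused, and that refusal is the property the permission bypass depends on. Unless it is already covered in the part of `test_cards` outside this hunk, I would add the negative case right after the new assertion, for example `get_app(pub).get('/api/cards/test/%s/' % formdata.id, status=403)`, where 403 is a placeholder for whatever status the API actually returns to an unsigned caller. `test_cards` starts and continues outside the hunk.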
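Review bot: The `ApiAdminUser` stand-in in wcs/api.py is now three hand-set flags (`is_admin = True`, `anonymous = True`, `is_api_user = False`) with no comment saying why an admin-equivalent user is installed on the request or why it must not count as an API user. Since `is_admin = True` appears to be what lets a signed request that names no user skip permission checks, I would put a comment above the class such as `# stand-in user for signed requests that name no user: admin rights, not an API user (see #53926)`. It should also name the check that guards this branch, presumably the signature validation, which is not visible here. The enclosing method starts outside the hunk, so what actually reads `is_api_user` is inferred from the commit title only.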