api: check status visibility against authenticated API user (#29588)
* thread user through get_json_export_dict() and get_visible_status() * modify test_api_list_formdata to get forms with the just_submitted status.
parent
2b14b99f74
commit
c8023e67f9
|
@ -1480,6 +1480,8 @@ def test_api_list_formdata(pub, local_user):
|
|||
formdata.just_created()
|
||||
if i%3 == 0:
|
||||
formdata.jump_status('new')
|
||||
elif i%3 == 1:
|
||||
formdata.jump_status('just_submitted')
|
||||
else:
|
||||
formdata.jump_status('finished')
|
||||
if i%7 == 0:
|
||||
|
@ -1514,6 +1516,7 @@ def test_api_list_formdata(pub, local_user):
|
|||
assert 'time' in resp.json[0]['evolution'][0]
|
||||
assert resp.json[0]['evolution'][0]['who']['id'] == local_user.id
|
||||
|
||||
assert all('status' in x['workflow'] for x in resp.json)
|
||||
assert [x for x in resp.json if x['fields']['foobar'] == 'FOO BAR 0'][0]['submission']['backoffice'] is True
|
||||
assert [x for x in resp.json if x['fields']['foobar'] == 'FOO BAR 0'][0]['submission']['channel'] == 'mail'
|
||||
assert [x for x in resp.json if x['fields']['foobar'] == 'FOO BAR 1'][0]['submission']['backoffice'] is False
|
||||
|
@ -1529,9 +1532,9 @@ def test_api_list_formdata(pub, local_user):
|
|||
|
||||
# check filter on status
|
||||
resp = get_app(pub).get(sign_uri('/api/forms/test/list?filter=pending', user=local_user))
|
||||
assert len(resp.json) == 10
|
||||
resp = get_app(pub).get(sign_uri('/api/forms/test/list?filter=done', user=local_user))
|
||||
assert len(resp.json) == 20
|
||||
resp = get_app(pub).get(sign_uri('/api/forms/test/list?filter=done', user=local_user))
|
||||
assert len(resp.json) == 10
|
||||
resp = get_app(pub).get(sign_uri('/api/forms/test/list?filter=all', user=local_user))
|
||||
assert len(resp.json) == 30
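Review bot: The new assertions in `test_api_list_formdata` do not exercise the access-control case this commit is about. `assert all('status' in x['workflow'] for x in resp.json)` only shows that the signing user gets a status; it does not show that a status hidden from the API user is withheld, or that the result follows the `user=` given to `sign_uri` rather than a session user. A complementary request signed for a second user who lacks visibility on the workflow status, asserting `'status' not in x['workflow']` for the affected entries, would pin that behaviour. The test body continues outside the visible hunks, so check that such a case is not already covered there.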
|
||||
|
||||
|
|
|
@ -102,7 +102,7 @@ def get_formdata_dict(formdata, user, consider_status_visibility=True):
|
|||
|
||||
d.update(formdata.get_static_substitution_variables(minimal=True))
|
||||
if get_request().form.get('full') == 'on':
|
||||
d.update(formdata.get_json_export_dict(include_files=False))
|
||||
d.update(formdata.get_json_export_dict(include_files=False, user=user))
|
||||
return d
|
||||
|
||||
|
||||
|
|
|
@ -1632,7 +1632,7 @@ class FormPage(Directory):
|
|||
if get_publisher().is_using_postgresql():
|
||||
self.formdef.data_class().load_all_evolutions(items)
|
||||
if get_request().form.get('full') == 'on':
|
||||
output = [filled.get_json_export_dict(include_files=False, anonymise=anonymise)
|
||||
output = [filled.get_json_export_dict(include_files=False, anonymise=anonymise, user=user)
|
||||
for filled in items]
|
||||
else:
|
||||
output = [{'id': filled.id,
|
||||
|
|
|
@ -230,10 +230,10 @@ class Evolution(object):
|
|||
status = self.get_status()
|
||||
return status.name if status else _('Unknown')
|
||||
|
||||
def is_hidden(self):
|
||||
def is_hidden(self, user=None):
|
||||
status = self.get_status()
|
||||
if status:
|
||||
return not status.is_visible(self.formdata, get_request().user)
|
||||
return not status.is_visible(self.formdata, user or get_request().user)
|
||||
return True
|
||||
|
||||
|
||||
|
@ -509,11 +509,11 @@ class FormData(StorableObject):
|
|||
return wf_status
|
||||
return None
|
||||
|
||||
def get_visible_evolution_parts(self):
|
||||
def get_visible_evolution_parts(self, user=None):
|
||||
last_seen_status = None
|
||||
last_seen_author = None
|
||||
for evolution_part in self.evolution or []:
|
||||
if evolution_part.is_hidden():
|
||||
if evolution_part.is_hidden(user=user):
|
||||
continue
|
||||
if (evolution_part.status is None or last_seen_status == evolution_part.status) and (
|
||||
evolution_part.who is None or last_seen_author == evolution_part.who):
|
||||
|
@ -946,7 +946,7 @@ class FormData(StorableObject):
|
|||
'name': self.formdef.name,
|
||||
'id': self.get_display_id()}
|
||||
|
||||
def get_json_export_dict(self, include_files=True, anonymise=False):
|
||||
def get_json_export_dict(self, include_files=True, anonymise=False, user=None):
|
||||
data = {}
|
||||
data['id'] = str(self.id)
|
||||
data['display_id'] = self.get_display_id()
|
||||
|
@ -968,7 +968,7 @@ class FormData(StorableObject):
|
|||
include_files=include_files, anonymise=anonymise)
|
||||
|
||||
data['workflow'] = {}
|
||||
wf_status = self.get_visible_status()
|
||||
wf_status = self.get_visible_status(user)
|
||||
if wf_status:
|
||||
data['workflow']['status'] = {'id': wf_status.id, 'name': wf_status.name}
|
||||
# Workflow data have unknown purpose, do not store them in anonymised export
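Review bot: In `Evolution.is_hidden`, `user or get_request().user` makes `None` mean "fall back to the request user", so a caller cannot ask for a no-user evaluation. If the API layer resolves no user and passes `user=None`, visibility is again decided by whatever `get_request().user` holds, which is the mismatch this commit sets out to remove. A distinct default would keep the two cases apart, e.g. a module-level `_REQUEST_USER = object()` with `if user is _REQUEST_USER: user = get_request().user`, so that an explicit `None` reaches `status.is_visible` unchanged (assuming `is_visible` accepts a `None` user). The same `user=None` default appears on `get_visible_evolution_parts` and `get_json_export_dict`, and the body of `get_visible_status` is outside the visible hunks, so its handling of `None` should be checked too. No visible hunk passes `user` to `get_visible_evolution_parts`; confirm its callers on the API path do.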
|
||||
|
|