api: check status visibility against authenticated API user (#29588)

* thread user through get_json_export_dict() and get_visible_status() * modify test_api_list_formdata to get forms with the just_submitted status.
2019-01-09 13:12:04 +01:00 · 2019-01-09 13:12:04 +01:00 · c8023e67f9
parent 2b14b99f74
commit c8023e67f9
4 changed files with 13 additions and 10 deletions
--- a/tests/test_api.py
+++ b/tests/test_api.py
@ -1480,6 +1480,8 @@ def test_api_list_formdata(pub, local_user):
        formdata.just_created()
        if i%3 == 0:
            formdata.jump_status('new')
+        elif i%3 == 1:
+            formdata.jump_status('just_submitted')
        else:
            formdata.jump_status('finished')
        if i%7 == 0:
@ -1514,6 +1516,7 @@ def test_api_list_formdata(pub, local_user):
    assert 'time' in resp.json[0]['evolution'][0]
    assert resp.json[0]['evolution'][0]['who']['id'] == local_user.id

+    assert all('status' in x['workflow'] for x in resp.json)
    assert [x for x in resp.json if x['fields']['foobar'] == 'FOO BAR 0'][0]['submission']['backoffice'] is True
    assert [x for x in resp.json if x['fields']['foobar'] == 'FOO BAR 0'][0]['submission']['channel'] == 'mail'
    assert [x for x in resp.json if x['fields']['foobar'] == 'FOO BAR 1'][0]['submission']['backoffice'] is False
@ -1529,9 +1532,9 @@ def test_api_list_formdata(pub, local_user):

    # check filter on status
    resp = get_app(pub).get(sign_uri('/api/forms/test/list?filter=pending', user=local_user))
-    assert len(resp.json) == 10
-    resp = get_app(pub).get(sign_uri('/api/forms/test/list?filter=done', user=local_user))
    assert len(resp.json) == 20
+    resp = get_app(pub).get(sign_uri('/api/forms/test/list?filter=done', user=local_user))
+    assert len(resp.json) == 10
    resp = get_app(pub).get(sign_uri('/api/forms/test/list?filter=all', user=local_user))
    assert len(resp.json) == 30

--- a/wcs/api.py
+++ b/wcs/api.py
@ -102,7 +102,7 @@ def get_formdata_dict(formdata, user, consider_status_visibility=True):

    d.update(formdata.get_static_substitution_variables(minimal=True))
    if get_request().form.get('full') == 'on':
-        d.update(formdata.get_json_export_dict(include_files=False))
+        d.update(formdata.get_json_export_dict(include_files=False, user=user))
    return d


--- a/wcs/backoffice/management.py
+++ b/wcs/backoffice/management.py
@ -1632,7 +1632,7 @@ class FormPage(Directory):
        if get_publisher().is_using_postgresql():
            self.formdef.data_class().load_all_evolutions(items)
        if get_request().form.get('full') == 'on':
-            output = [filled.get_json_export_dict(include_files=False, anonymise=anonymise)
+            output = [filled.get_json_export_dict(include_files=False, anonymise=anonymise, user=user)
                      for filled in items]
        else:
            output = [{'id': filled.id,
--- a/wcs/formdata.py
+++ b/wcs/formdata.py
@ -230,10 +230,10 @@ class Evolution(object):
        status = self.get_status()
        return status.name if status else _('Unknown')

-    def is_hidden(self):
+    def is_hidden(self, user=None):
        status = self.get_status()
        if status:
-            return not status.is_visible(self.formdata, get_request().user)
+            return not status.is_visible(self.formdata, user or get_request().user)
        return True


@ -509,11 +509,11 @@ class FormData(StorableObject):
            return wf_status
        return None

-    def get_visible_evolution_parts(self):
+    def get_visible_evolution_parts(self, user=None):
        last_seen_status = None
        last_seen_author = None
        for evolution_part in self.evolution or []:
-            if evolution_part.is_hidden():
+            if evolution_part.is_hidden(user=user):
                continue
            if (evolution_part.status is None or last_seen_status == evolution_part.status) and (
                    evolution_part.who is None or last_seen_author == evolution_part.who):
@ -946,7 +946,7 @@ class FormData(StorableObject):
                'name': self.formdef.name,
                'id': self.get_display_id()}

-    def get_json_export_dict(self, include_files=True, anonymise=False):
+    def get_json_export_dict(self, include_files=True, anonymise=False, user=None):
        data = {}
        data['id'] = str(self.id)
        data['display_id'] = self.get_display_id()
@ -968,7 +968,7 @@ class FormData(StorableObject):
                include_files=include_files, anonymise=anonymise)

        data['workflow'] = {}
-        wf_status = self.get_visible_status()
+        wf_status = self.get_visible_status(user)
        if wf_status:
            data['workflow']['status'] = {'id': wf_status.id, 'name': wf_status.name}
        # Workflow data have unknown purpose, do not store them in anonymised export