api: add backoffice-submission parameters to formdefs endpoints (#17689)

help/fr/api-schema.page

@@ -69,6 +69,12 @@ URL <code>/json</code> autrement.
 </p>
 </note>
 
+<p>
+La liste des formulaires accessibles à un utilisateur dans le but de faire une
+saisie backoffice est disponible, sous le même format, via l'URL
+<code>/api/formdefs/?backoffice-submission=on</code>.
+</p>
+
 
 </section>
 
@@ -114,6 +120,11 @@ Les formulaires d'une catégorie précise sont disponibles à l'URL
        https://www.example.net/api/categories/inscriptions/formdefs/</input>
 </screen>
 
+<p>
+Comme pour la liste des formulaires en général, on peut ajouter l'argument
+<code>?backoffice-submission=on</code> à cette URL, pour n'obtenir que les
+formulaires de la catégorie accessibles en saisie backoffice.
+</p>
 
 
 </section>

tests/test_api.py

@@ -327,6 +327,10 @@ def test_formdef_list(pub):
     assert resp1.json[0]['functions']['_receiver']['role']['slug'] == role.slug
     assert resp1.json[0]['functions']['_receiver']['role']['name'] == role.name
 
+    # backoffice_submission formdef : none
+    resp1 = get_app(pub).get('/api/formdefs/?backoffice-submission=on')
+    assert len(resp1.json) == 0
+
 def test_limited_formdef_list(pub, local_user):
     Role.wipe()
     role = Role(name='Foo bar')
@@ -343,6 +347,9 @@ def test_limited_formdef_list(pub, local_user):
 
     resp = get_app(pub).get('/api/formdefs/')
     assert len(resp.json) == 1
+    # not present in backoffice-submission formdefs
+    resp = get_app(pub).get('/api/formdefs/?backoffice-submission=on')
+    assert len(resp.json) == 0
 
     # check it's not advertised
     formdef.roles = [role.id]
@@ -353,6 +360,9 @@ def test_limited_formdef_list(pub, local_user):
     resp4 = get_app(pub).get(sign_uri('/api/formdefs/?NameID=%s' % local_user.name_identifiers[0]))
     assert len(resp.json) == 0
     assert resp.json == resp2.json == resp3.json == resp4.json
+    # still not present in backoffice-submission formdefs
+    resp = get_app(pub).get('/api/formdefs/?backoffice-submission=on')
+    assert len(resp.json) == 0
 
     # unless user has correct roles
     local_user.roles = [role.id]
@@ -394,6 +404,48 @@ def test_formdef_list_redirection(pub):
     assert resp1.json[0]['count'] == 0
     assert resp1.json[0]['redirection'] == True
 
+def test_backoffice_submission_formdef_list(pub, local_user):
+    Role.wipe()
+    role = Role(name='Foo bar')
+    role.id = '14'
+    role.store()
+
+    FormDef.wipe()
+    formdef = FormDef()
+    formdef.name = 'test'
+    formdef.description = 'plop'
+    formdef.workflow_roles = {'_receiver': str(role.id)}
+    formdef.fields = []
+    formdef.store()
+
+    resp = get_app(pub).get('/api/formdefs/?backoffice-submission=on')
+    assert len(resp.json) == 0
+
+    # check it's not advertised ...
+    formdef.backoffice_submission_roles = [role.id]
+    formdef.store()
+    resp = get_app(pub).get('/api/formdefs/?backoffice-submission=on')
+    assert len(resp.json) == 0
+
+    # even if it's advertised on frontoffice
+    formdef.always_advertise = True
+    formdef.store()
+    resp = get_app(pub).get('/api/formdefs/?backoffice-submission=on')
+    assert len(resp.json) == 0
+
+    # ... unless user has correct roles
+    local_user.roles = [role.id]
+    local_user.store()
+    resp = get_app(pub).get(sign_uri('/api/formdefs/?backoffice-submission=on&NameID=%s' %
+                                     local_user.name_identifiers[0]))
+    assert len(resp.json) == 1
+
+    # but not advertised if it's a redirection
+    formdef.disabled = True
+    formdef.disabled_redirection = 'http://example.net'
+    formdef.store()
+    resp = get_app(pub).get('/api/formdefs/?backoffice-submission=on')
+    assert len(resp.json) == 0
 
 def test_formdef_schema(pub):
     Workflow.wipe()
@@ -828,8 +880,29 @@ def test_categories_private(pub, local_user):
     resp = get_app(pub).get(sign_uri('http://example.net/api/categories/', local_user))
     assert len(resp.json['data']) == 1
 
-def test_categories_formdefs(pub):
-    test_categories(pub)
+def test_categories_formdefs(pub, local_user):
+    FormDef.wipe()
+    Category.wipe()
+    category = Category()
+    category.name = 'Category'
+    category.description = 'hello world'
+    category.store()
+
+    formdef = FormDef()
+    formdef.name = 'test'
+    formdef.category_id = category.id
+    formdef.fields = []
+    formdef.keywords = 'mobile, test'
+    formdef.store()
+    formdef.data_class().wipe()
+
+    formdef = FormDef()
+    formdef.name = 'test 2'
+    formdef.category_id = category.id
+    formdef.fields = []
+    formdef.keywords = 'foobar'
+    formdef.store()
+    formdef.data_class().wipe()
 
     formdef2 = FormDef()
     formdef2.name = 'other test'
@@ -851,6 +924,31 @@ def test_categories_formdefs(pub):
 
     get_app(pub).get('/api/categories/XXX/formdefs/', status=404)
 
+    resp = get_app(pub).get('/api/categories/category/formdefs/?backoffice-submission=on')
+    assert len(resp.json) == 0
+
+    Role.wipe()
+    role = Role(name='test')
+    role.store()
+    local_user.roles = []
+    local_user.store()
+    # check it's not advertised ...
+    formdef.backoffice_submission_roles = [role.id]
+    formdef.store()
+    resp = get_app(pub).get('/api/categories/category/formdefs/?backoffice-submission=on')
+    assert len(resp.json) == 0
+    resp = get_app(pub).get(sign_uri(
+        '/api/categories/category/formdefs/?backoffice-submission=on&NameID=%s' %
+        local_user.name_identifiers[0]))
+    assert len(resp.json) == 0
+    # ... unless user has correct roles
+    local_user.roles = [role.id]
+    local_user.store()
+    resp = get_app(pub).get(sign_uri(
+        '/api/categories/category/formdefs/?backoffice-submission=on&NameID=%s' %
+        local_user.name_identifiers[0]))
+    assert len(resp.json) == 1
+
 def test_categories_full(pub):
     test_categories(pub)
     resp = get_app(pub).get('/api/categories/?full=on')

wcs/api.py

@@ -342,12 +342,20 @@ class ApiFormdefsDirectory(Directory):
     def __init__(self, category=None):
         self.category = category
 
-    def get_list_forms(self, user, list_all_forms=False, formdefs=None):
+    def get_list_forms(self, user, list_all_forms=False, formdefs=None,
+                       backoffice_submission=False):
         list_forms = []
+
+        if not user and backoffice_submission:
+            return list_forms
+
         if formdefs is None:
             formdefs = FormDef.select(order_by='name', ignore_errors=True)
 
-        formdefs = [x for x in formdefs if not x.is_disabled() or x.disabled_redirection]
+        if backoffice_submission:
+            formdefs = [x for x in formdefs if not x.is_disabled()]
+        else:
+            formdefs = [x for x in formdefs if not x.is_disabled() or x.disabled_redirection]
 
         if self.category:
             formdefs = [x for x in formdefs if str(x.category_id) == str(self.category.id)]
@@ -356,7 +364,7 @@ class ApiFormdefsDirectory(Directory):
 
         for formdef in formdefs:
             authentication_required = False
-            if formdef.roles and not list_all_forms:
+            if formdef.roles and not list_all_forms and not backoffice_submission:
                 if not user:
                     if not formdef.always_advertise:
                         continue
@@ -369,6 +377,14 @@ class ApiFormdefsDirectory(Directory):
                         if not formdef.always_advertise:
                             continue
                         authentication_required = True
+            elif backoffice_submission and not list_all_forms:
+                if not formdef.backoffice_submission_roles:
+                    continue
+                for role in user.roles or []:
+                    if role in formdef.backoffice_submission_roles:
+                        break
+                else:
+                    continue
 
             formdict = {'title': unicode(formdef.name, charset),
                         'slug': formdef.url_name,
@@ -421,8 +437,10 @@ class ApiFormdefsDirectory(Directory):
             # webservice call.
             user = False
         list_all_forms = (user and user.is_admin) or (is_url_signed() and user is None)
+        backoffice_submission = get_request().form.get('backoffice-submission') == 'on'
 
-        list_forms = self.get_list_forms(user, list_all_forms)
+        list_forms = self.get_list_forms(user, list_all_forms,
+                                         backoffice_submission=backoffice_submission)
 
         list_forms.sort(lambda x, y: cmp(x['category_position'], y['category_position']))
         for formdict in list_forms:
@@ -461,6 +479,7 @@ class ApiCategoriesDirectory(Directory):
             # users.
             user = None
         list_all_forms = (user and user.is_admin) or (is_url_signed() and user is None)
+        backoffice_submission = get_request().form.get('backoffice-submission') == 'on'
         list_categories = []
         charset = get_publisher().site_charset
         categories = Category.select()
@@ -474,7 +493,8 @@ class ApiCategoriesDirectory(Directory):
             if category.description:
                 d['description'] = unicode(str(category.get_description_html_text(editable=False)), charset)
             formdefs = ApiFormdefsDirectory(category).get_list_forms(user,
-                    formdefs=all_formdefs, list_all_forms=list_all_forms)
+                    formdefs=all_formdefs, list_all_forms=list_all_forms,
+                    backoffice_submission=backoffice_submission)
             if not formdefs:
                 # don't advertise empty categories
                 continue