api: do not return any options in schema for sources linked to user (#67862)

2022-08-02 14:49:45 +02:00 · 2022-08-02 14:49:45 +02:00 · 3bcf1f3e2a
parent daf0f5a029
commit 3bcf1f3e2a
2 changed files with 38 additions and 1 deletions
--- a/tests/api/test_carddef.py
+++ b/tests/api/test_carddef.py
@ -219,6 +219,40 @@ def test_cards(pub, local_user):
    resp = get_app(pub).get('/api/cards/test/@schema', status=403)


+def test_carddef_schema_user_filtered_datasource(pub):
+    CardDef.wipe()
+    carddef = CardDef()
+    carddef.name = 'items'
+    carddef.user_support = 'optional'
+    carddef.digest_templates = {'default': '{{form_var_name}}'}
+    carddef.fields = [
+        fields.StringField(id='0', label='string', varname='name'),
+    ]
+    carddef.store()
+
+    for value in ['foo', 'bar', 'baz']:
+        carddata = carddef.data_class()()
+        carddata.data = {'0': value}
+        carddata.just_created()
+        carddata.store()
+
+    ds = {'type': 'carddef:%s' % carddef.url_name}
+    carddef2 = CardDef()
+    carddef2.name = 'foobar'
+    carddef2.fields = [
+        fields.ItemField(id='0', label='item', type='item', varname='foo', data_source=ds),
+    ]
+    carddef2.store()
+
+    resp = get_app(pub).get(sign_uri('/api/cards/foobar/@schema'), status=200)
+    assert resp.json['fields'][0]['items'] == ['bar', 'baz', 'foo']
+
+    carddef2.fields[0].data_source['type'] = 'carddef:%s:_with_user_filter' % carddef.url_name
+    carddef2.store()
+    resp = get_app(pub).get(sign_uri('/api/cards/foobar/@schema'), status=200)
+    assert resp.json['fields'][0]['items'] == []
+
+
 def test_carddef_schema_relations(pub):
    FormDef.wipe()
    CardDef.wipe()
--- a/wcs/carddef.py
+++ b/wcs/carddef.py
@ -204,7 +204,10 @@ class CardDef(FormDef):
            if parts[2] == '_with_user_filter':
                if not get_by_id:
                    variables = get_publisher().substitutions.get_context_variables(mode='lazy')
-                    user = variables['form_user']
+                    try:
+                        user = variables['form_user']
+                    except KeyError:
+                        user = None
                    criterias.append(Equal('user_id', str(user.id) if user else '-1'))
            else:
                if custom_view is None: