misc: disable verification after tracking code, for the submitter (#64437)

2022-04-21 15:54:54 +02:00 · 2022-04-21 15:54:54 +02:00 · 41ecc47858
parent 033f80f2f2
commit 41ecc47858
2 changed files with 38 additions and 0 deletions
--- a/tests/form_pages/test_all.py
+++ b/tests/form_pages/test_all.py
@ -2062,6 +2062,41 @@ def test_form_tracking_code_email(pub, emails, nocache):
    assert resp.forms[1]['f0'].value == 'barfoo'


+def test_form_tracking_code_email_and_verification(pub, emails, nocache):
+    formdef = create_formdef()
+    formdef.fields = [
+        fields.StringField(id='0', label='string1', required=False),
+        fields.StringField(id='1', label='string2', required=False),
+        fields.DateField(id='2', label='date', required=False),
+    ]
+    formdef.enable_tracking_codes = True
+    formdef.tracking_code_verify_fields = ['0', '1', '2']
+    formdef.store()
+
+    app = get_app(pub)
+    resp = app.get('/test/')
+    resp.form['f0'] = 'barfoo'
+    # autosave will be made using javascript in real world
+    app.post('/test/autosave', params=resp.form.submit_fields())
+
+    tracking_code = get_displayed_tracking_code(resp)
+    assert tracking_code is not None
+
+    resp = app.get('/test/code/%s/' % tracking_code)
+    assert '<h2>Keep your tracking code</h2>' in resp.text
+    resp.forms[0]['email'] = 'foo@localhost'
+    resp = resp.forms[0].submit()
+    assert emails.get('Tracking Code reminder')
+    assert tracking_code in emails.get('Tracking Code reminder')['payload']
+    assert resp.location == 'http://example.net/test/code/%s/load' % tracking_code
+
+    # returns to the form, without verification: formdata is mine
+    resp = resp.follow()
+    resp = resp.follow()
+    resp = resp.follow()
+    assert resp.forms[1]['f0'].value == 'barfoo'
+
+
 def test_form_tracking_code_email_antibot(pub, emails, nocache):
    formdef = create_formdef()
    formdef.data_class().wipe()
--- a/wcs/forms/root.py
+++ b/wcs/forms/root.py
@ -191,6 +191,9 @@ class TrackingCodeDirectory(Directory):
        if get_request().is_from_bot():
            raise errors.AccessForbiddenError()

+        if formdata.is_submitter(get_request().user):
+            return redirect(formdata.get_url())
+
        verify_fields = []
        for field in formdata.formdef.fields:
            if field.id in (formdata.formdef.tracking_code_verify_fields or []):