Merge pull request #418 from collective/fix-permission-for-saved-data…

…-restapi-serializer Fix permission for saved data restapi serializer
collective · Nov 3, 2023 · 8ef8abf · 8ef8abf
2 parents b5c2a4e + 91b9ab7
commit 8ef8abf
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 3 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -5,7 +5,8 @@ Changelog
 4.1.5 (unreleased)
 ------------------
 
-- Nothing changed yet.
+- check for "collective.easyform.DownloadSavedInput" permission, before including the saved data in serializer.
+  [MrTango]
 
 
 4.1.4 (2023-07-27)

diff --git a/api.http b/api.http
@@ -0,0 +1,9 @@
+@baseUrl = http://localhost:8080/Plone
+
+###
+
+get {{baseUrl}}/form
+
+###
+get {{baseUrl}}/form
+Authorization: Basic admin:admin
diff --git a/src/collective/easyform/serializer.py b/src/collective/easyform/serializer.py
@@ -12,6 +12,7 @@
 from zope.schema import getFieldsInOrder
 from zope.schema.interfaces import ISet, IDate, IDatetime
 
+from plone import api
 from plone.restapi.serializer.dxcontent import SerializeToJson as DXContentToJson
 from plone.restapi.deserializer.dxcontent import (
     DeserializeFromJson as DXContentFromJson,
@@ -24,6 +25,7 @@
 
 from collective.easyform.api import get_actions
 from collective.easyform.api import get_schema
+from collective.easyform.config import DOWNLOAD_SAVED_PERMISSION
 from collective.easyform.interfaces import IEasyForm
 from collective.easyform.interfaces import ISaveData
 from Products.CMFPlone.utils import safe_unicode
@@ -37,8 +39,8 @@
 class SerializeToJson(DXContentToJson):
     def __call__(self, version=None, include_items=True):
         result = super(SerializeToJson, self).__call__(version, include_items)
-        self.serializeSavedData(result)
-
+        if api.user.has_permission(DOWNLOAD_SAVED_PERMISSION, obj=self.context):
+            self.serializeSavedData(result)
         return result
 
     def serializeSavedData(self, result):