From 1bd342dd5f0f36fdf969b8327892db59a79d6ef6 Mon Sep 17 00:00:00 2001
From: MrTango
Date: Thu, 2 Nov 2023 18:03:19 +0200
Subject: [PATCH 1/3] check for "collective.easyform.DownloadSavedInput" permission, before including the saved data in serializer
---
 CHANGES.rst | 3 ++-
 src/collective/easyform/serializer.py | 5 +++--
 2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/CHANGES.rst b/CHANGES.rst
index 6d455259..dd8620f1 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -5,7 +5,8 @@ Changelog
 4.1.5 (unreleased)
 ------------------
-- Nothing changed yet.
+- check for "collective.easyform.DownloadSavedInput" permission, before including the saved data in serializer.
+ [MrTango]
 4.1.4 (2023-07-27)
diff --git a/src/collective/easyform/serializer.py b/src/collective/easyform/serializer.py
index 80e2da5b..0db1fa5b 100644
--- a/src/collective/easyform/serializer.py
+++ b/src/collective/easyform/serializer.py
@@ -12,6 +12,7 @@ from zope.schema import getFieldsInOrder
 from zope.schema.interfaces import ISet, IDate, IDatetime
+from plone import api
 from plone.restapi.serializer.dxcontent import SerializeToJson as DXContentToJson
 from plone.restapi.deserializer.dxcontent import (
 DeserializeFromJson as DXContentFromJson,
@@ -37,8 +38,8 @@ class SerializeToJson(DXContentToJson):
 def __call__(self, version=None, include_items=True):
 result = super(SerializeToJson, self).__call__(version, include_items)
- self.serializeSavedData(result)
-
+ if api.user.has_permission('collective.easyform.DownloadSavedInput', obj=self.context):
+ self.serializeSavedData(result)
 return result
 def serializeSavedData(self, result):
From d202c9d86731ea3673c2bb7a3903c0f41a5fe7eb Mon Sep 17 00:00:00 2001
From: MrTango
Date: Thu, 2 Nov 2023 18:07:19 +0200
Subject: [PATCH 2/3] Add example config for VS Code REST Client (Huachao Mao)
---
 api.http | 9 +++++++++
 1 file changed, 9 insertions(+)
 create mode 100644 api.http
diff --git a/api.http b/api.http
new file mode 100644
index 00000000..0fd1dd05
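Review bot: The permission gate added to `SerializeToJson.__call__` in src/collective/easyform/serializer.py (last hunk of patch 1/3; patch 3/3 rewrites the same line) has no accompanying test: the diffstat lists only CHANGES.rst and serializer.py, so nothing pins that a caller without `collective.easyform.DownloadSavedInput` receives the form without its saved data. A short comment above the check would also record the intent, e.g. `# Saved submissions may contain personal data: serialize them only for users allowed to download saved input.` Whether the deserializer in this module (the file imports `DeserializeFromJson`) applies a comparable check on the write path is not visible here and is worth confirming. The class body continues outside the hunk.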
--- /dev/null
+++ b/api.http
@@ -0,0 +1,9 @@
+@baseUrl = http://localhost:8080/Plone
+
+###
+
+get {{baseUrl}}/form
+
+###
+get {{baseUrl}}/form
+Authorization: Basic admin:admin
From 91b9ab733b4d05ef3b4ef25b7d7e6173950afc07 Mon Sep 17 00:00:00 2001
From: MrTango
Date: Fri, 3 Nov 2023 10:20:28 +0200
Subject: [PATCH 3/3] import DOWNLOAD_SAVED_PERMISSION instead of direcly define the perm string again
---
 src/collective/easyform/serializer.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/collective/easyform/serializer.py b/src/collective/easyform/serializer.py
index 0db1fa5b..14a1ab03 100644
--- a/src/collective/easyform/serializer.py
+++ b/src/collective/easyform/serializer.py
@@ -25,6 +25,7 @@ from collective.easyform.api import get_actions
 from collective.easyform.api import get_schema
+from collective.easyform.config import DOWNLOAD_SAVED_PERMISSION
 from collective.easyform.interfaces import IEasyForm
 from collective.easyform.interfaces import ISaveData
 from Products.CMFPlone.utils import safe_unicode
@@ -38,7 +39,7 @@ class SerializeToJson(DXContentToJson):
 def __call__(self, version=None, include_items=True):
 result = super(SerializeToJson, self).__call__(version, include_items)
- if api.user.has_permission('collective.easyform.DownloadSavedInput', obj=self.context):
+ if api.user.has_permission(DOWNLOAD_SAVED_PERMISSION, obj=self.context):
 self.serializeSavedData(result)
 return result
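Review bot: The last request in api.http commits `Authorization: Basic admin:admin`, presumably the local development administrator, as a literal credential at the repository root; example files like this tend to be copied to shared instances and are flagged by secret scanners. REST Client can take the value from a local `.env` file instead, e.g. `Authorization: Basic {{$dotenv PLONE_USER}}:{{$dotenv PLONE_PASSWORD}}` (variable names are placeholders), with the `.env` file kept out of version control. The two requests contrast only an anonymous caller with the administrator; a third request as an authenticated user who lacks the download permission would cover the case the permission check in patch 1/3 is about.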