Commit 66cbbd41 authored by buttle's avatar buttle

Added Restricted Access to forms. Login required

parent feed2260
......@@ -31,8 +31,8 @@ babel = Babel(app)
csrf = CSRFProtect()
csrf.init_app(app)
app.config['APP_VERSION'] = 23
app.config['SCHEMA_VERSION'] = 11
app.config['APP_VERSION'] = 24
app.config['SCHEMA_VERSION'] = 12
app.config['RESERVED_SLUGS'] = ['static', 'admin', 'admins', 'user', 'users', 'form', 'forms', 'site', 'sites', 'update']
# DPL = Data Protection Law
......
......@@ -143,6 +143,12 @@ def migrateMongoSchema(schemaVersion):
mongo.db.sites.update_one({"_id": site["_id"]}, {"$unset": {'noreplyEmailAddress' :1},"$set": {"smtpConfig": smtpConfig} })
schemaVersion=11
if schemaVersion < 12:
# Add restrictedAccess
for form in mongo.db.forms.find():
mongo.db.forms.update_one({"_id": form["_id"]}, {"$set": {"restrictedAccess": False}})
schemaVersion=12
# this can't be a good migration setup :(
return schemaVersion
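Review bot: The new `schemaVersion < 12` step loops over `mongo.db.forms.find()` and issues one `update_one` per document to set the same constant, which is one round trip per form; `mongo.db.forms.update_many({}, {"$set": {"restrictedAccess": False}})` does the same in a single call with the same per-document atomicity. Defaulting every existing form to `False` keeps its pre-upgrade visibility (public), which is the right migration default, but that intent is worth stating in place of the bare "Add restrictedAccess" comment, e.g. `# existing forms stay public; owners opt in to restricted access from the share page`. migrateMongoSchema starts before the hunk and its return is the last visible line.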
......@@ -570,7 +570,12 @@ class Form(object):
self.form['sharedEntries']['enabled'] = False if self.form['sharedEntries']['enabled'] else True
mongo.db.forms.save(self.form)
return self.form['sharedEntries']['enabled']
def toggleRestrictedAccess(self):
self.form['restrictedAccess'] = False if self.form['restrictedAccess'] else True
mongo.db.forms.save(self.form)
return self.form['restrictedAccess']
def toggleNotification(self):
editor_id=str(g.current_user._id)
if editor_id in self.editors:
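Review bot: `False if self.form['restrictedAccess'] else True` in toggleRestrictedAccess is a roundabout spelling of `not`, and the bare subscript raises KeyError on any form document the schema-12 migration has not reached; `self.form['restrictedAccess'] = not self.form.get('restrictedAccess', False)` is clearer and treats an unmigrated document as previously public. A one-line docstring such as `"""Flip restrictedAccess on this form, persist it and return the new value."""` would tell callers that the return value is the post-toggle state. If the project runs on pymongo 3, `Collection.save` is deprecated there (removed in 4.0), but the sibling toggles use it too, so that is a separate cleanup. The enclosing Form class starts outside the hunk.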
......
......@@ -60,7 +60,7 @@
</tr>
{% endif %}
<tr>
<td>{%trans%}Is public{%endtrans%}</td>
<td>{%trans%}Published{%endtrans%}</td>
<td>
{% if form.editors[g.current_user._id|string] is defined %}
<div id="toggle_enabled" class="btn-group btn-toggle">
......@@ -136,7 +136,20 @@
{% endif %}
</td>
</tr>
<tr>
<td>{%trans%}Restricted access{%endtrans%}</td>
<td>
{% if form.editors[g.current_user._id|string] is defined %}
{% if form.data.restrictedAccess %}
<input class="btn-success btn btn-xs" type="button" value="{%trans%}True{%endtrans%}" onClick="location.href='/forms/share/{{form._id}}'" >
{% else %}
<input class="btn-primary btn btn-xs" type="button" value="{%trans%}False{%endtrans%}" onClick="location.href='/forms/share/{{form._id}}'" >
{% endif %}
{% else %}
{{ form.data.restrictedAccess }}
{% endif %}
</td>
</tr>
{% if form.site.isPersonalDataConsentEnabled() %}
<tr>
<td>{%trans%}Require consent{%endtrans%}</td>
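Review bot: In the non-editor branch of the new "Restricted access" row, `{{ form.data.restrictedAccess }}` renders the raw Python literal `True`/`False`, while the editor branch shows translated button labels, so the two audiences see different text for the same value; `{% if form.data.restrictedAccess %}{%trans%}True{%endtrans%}{% else %}{%trans%}False{%endtrans%}{% endif %}` keeps them consistent. Both editor buttons navigate to the same share page via an inline `onClick`, which mirrors the existing rows above the hunk rather than toggling in place, so a reader may want a short HTML comment saying the actual toggle lives on the share page.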
......
......@@ -30,11 +30,28 @@
</div>
</div>
<div class="container" style="padding-top:1em;">
<div class="container" style="padding-top:2em;">
<div class="row col-md-3"></div>
<div class="row col-md-9">
<div style="font-size:1.5em;">
{%trans%}Restricted access{%endtrans%}
</div>
{%trans%}Only visible to people with a user account (login required){%endtrans%}
<div style="padding-top:0.7em">
<span id="toggle_restrictedAccess" class="btn-group btn-toggle">
<button id="restrictedAccess_true" class="btn btn-xs btn-default {% if form.data.restrictedAccess %}btn-success{% endif %}">{%trans%}Restricted{%endtrans%}</button>
<button id="restrictedAccess_false" class="btn btn-xs btn-default {% if not form.data.restrictedAccess %}btn-primary{% endif %}">{%trans%}Public form{%endtrans%}</button>
</span>
</div>
</div>
</div>
<div class="container" style="padding-top:2em;">
<div class="row col-md-3"></div>
<div class="row col-md-5">
<div style="padding-top:1.2em; font-size:1.5em;">
<div style="font-size:1.5em;">
{%trans%}Editors{%endtrans%}
</div>
<div>
......@@ -123,6 +140,30 @@ document.getElementById('toggle_sharedEntries').addEventListener('click', functi
}
});
});
document.getElementById('toggle_restrictedAccess').addEventListener('click', function(evt){
$.ajax({
url : "/form/toggle-restricted-access/{{ form._id }}",
type: "POST",
dataType: "json",
beforeSend: function(xhr, settings) {
if (!/^(GET|HEAD|OPTIONS|TRACE)$/i.test(settings.type)) {
xhr.setRequestHeader("X-CSRFToken", csrftoken)
}
},
success: function(data, textStatus, jqXHR)
{
if (data.restricted == true) {
$('#restrictedAccess_true').addClass('btn-success');
$('#restrictedAccess_false').removeClass('btn-primary');
}
else if (data.restricted == false) {
$('#restrictedAccess_true').removeClass('btn-success');
$('#restrictedAccess_false').addClass('btn-primary');
}
}
});
});
</script>
{% endblock %}
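Review bot: The new click handler for `#toggle_restrictedAccess` compares the response with `data.restricted == true` / `== false`; the server sends a JSON boolean, so the strict `===` form is the conventional spelling and avoids `==` coercion surprises such as `"1" == true`. The `$.ajax` call has no `error:` callback, so a failed or rejected POST leaves both buttons showing the previous state with no feedback — an explicit `error: function(){ /* keep buttons as they are */ }` or a visible message would make that behaviour deliberate. The `beforeSend` CSRF header block duplicates the `toggle_sharedEntries` handler above it; a shared helper would keep the two in step.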
......@@ -101,6 +101,8 @@ def view_form(slug):
return render_template('form-has-expired.html'), 400
else:
return render_template('page-not-found.html'), 400
if queriedForm.data["restrictedAccess"] and not g.current_user:
return render_template('page-not-found.html'), 400
if request.method == 'POST':
formData=request.form.to_dict(flat=False)
......@@ -172,6 +174,8 @@ def view_csv(slug, key):
queriedForm = Form(slug=slug, key=key)
if not queriedForm or not queriedForm.areEntriesShared():
return render_template('page-not-found.html'), 400
if queriedForm.data["restrictedAccess"] and not g.current_user:
return render_template('page-not-found.html'), 400
csv_file = writeCSV(queriedForm)
......@@ -525,7 +529,8 @@ def save_form(_id=None):
"expireDate": None},
"afterSubmitText": afterSubmitText,
"log": [],
"requireDataConsent": g.site.isPersonalDataConsentEnabled()
"requireDataConsent": g.site.isPersonalDataConsentEnabled(),
"restrictedAccess": False
}
newForm=Form().insert(newFormData)
clearSessionFormData()
......@@ -591,6 +596,16 @@ def toggle_shared_entries(_id):
form.addLog(gettext("Shared entries set to: %s" % shared))
return JsonResponse(json.dumps({'enabled':shared}))
@app.route('/form/toggle-restricted-access/<string:_id>', methods=['POST'])
@enabled_user_required
def toggle_restricted_access(_id):
form=Form(_id=_id, editor=str(g.current_user._id))
if not form:
return JsonResponse(json.dumps())
access=form.toggleRestrictedAccess()
form.addLog(gettext("Restricted access set to: %s" % access))
return JsonResponse(json.dumps({'restricted':access}))
@app.route('/form/toggle-notification/<string:_id>', methods=['POST'])
@enabled_user_required
def toggle_form_notification(_id):
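Review bot: In toggle_restricted_access the not-found branch returns `JsonResponse(json.dumps())`, but `json.dumps` requires a positional argument, so that path raises TypeError and the client receives a 500 rather than a JSON reply; `return JsonResponse(json.dumps({'restricted': None}))` (or an explicit 4xx) is presumably what is intended, and the same shape may exist in the neighbouring toggle endpoints. The visibility checks added to view_form and view_csv read `queriedForm.data["restrictedAccess"]` with a bare subscript, which relies on the schema-12 migration having reached every form document; `queriedForm.data.get("restrictedAccess", False)` keeps the pre-migration meaning (public) without a KeyError, and treating a missing key as restricted would be the fail-closed alternative if that is preferred. In view_form the new check sits after the expiry and not-found branches, so an anonymous visitor can still tell an expired restricted form from a non-existent one; if that distinction matters, place the check ahead of those branches. Each of these functions starts outside its hunk.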
......