Commit c642be8e authored by oco-odoo

[FIX] survey: Avoid forbidding access to survey when the answer cookie corresponds to no actual answer

To reproduce:

1) Create a survey and open it with a portal user with its /survey/start/*** link

2) In a private window, connect as the admin and remove the answer in 'Not started yet' state that step 1 created.

3) Go back to your portal user window and re-enter the same /survey/start/*** URL.
==> The portal user is brought back to the home page. He has no way to access the survey anymore, the link will always redirect him there.

This is because of cookies. The first time the user opens the survey, it creates a cookie in his browser allowing him to reload the answer he was working on. In our example, this answer has been deleted for some reason (maybe some cleaning of too old 'not started' or 'in progress' stuff); so the token stored in the cookie does not correspond to anything anymore. Instead of crashing and redirecting to home page, this commit makes it so that we now ignore the cookie in that case, so that the user directly has access to the survey to build a new answer.

Task-2729738

closes odoo/odoo#82041

Signed-off-by: Thibault Delavallee (tde) <tde@openerp.com>
parent 0be94b7f
......@@ -223,10 +223,11 @@ class Survey(http.Controller):
access_data = self._get_access_data(survey_token, answer_token, ensure_token=False)
if answer_from_cookie and access_data['validity_code'] == 'answer_wrong_user':
# The cookie had been generated for another user; ignore this answer and redo the check.
answer_token = None
access_data = self._get_access_data(survey_token, answer_token, ensure_token=False)
if answer_from_cookie and access_data['validity_code'] in ('answer_wrong_user', 'token_wrong'):
# If the cookie had been generated for another user or does not correspond to any existing answer object
# (probably because it has been deleted), ignore it and redo the check.
# The cookie will be replaced by a legit value when resolving the URL, so we don't clean it further here.
access_data = self._get_access_data(survey_token, None, ensure_token=False)
if access_data['validity_code'] is not True:
return self._redirect_with_error(access_data, access_data['validity_code'])
......
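Review bot: The rewritten branch no longer resets the local `answer_token`. The previous code set `answer_token = None` before redoing the check, while the new call passes `None` straight to `self._get_access_data(survey_token, None, ensure_token=False)` and leaves the stale cookie value in the variable. If anything after this block still reads `answer_token`, it will see a token that was just judged invalid, so either keep the explicit reset or confirm that later code only uses `access_data`. The `answer_from_cookie` guard is worth keeping as is, because it ensures a `'token_wrong'` result for a token that did not come from the cookie still reaches `_redirect_with_error`. A regression test that follows the commit message's reproduction steps (start a survey, delete the 'Not started yet' answer, reload with the old cookie) would lock that behaviour in, and none is visible in this change.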