Retrieve username from request object and not xform object

docs/index.rst

@@ -281,6 +281,14 @@ The following is a jquery code snippet on how to make a CORS request.
        },
    });
 
+Formlist for preview urls
+--------------------------
+To generate a preview url for enketo, use the following formlist url format
+::
+
+    https://api.ona.io/<username>/formList
+
+
 
 Quick start
 -----------

onadata/apps/api/tests/viewsets/test_xform_list_viewset.py

@@ -8,7 +8,9 @@
 
 from onadata.apps.api.tests.viewsets.test_abstract_viewset import\
     TestAbstractViewSet
-from onadata.apps.api.viewsets.xform_list_viewset import XFormListViewSet
+from onadata.apps.api.viewsets.xform_list_viewset import (
+    XFormListViewSet, PreviewXFormListViewSet
+)
 from onadata.apps.api.viewsets.project_viewset import ProjectViewSet
 from onadata.libs.permissions import DataEntryRole
 from onadata.libs.permissions import ReadOnlyRole
@@ -109,6 +111,60 @@ def test_get_xform_list_with_malformed_cookie(self):
             response.data.get('detail'),
             u'JWT DecodeError: Not enough segments')
 
+    @patch('onadata.apps.api.viewsets.project_viewset.send_mail')
+    def test_read_only_users_get_non_empty_formlist_using_preview_formlist(
+            self, mock_send_mail):
+        alice_data = {'username': 'alice', 'email': 'alice@localhost.com',
+                      'password1': 'alice', 'password2': 'alice'}
+        alice_profile = self._create_user_profile(alice_data)
+
+        self.assertFalse(
+            ReadOnlyRole.user_has_role(alice_profile.user, self.project))
+
+        # share bob's project with alice
+        data = {'username': 'alice',
+                'role': ReadOnlyRole.name,
+                'email_msg': 'I have shared the project with you'}
+        request = self.factory.post('/', data=data, **self.extra)
+        share_view = ProjectViewSet.as_view({
+            'post': 'share'
+        })
+        projectid = self.project.pk
+        response = share_view(request, pk=projectid)
+        self.assertEqual(response.status_code, 204)
+        self.assertTrue(mock_send_mail.called)
+        self.assertTrue(
+            ReadOnlyRole.user_has_role(alice_profile.user, self.project))
+
+        # check that she can authenticate successfully
+        request = self.factory.get('/')
+        response = self.view(request)
+        self.assertEqual(response.status_code, 401)
+        auth = DigestAuth('alice', 'alice')
+        request.META.update(auth(request.META, response))
+        response = self.view(request, username='bob')
+        self.assertEqual(response.status_code, 200)
+        # check that alice gets an empty response when requesting bob's
+        # formlist
+        self.assertEqual(response.data, [])
+
+        # set endpoint to preview formList
+        self.view = PreviewXFormListViewSet.as_view({
+            "get": "list"
+        })
+
+        request = self.factory.get('/')
+        response = self.view(request)
+        self.assertEqual(response.status_code, 401)
+        self.assertNotEqual(response.data, [])
+        auth = DigestAuth('alice', 'alice')
+        request.META.update(auth(request.META, response))
+        response = self.view(request, username='bob')
+        self.assertEqual(response.status_code, 200)
+        # check that alice does NOT get an empty response when requesting bob's
+        # formlist when using the preview formlist endpoint
+        self.assertNotEqual(response.data, [])
+
     @patch('onadata.apps.api.viewsets.project_viewset.send_mail')
     def test_get_xform_list_with_shared_forms(self, mock_send_mail):
         # create user alice

onadata/apps/api/viewsets/xform_list_viewset.py

@@ -141,3 +141,8 @@ def media(self, request, *args, **kwargs):
             MetaData, data_type='media', object_id=self.object.pk, pk=pk)
 
         return get_media_file_response(meta_obj, request)
+
+
+class PreviewXFormListViewSet(XFormListViewSet):
+    filter_backends = (filters.AnonDjangoObjectPermissionFilter,)
+    permission_classes = (permissions.AllowAny,)

onadata/apps/main/urls.py

@@ -9,6 +9,9 @@
 from onadata.apps.api.viewsets.dataview_viewset import DataViewViewSet
 from onadata.apps.api.urls import router
 from onadata.apps.api.urls import XFormListViewSet
+from onadata.apps.api.viewsets.xform_list_viewset import (
+    PreviewXFormListViewSet
+)
 from onadata.apps.api.urls import XFormSubmissionViewSet
 from onadata.apps.api.urls import BriefcaseViewset
 from onadata.apps.logger import views as logger_views
@@ -190,6 +193,8 @@
         XFormListViewSet.as_view({'get': 'list'}), name='form-list'),
     url(r'^(?P<username>\w+)/formList$',
         XFormListViewSet.as_view({'get': 'list'}), name='form-list'),
+    url(r'^preview/(?P<username>\w+)/formList$',
+        PreviewXFormListViewSet.as_view({'get': 'list'}), name='form-list'),
     url(r'^(?P<username>\w+)/xformsManifest/(?P<pk>[\d+^/]+)$',
         XFormListViewSet.as_view({'get': 'manifest'}), name='manifest-url'),
     url(r'^xformsManifest/(?P<pk>[\d+^/]+)$',

onadata/apps/main/views.py

@@ -1376,7 +1376,7 @@ def qrcode(request, username, id_string):
 
 
 def get_enketo_preview_url(request, username, id_string):
-    form_url = get_form_url(request, username, settings.ENKETO_PROTOCOL)
+    form_url = get_form_url(request, username, settings.ENKETO_PROTOCOL, True)
     values = {'form_id': id_string, 'server_url': form_url}
 
     res = requests.post(settings.ENKETO_PREVIEW_URL,

onadata/libs/utils/viewer_tools.py

@@ -252,15 +252,15 @@ def get_form(kwargs):
     from onadata.apps.logger.models import XForm
     from django.http import Http404
 
-    queryset = kwargs.pop('queryset',  XForm.objects.filter())
+    queryset = kwargs.pop('queryset', XForm.objects.filter())
     xform = queryset.filter(**kwargs).first()
     if xform:
         return xform
 
     raise Http404("XForm does not exist.")
 
 
-def get_form_url(request, username=None, protocol='https'):
+def get_form_url(request, username=None, protocol='https', preview=False):
     if settings.TESTING_MODE:
         http_host = settings.TEST_HTTP_HOST
         username = settings.TEST_USERNAME
@@ -269,6 +269,9 @@ def get_form_url(request, username=None, protocol='https'):
 
     url = '%s://%s' % (protocol, http_host)
 
+    if preview:
+        url = '%s/preview' % url
+
     if username:
         url = "{}/{}".format(url, username)