Merge pull request #3654 from open-formulieren/backport/3613-to-23x

Backport of #3613 to 2.3.x
open-formulieren · Dec 1, 2023 · 757affb · 757affb
2 parents aaa3fad + da6867a
commit 757affb
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 3 deletions.
diff --git a/src/openforms/submissions/tests/test_resume_form_view.py b/src/openforms/submissions/tests/test_resume_form_view.py
@@ -19,6 +19,7 @@
 class SubmissionResumeViewTests(TestCase):
     def test_good_token_and_submission_redirect_and_add_submission_to_session(self):
         submission = SubmissionFactory.from_components(
+            form__formstep__form_definition__login_required=False,
             completed=True,
             components_list=[
                 {
@@ -416,3 +417,38 @@ def test_resume_creates_valid_url(self):
         self.assertRedirects(
             response, expected_redirect_url, fetch_redirect_response=False
         )
+
+    @tag("gh-3613")
+    def test_redirects_to_auth_if_form_does_not_require_login_but_user_logged_in_the_first_time(
+        self,
+    ):
+        submission = SubmissionFactory.create(
+            form__generate_minimal_setup=True,
+            form__formstep__form_definition__login_required=False,
+            auth_info__plugin="digid",
+            auth_info__value="some-hashed-value",
+        )
+        SubmissionStepFactory.create(
+            submission=submission,
+            form_step=submission.form.formstep_set.first(),
+            data={"foo": "bar"},
+        )
+
+        endpoint = reverse(
+            "submissions:resume",
+            kwargs={
+                "token": submission_resume_token_generator.make_token(submission),
+                "submission_uuid": submission.uuid,
+            },
+        )
+        expected_redirect_url = furl(
+            f"http://testserver/auth/{submission.form.slug}/digid/start"
+        )
+        expected_redirect_url.args["next"] = f"http://testserver{endpoint}"
+
+        response = self.client.get(endpoint)
+
+        self.assertRedirects(
+            response, expected_redirect_url.url, fetch_redirect_response=False
+        )
+        self.assertNotIn(SUBMISSIONS_SESSION_KEY, self.client.session)
diff --git a/src/openforms/submissions/views.py b/src/openforms/submissions/views.py
@@ -144,16 +144,17 @@ def get_redirect_url(
 
         # TODO: remove code duplication
 
-        # No login required, skip authentication
-        if not submission.form.login_required:
+        # No login required. If the user did NOT log in when initially starting the submission (that they are now
+        # resuming) skip authentication.
+        if not submission.form.login_required and not submission.is_authenticated:
             submission = self.custom_submission_modifications(submission)
             add_submmission_to_session(submission, self.request.session)
             submission_resumed.send(
                 sender=self.__class__, instance=submission, request=self.request
             )
             return self.get_form_resume_url(submission)
 
-        # Login IS required. Check if the user has already logged in.
+        # Check if the user has already logged in.
         # This is done by checking if the authentication details are in the session and
         # if they match those in the saved submission.
         if FORM_AUTH_SESSION_KEY in self.request.session: