add bulk_delete permission type

2026-05-03 21:14:46 +00:00 · 2016-09-26 23:01:40 +01:00 · 2016-09-26 23:01:40 +01:00 · 0070da62db
commit 0070da62db
parent 5c9fc29fbe
3 changed files with 70 additions and 1 deletions
--- a/wagtail/wagtailcore/migrations/0032_add_bulk_delete_page_permission.py
+++ b/wagtail/wagtailcore/migrations/0032_add_bulk_delete_page_permission.py
@ -0,0 +1,20 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.10.1 on 2016-09-27 14:11
+from __future__ import unicode_literals
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('wagtailcore', '0031_add_page_view_restriction_types'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='grouppagepermission',
+            name='permission_type',
+            field=models.CharField(choices=[('add', 'Add/edit pages you own'), ('edit', 'Edit any page'), ('publish', 'Publish any page'), ('bulk_delete', 'Delete pages with children'), ('lock', 'Lock/unlock any page')], max_length=20, verbose_name='permission type'),
+        ),
+    ]
--- a/wagtail/wagtailcore/models.py
+++ b/wagtail/wagtailcore/models.py
@ -1536,6 +1536,7 @@ PAGE_PERMISSION_TYPES = [
    ('add', _("Add"), _("Add/edit pages you own")),
    ('edit', _("Edit"), _("Edit any page")),
    ('publish', _("Publish"), _("Publish any page")),
+    ('bulk_delete', _("Bulk delete"), _("Delete pages with children")),
    ('lock', _("Lock"), _("Lock/unlock any page")),
 ]

@ -1695,6 +1696,10 @@ class PagePermissionTester(object):
            # superusers require no further checks
            return True

+        # if the user does not have bulk_delete permission, they may only delete leaf pages
+        if 'bulk_delete' not in self.permissions and not self.page.is_leaf():
+            return False
+
        if 'edit' in self.permissions:
            # if the user does not have publish permission, we also need to confirm that there
            # are no published pages here
--- a/wagtail/wagtailcore/tests/test_page_permissions.py
+++ b/wagtail/wagtailcore/tests/test_page_permissions.py
@ -1,9 +1,10 @@
 from __future__ import absolute_import, unicode_literals

 from django.contrib.auth import get_user_model
+from django.contrib.auth.models import Group
 from django.test import TestCase

-from wagtail.tests.testapp.models import BusinessSubIndex, EventPage
+from wagtail.tests.testapp.models import BusinessSubIndex, EventIndex, EventPage
 from wagtail.wagtailcore.models import GroupPagePermission, Page, UserPagePermissionsProxy


@ -189,6 +190,49 @@ class TestPagePermission(TestCase):
        self.assertFalse(moderator_event_perms.can_move_to(homepage))
        self.assertTrue(moderator_event_perms.can_move_to(unpublished_event_page))

+    def test_cannot_bulk_delete_without_permissions(self):
+        event_moderator = get_user_model().objects.get(username='eventmoderator')
+        events_page = EventIndex.objects.get(url_path='/home/events/')
+        events_perms = events_page.permissions_for_user(event_moderator)
+
+        self.assertFalse(events_perms.can_delete())
+
+    def test_can_bulk_delete_with_permissions(self):
+        event_moderator = get_user_model().objects.get(username='eventmoderator')
+        events_page = EventIndex.objects.get(url_path='/home/events/')
+
+        # Assign 'bulk_delete' permission to the event_moderator group
+        event_moderators_group = Group.objects.get(name='Event moderators')
+        GroupPagePermission.objects.create(
+            group=event_moderators_group, page=events_page, permission_type='bulk_delete'
+        )
+
+        events_perms = events_page.permissions_for_user(event_moderator)
+
+        self.assertTrue(events_perms.can_delete())
+
+    def test_need_delete_permission_to_bulk_delete(self):
+        """
+        Having bulk_delete permission is not in itself sufficient to allow deleting pages -
+        you need actual edit permission on the pages too.
+
+        In this test the event editor is given bulk_delete permission, but since their
+        only other permission is 'add', they cannot delete published pages or pages owned
+        by other users, and therefore the bulk deletion cannot happen.
+        """
+        event_editor = get_user_model().objects.get(username='eventeditor')
+        events_page = EventIndex.objects.get(url_path='/home/events/')
+
+        # Assign 'bulk_delete' permission to the event_editor group
+        event_editors_group = Group.objects.get(name='Event editors')
+        GroupPagePermission.objects.create(
+            group=event_editors_group, page=events_page, permission_type='bulk_delete'
+        )
+
+        events_perms = events_page.permissions_for_user(event_editor)
+
+        self.assertFalse(events_perms.can_delete())
+
    def test_inactive_user_has_no_permissions(self):
        user = get_user_model().objects.get(username='inactiveuser')
        christmas_page = EventPage.objects.get(url_path='/home/events/christmas/')