failing test for #2511 for document uploader

Make collection field on document chooser upload respect user permissions failing test for #2511 for image uploader Make collection field on image chooser upload respect user permissions
2026-04-13 03:20:59 +00:00 · 2016-04-26 11:51:14 +01:00 · 2016-04-26 11:51:14 +01:00 · 83bfaf14a8
commit 83bfaf14a8
parent b7995f91e0
6 changed files with 152 additions and 9 deletions
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@ -32,7 +32,8 @@ Changelog
 * Fix: Direct usage of `Document` model replaced with `get_document_model` function in `wagtail.contrib.wagtailmedusa` and in `wagtail.contrib.wagtailapi`
 * Fix: Failures on sending moderation notification emails now produce a warning, rather than crashing the admin page outright (Matt Fozard)
 * Fix: All admin forms that could potentially include file upload fields now specify `multipart/form-data` where appropriate (Tim Heap)
-* Fix: REM units in Wagtailuserbar caused incorrect spacing (Vincent Audebert)
+ * Fix: REM units in Wagtailuserbar caused incorrect spacing (Vincent Audebert)
+ * Fix: Now user can upload images / documents only into permitted collection from choosers


 1.4.4 (xx.xx.2016)
--- a/docs/releases/1.5.rst
+++ b/docs/releases/1.5.rst
@ -60,8 +60,9 @@ Bug fixes
 * Registered settings admin menu items now show active correctly (Matthew Downey)
 * Direct usage of ``Document`` model replaced with ``get_document_model`` function in ``wagtail.contrib.wagtailmedusa`` and in ``wagtail.contrib.wagtailapi``
 * Failures on sending moderation notification emails now produce a warning, rather than crashing the admin page outright (Matt Fozard)
-* Fix: All admin forms that could potentially include file upload fields now specify ``multipart/form-data`` where appropriate (Tim Heap)
-* Fix: REM units in Wagtailuserbar caused incorrect spacing (Vincent Audebert)
+ * All admin forms that could potentially include file upload fields now specify ``multipart/form-data`` where appropriate (Tim Heap)
+ * REM units in Wagtailuserbar caused incorrect spacing (Vincent Audebert)
+ * Now user can upload images / documents only into permitted collection from choosers


 Upgrade considerations
--- a/wagtail/wagtaildocs/tests.py
+++ b/wagtail/wagtaildocs/tests.py
@ -732,6 +732,78 @@ class TestDocumentChooserUploadView(TestCase, WagtailTestUtils):
        self.assertTrue(models.Document.objects.filter(title="Test document").exists())


+class TestDocumentChooserUploadViewWithLimitedPermissions(TestCase, WagtailTestUtils):
+    def setUp(self):
+        add_doc_permission = Permission.objects.get(
+            content_type__app_label='wagtaildocs', codename='add_document'
+        )
+        admin_permission = Permission.objects.get(
+            content_type__app_label='wagtailadmin', codename='access_admin'
+        )
+
+        root_collection = Collection.get_first_root_node()
+        self.evil_plans_collection = root_collection.add_child(name="Evil plans")
+
+        conspirators_group = Group.objects.create(name="Evil conspirators")
+        conspirators_group.permissions.add(admin_permission)
+        GroupCollectionPermission.objects.create(
+            group=conspirators_group,
+            collection=self.evil_plans_collection,
+            permission=add_doc_permission
+        )
+
+        user = get_user_model().objects.create_user(
+            username='moriarty',
+            email='moriarty@example.com',
+            password='password'
+        )
+        user.groups.add(conspirators_group)
+
+        self.client.login(username='moriarty', password='password')
+
+    def test_simple(self):
+        response = self.client.get(reverse('wagtaildocs:chooser_upload'))
+        self.assertEqual(response.status_code, 200)
+        self.assertTemplateUsed(response, 'wagtaildocs/chooser/chooser.html')
+        self.assertTemplateUsed(response, 'wagtaildocs/chooser/chooser.js')
+
+        # user only has access to one collection -> should not see the collections field
+        self.assertNotContains(response, 'id_collection')
+
+    def test_chooser_view(self):
+        # The main chooser view also includes the form, so need to test there too
+        response = self.client.get(reverse('wagtaildocs:chooser'))
+        self.assertEqual(response.status_code, 200)
+        self.assertTemplateUsed(response, 'wagtaildocs/chooser/chooser.html')
+        self.assertTemplateUsed(response, 'wagtaildocs/chooser/chooser.js')
+
+        # user only has access to one collection -> should not see the collections field
+        self.assertNotContains(response, 'id_collection')
+
+    def test_post(self):
+        # Build a fake file
+        fake_file = ContentFile(b("A boring example document"))
+        fake_file.name = 'test.txt'
+
+        # Submit
+        post_data = {
+            'title': "Test document",
+            'file': fake_file,
+        }
+        response = self.client.post(reverse('wagtaildocs:chooser_upload'), post_data)
+
+        # Check that the response is a javascript file saying the document was chosen
+        self.assertTemplateUsed(response, 'wagtaildocs/chooser/document_chosen.js')
+        self.assertContains(response, "modal.respond('documentChosen'")
+
+        # Document should be created
+        doc = models.Document.objects.filter(title="Test document")
+        self.assertTrue(doc.exists())
+
+        # Document should be in the 'evil plans' collection
+        self.assertEqual(doc.get().collection, self.evil_plans_collection)
+
+
 class TestDocumentFilenameProperties(TestCase):
    def setUp(self):
        self.document = models.Document(title="Test document")
--- a/wagtail/wagtaildocs/views/chooser.py
+++ b/wagtail/wagtaildocs/views/chooser.py
@ -36,7 +36,7 @@ def chooser(request):

    if permission_policy.user_has_permission(request.user, 'add'):
        DocumentForm = get_document_form(Document)
-        uploadform = DocumentForm()
+        uploadform = DocumentForm(user=request.user)
    else:
        uploadform = None

@ -104,7 +104,7 @@ def chooser_upload(request):

    if request.method == 'POST':
        document = Document(uploaded_by_user=request.user)
-        form = DocumentForm(request.POST, request.FILES, instance=document)
+        form = DocumentForm(request.POST, request.FILES, instance=document, user=request.user)

        if form.is_valid():
            form.save()
@ -118,7 +118,7 @@ def chooser_upload(request):
                {'document_json': get_document_json(document)}
            )
    else:
-        form = DocumentForm()
+        form = DocumentForm(user=request.user)

    documents = Document.objects.order_by('title')

--- a/wagtail/wagtailimages/tests/test_admin_views.py
+++ b/wagtail/wagtailimages/tests/test_admin_views.py
@ -504,6 +504,75 @@ class TestImageChooserUploadView(TestCase, WagtailTestUtils):
        self.assertTrue(Image.objects.filter(title="Test image").exists())


+class TestImageChooserUploadViewWithLimitedPermissions(TestCase, WagtailTestUtils):
+    def setUp(self):
+        add_image_permission = Permission.objects.get(
+            content_type__app_label='wagtailimages', codename='add_image'
+        )
+        admin_permission = Permission.objects.get(
+            content_type__app_label='wagtailadmin', codename='access_admin'
+        )
+
+        root_collection = Collection.get_first_root_node()
+        self.evil_plans_collection = root_collection.add_child(name="Evil plans")
+
+        conspirators_group = Group.objects.create(name="Evil conspirators")
+        conspirators_group.permissions.add(admin_permission)
+        GroupCollectionPermission.objects.create(
+            group=conspirators_group,
+            collection=self.evil_plans_collection,
+            permission=add_image_permission
+        )
+
+        user = get_user_model().objects.create_user(
+            username='moriarty',
+            email='moriarty@example.com',
+            password='password'
+        )
+        user.groups.add(conspirators_group)
+
+        self.client.login(username='moriarty', password='password')
+
+    def test_get(self):
+        response = self.client.get(reverse('wagtailimages:chooser_upload'))
+        self.assertEqual(response.status_code, 200)
+        self.assertTemplateUsed(response, 'wagtailimages/chooser/chooser.html')
+
+        # user only has access to one collection, so no 'Collection' option
+        # is displayed on the form
+        self.assertNotContains(response, '<label for="id_collection">')
+
+    def test_get_chooser(self):
+        response = self.client.get(reverse('wagtailimages:chooser'))
+        self.assertEqual(response.status_code, 200)
+        self.assertTemplateUsed(response, 'wagtailimages/chooser/chooser.html')
+
+        # user only has access to one collection, so no 'Collection' option
+        # is displayed on the form
+        self.assertNotContains(response, '<label for="id_collection">')
+
+    def test_add(self):
+        response = self.client.post(reverse('wagtailimages:chooser_upload'), {
+            'title': "Test image",
+            'file': SimpleUploadedFile('test.png', get_test_image_file().file.getvalue()),
+        })
+
+        self.assertEqual(response.status_code, 200)
+
+        # Check that the image was created
+        images = Image.objects.filter(title="Test image")
+        self.assertEqual(images.count(), 1)
+
+        # Image should be created in the 'evil plans' collection,
+        # despite there being no collection field in the form, because that's the
+        # only one the user has access to
+        self.assertTrue(Image.objects.filter(title="Test image").exists())
+        self.assertEqual(
+            Image.objects.get(title="Test image").collection,
+            self.evil_plans_collection
+        )
+
+
 class TestMultipleImageUploader(TestCase, WagtailTestUtils):
    """
    This tests the multiple image upload views located in wagtailimages/views/multiple.py
--- a/wagtail/wagtailimages/views/chooser.py
+++ b/wagtail/wagtailimages/views/chooser.py
@ -43,7 +43,7 @@ def chooser(request):

    if permission_policy.user_has_permission(request.user, 'add'):
        ImageForm = get_image_form(Image)
-        uploadform = ImageForm()
+        uploadform = ImageForm(user=request.user)
    else:
        uploadform = None

@ -121,7 +121,7 @@ def chooser_upload(request):

    if request.method == 'POST':
        image = Image(uploaded_by_user=request.user)
-        form = ImageForm(request.POST, request.FILES, instance=image)
+        form = ImageForm(request.POST, request.FILES, instance=image, user=request.user)

        if form.is_valid():
            form.save()
@ -143,7 +143,7 @@ def chooser_upload(request):
                    {'image_json': get_image_json(image)}
                )
    else:
-        form = ImageForm()
+        form = ImageForm(user=request.user)

    images = Image.objects.order_by('title')