From 88e477098f31da29683eec1a5c051b0664218b9d Mon Sep 17 00:00:00 2001
From: alx <alexbridge@gmail.com>
Date: Mon, 23 Nov 2015 20:52:46 +0000
Subject: [PATCH] Ensure that locked pages can't be unpublished.

Fixes #1615
---
 CHANGELOG.txt                                 |  1 +
 CONTRIBUTORS.rst                              |  1 +
 docs/releases/1.3.rst                         |  1 +
 wagtail/tests/testapp/fixtures/test.json      | 20 ++++++++++++++++---
 .../wagtailadmin/pages/confirm_delete.html    |  7 ++++---
 wagtail/wagtailcore/models.py                 |  2 ++
 .../tests/test_page_permissions.py            |  3 +++
 7 files changed, 29 insertions(+), 6 deletions(-)

diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index b52fe02ff..bb22ebb89 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -9,6 +9,7 @@ Changelog
  * Added `.alt` attribute to image renditions
  * The default `src`, `width`, `height` and `alt` attributes can now be overridden by attributes passed to the `{% image %}` tag
  * Fix: HTTP cache purge now works again on Python 2 (Mitchel Cabuloy)
+ * Fix: Locked pages can no longer be unpublished (Alex Bridge)
 
 1.2 (12.11.2015)
 ~~~~~~~~~~~~~~~~
diff --git a/CONTRIBUTORS.rst b/CONTRIBUTORS.rst
index 462b327e4..a4ccbba9e 100644
--- a/CONTRIBUTORS.rst
+++ b/CONTRIBUTORS.rst
@@ -80,6 +80,7 @@ Contributors
 * Sergey Nikitin
 * John Draper
 * Rich Brennan
+* Alex Bridge
 
 
 Translators
diff --git a/docs/releases/1.3.rst b/docs/releases/1.3.rst
index b809baa99..1f1cc3d0a 100644
--- a/docs/releases/1.3.rst
+++ b/docs/releases/1.3.rst
@@ -24,6 +24,7 @@ Bug fixes
 ~~~~~~~~~
 
  * HTTP cache purge now works again on Python 2 (Mitchel Cabuloy)
+ * Locked pages can no longer be unpublished (Alex Bridge)
 
 
 Upgrade considerations
diff --git a/wagtail/tests/testapp/fixtures/test.json b/wagtail/tests/testapp/fixtures/test.json
index fa424ac01..44a919b45 100644
--- a/wagtail/tests/testapp/fixtures/test.json
+++ b/wagtail/tests/testapp/fixtures/test.json
@@ -23,7 +23,7 @@
     "model": "wagtailcore.page",
     "fields": {
         "title": "Welcome to the Wagtail test site!",
-        "numchild": 5,
+        "numchild": 6,
         "show_in_menus": false,
         "live": true,
         "depth": 2,
@@ -33,7 +33,6 @@
         "slug": "home"
     }
 },
-
 {
     "pk": 3,
     "model": "wagtailcore.page",
@@ -379,7 +378,22 @@
         "cost": "free"
     }
 },
-
+{
+    "pk": 14,
+    "model": "wagtailcore.page",
+    "fields": {
+        "title": "My locked page",
+        "numchild": 0,
+        "show_in_menus": true,
+        "live": true,
+        "depth": 3,
+        "content_type": ["wagtailcore", "page"],
+        "path": "000100010006",
+        "url_path": "/home/my-locked-page/",
+        "slug": "my-locked-page",
+        "locked": true
+    }
+},
 {
     "pk": 1,
     "model": "wagtailcore.site",
diff --git a/wagtail/wagtailadmin/templates/wagtailadmin/pages/confirm_delete.html b/wagtail/wagtailadmin/templates/wagtailadmin/pages/confirm_delete.html
index d10f47e89..5c2a3c404 100644
--- a/wagtail/wagtailadmin/templates/wagtailadmin/pages/confirm_delete.html
+++ b/wagtail/wagtailadmin/templates/wagtailadmin/pages/confirm_delete.html
@@ -1,5 +1,5 @@
 {% extends "wagtailadmin/base.html" %}
-{% load i18n %}
+{% load i18n wagtailadmin_tags %}
 {% block titletag %}{% blocktrans with title=page.title %}Delete {{ title }}{% endblocktrans %}{% endblock %}
 
 {% block content %}
@@ -17,12 +17,13 @@
                 {% endblocktrans %}
             {% endif %}
         </p>
-        {% if page.live %}
+        {% page_permissions page as page_perms %}
+        {% if page_perms.can_unpublish %}
             <p>{% trans "Alternatively you can unpublish the page. This removes the page from public view and you can edit or publish it again later." %}</p>
         {% endif %}
         <form action="{% url 'wagtailadmin_pages:delete' page.id %}" method="POST">
             {% csrf_token %}
-            <input type="submit" value="{% trans 'Delete it' %}" class="serious {% if page.live %}button-secondary{% endif %}"> {% if page.live %}<a href="{% url 'wagtailadmin_pages:unpublish' page.id %}" class="button">{% trans 'Unpublish it' %}</a>{% endif %}
+            <input type="submit" value="{% trans 'Delete it' %}" class="serious {% if page.live %}button-secondary{% endif %}"> {% if page_perms.can_unpublish %}<a href="{% url 'wagtailadmin_pages:unpublish' page.id %}" class="button">{% trans 'Unpublish it' %}</a>{% endif %}
         </form>
     </div>
 {% endblock %}
diff --git a/wagtail/wagtailcore/models.py b/wagtail/wagtailcore/models.py
index 4ce53b987..f348f678e 100644
--- a/wagtail/wagtailcore/models.py
+++ b/wagtail/wagtailcore/models.py
@@ -1352,6 +1352,8 @@ class PagePermissionTester(object):
             return False
         if (not self.page.live) or self.page_is_root:
             return False
+        if self.page.locked:
+            return False
 
         return self.user.is_superuser or ('publish' in self.permissions)
 
diff --git a/wagtail/wagtailcore/tests/test_page_permissions.py b/wagtail/wagtailcore/tests/test_page_permissions.py
index 33dfc6e21..6baf6606f 100644
--- a/wagtail/wagtailcore/tests/test_page_permissions.py
+++ b/wagtail/wagtailcore/tests/test_page_permissions.py
@@ -303,10 +303,13 @@ class TestPagePermission(TestCase):
     def test_lock_page_for_superuser(self):
         user = get_user_model().objects.get(username='superuser')
         christmas_page = EventPage.objects.get(url_path='/home/events/christmas/')
+        locked_page = Page.objects.get(url_path='/home/my-locked-page/')
 
         perms = UserPagePermissionsProxy(user).for_page(christmas_page)
+        locked_perms = UserPagePermissionsProxy(user).for_page(locked_page)
 
         self.assertTrue(perms.can_lock())
+        self.assertFalse(locked_perms.can_unpublish())  # locked pages can't be unpublished
 
     def test_lock_page_for_moderator(self):
         user = get_user_model().objects.get(username='eventmoderator')