Check that the content type passed to wagtailadmin.pages.create is valid according to subpage_types

2026-05-11 00:33:17 +00:00 · 2014-06-17 22:27:11 +01:00 · 2014-06-17 22:27:11 +01:00 · a4b60715b9
commit a4b60715b9
parent a713895440
2 changed files with 17 additions and 8 deletions
--- a/wagtail/wagtailadmin/tests/test_pages_views.py
+++ b/wagtail/wagtailadmin/tests/test_pages_views.py
@ -719,3 +719,16 @@ class TestSubpageBusinessRules(TestCase, WagtailTestUtils):
        self.assertEqual(response.status_code, 200)
        self.assertNotContains(response, 'Standard Child')
        self.assertEqual(0, len(response.context['page_types']))
+
+    def test_cannot_add_invalid_subpage_type(self):
+        # cannot add SimplePage as a child of BusinessIndex, as SimplePage is not present in subpage_types
+        response = self.client.get(reverse('wagtailadmin_pages_create', args=('tests', 'simplepage', self.business_index.id)))
+        self.assertEqual(response.status_code, 403)
+
+        # likewise for BusinessChild which has an empty subpage_types list
+        response = self.client.get(reverse('wagtailadmin_pages_create', args=('tests', 'simplepage', self.business_child.id)))
+        self.assertEqual(response.status_code, 403)
+
+        # but we can add a BusinessChild to BusinessIndex
+        response = self.client.get(reverse('wagtailadmin_pages_create', args=('tests', 'businesschild', self.business_index.id)))
+        self.assertEqual(response.status_code, 200)
--- a/wagtail/wagtailadmin/views/pages.py
+++ b/wagtail/wagtailadmin/views/pages.py
@ -111,15 +111,11 @@ def create(request, content_type_app_name, content_type_model_name, parent_page_
    except ContentType.DoesNotExist:
        raise Http404

-    page_class = content_type.model_class()
-
    # page must be in the list of allowed subpage types for this parent ID
-    # == Restriction temporarily relaxed so that as superusers we can add index pages and things -
-    # == TODO: reinstate this for regular editors when we have distinct user types
-    #
-    # if page_class not in parent_page.clean_subpage_types():
-    #     messages.error(request, "Sorry, you do not have access to create a page of type '%s' here." % content_type.name)
-    #     return redirect('wagtailadmin_pages_select_type')
+    if content_type not in parent_page.clean_subpage_types():
+        raise PermissionDenied
+
+    page_class = content_type.model_class()

    page = page_class(owner=request.user)
    edit_handler_class = get_page_edit_handler(page_class)