From a4b60715b99135ffe7bc452d312f043125a1d685 Mon Sep 17 00:00:00 2001
From: Matt Westcott
Date: Tue, 17 Jun 2014 22:27:11 +0100
Subject: [PATCH] Check that the content type passed to wagtailadmin.pages.create is valid according to subpage_types
---
 wagtail/wagtailadmin/tests/test_pages_views.py | 13 +++++++++++++
 wagtail/wagtailadmin/views/pages.py | 12 ++++--------
 2 files changed, 17 insertions(+), 8 deletions(-)
diff --git a/wagtail/wagtailadmin/tests/test_pages_views.py b/wagtail/wagtailadmin/tests/test_pages_views.py
index 09e6b6f5c..986bb260c 100644
--- a/wagtail/wagtailadmin/tests/test_pages_views.py
+++ b/wagtail/wagtailadmin/tests/test_pages_views.py
@@ -719,3 +719,16 @@ class TestSubpageBusinessRules(TestCase, WagtailTestUtils):
 self.assertEqual(response.status_code, 200)
 self.assertNotContains(response, 'Standard Child')
 self.assertEqual(0, len(response.context['page_types']))
+
+ def test_cannot_add_invalid_subpage_type(self):
+ # cannot add SimplePage as a child of BusinessIndex, as SimplePage is not present in subpage_types
+ response = self.client.get(reverse('wagtailadmin_pages_create', args=('tests', 'simplepage', self.business_index.id)))
+ self.assertEqual(response.status_code, 403)
+
+ # likewise for BusinessChild which has an empty subpage_types list
+ response = self.client.get(reverse('wagtailadmin_pages_create', args=('tests', 'simplepage', self.business_child.id)))
+ self.assertEqual(response.status_code, 403)
+
+ # but we can add a BusinessChild to BusinessIndex
+ response = self.client.get(reverse('wagtailadmin_pages_create', args=('tests', 'businesschild', self.business_index.id)))
+ self.assertEqual(response.status_code, 200)
diff --git a/wagtail/wagtailadmin/views/pages.py b/wagtail/wagtailadmin/views/pages.py
index c60a1800e..559adb922 100644
--- a/wagtail/wagtailadmin/views/pages.py
+++ b/wagtail/wagtailadmin/views/pages.py
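Review bot: test_cannot_add_invalid_subpage_type exercises the new rule with GET only, so the POST that would actually save a page is never asserted to be refused. The guard in create() appears to run before any method-specific branch (the view body is outside this diff, so confirm), which makes a POST case cheap to add: `response = self.client.post(reverse('wagtailadmin_pages_create', args=('tests', 'simplepage', self.business_index.id)), {})` followed by `self.assertEqual(response.status_code, 403)`. It would also be worth asserting that business_index has no new children afterwards, so a future reordering of the view cannot create the page before denying the request.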
@@ -111,15 +111,11 @@ def create(request, content_type_app_name, content_type_model_name, parent_page_ except ContentType.DoesNotExist: raise Http404 - page_class = content_type.model_class() - # page must be in the list of allowed subpage types for this parent ID - # == Restriction temporarily relaxed so that as superusers we can add index pages and things - - # == TODO: reinstate this for regular editors when we have distinct user types - # - # if page_class not in parent_page.clean_subpage_types(): - # messages.error(request, "Sorry, you do not have access to create a page of type '%s' here." % content_type.name) - # return redirect('wagtailadmin_pages_select_type') + if content_type not in parent_page.clean_subpage_types(): + raise PermissionDenied + + page_class = content_type.model_class() page = page_class(owner=request.user) edit_handler_class = get_page_edit_handler(page_class)
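Review bot: The new guard `if content_type not in parent_page.clean_subpage_types():` has no comment, and the removed lines took the only explanation of the rule with them. Suggest keeping one line above it, e.g. `# the requested type must be in the parent's allowed subpage types; the URL can be requested directly, so enforce it here rather than relying on the type chooser`. The old commented-out check compared `page_class`, while this one compares the ContentType row, so it relies on clean_subpage_types() returning ContentType objects; that method is outside the diff and worth confirming. `PermissionDenied` is not imported in this hunk and the diffstat shows no other insertions in views/pages.py, so it is presumably already imported at the top of the file. create() begins and continues outside the hunk.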