failing test for #2511 for document uploader

Make collection field on document chooser upload respect user permissions failing test for #2511 for image uploader Make collection field on image chooser upload respect user permissions
2026-05-13 01:33:16 +00:00 · 2016-04-26 11:51:14 +01:00 · 2016-04-26 11:51:14 +01:00 · ad7264fffb
commit ad7264fffb
parent aaefb81b60
6 changed files with 149 additions and 6 deletions
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@ -6,6 +6,7 @@ Changelog

 * Fix: The `wagtailuserbar` template tag now gracefully handles situations where the `request` object is not in the template context (Matt Westcott)
 * Fix: Meta classes on StreamField blocks now handle multiple inheritance correctly (Tim Heap)
+ * Fix: Now user can upload images / documents only into permitted collection from choosers


 1.4.3 (04.04.2016)
--- a/docs/releases/1.4.4.rst
+++ b/docs/releases/1.4.4.rst
@ -15,3 +15,4 @@ Bug fixes

 * The ``wagtailuserbar`` template tag now gracefully handles situations where the ``request`` object is not in the template context (Matt Westcott)
 * Meta classes on StreamField blocks now handle multiple inheritance correctly (Tim Heap)
+ * Now user can upload images / documents only into permitted collection from choosers
--- a/wagtail/wagtaildocs/tests.py
+++ b/wagtail/wagtaildocs/tests.py
@ -731,6 +731,78 @@ class TestDocumentChooserUploadView(TestCase, WagtailTestUtils):
        self.assertTrue(models.Document.objects.filter(title="Test document").exists())


+class TestDocumentChooserUploadViewWithLimitedPermissions(TestCase, WagtailTestUtils):
+    def setUp(self):
+        add_doc_permission = Permission.objects.get(
+            content_type__app_label='wagtaildocs', codename='add_document'
+        )
+        admin_permission = Permission.objects.get(
+            content_type__app_label='wagtailadmin', codename='access_admin'
+        )
+
+        root_collection = Collection.get_first_root_node()
+        self.evil_plans_collection = root_collection.add_child(name="Evil plans")
+
+        conspirators_group = Group.objects.create(name="Evil conspirators")
+        conspirators_group.permissions.add(admin_permission)
+        GroupCollectionPermission.objects.create(
+            group=conspirators_group,
+            collection=self.evil_plans_collection,
+            permission=add_doc_permission
+        )
+
+        user = get_user_model().objects.create_user(
+            username='moriarty',
+            email='moriarty@example.com',
+            password='password'
+        )
+        user.groups.add(conspirators_group)
+
+        self.client.login(username='moriarty', password='password')
+
+    def test_simple(self):
+        response = self.client.get(reverse('wagtaildocs:chooser_upload'))
+        self.assertEqual(response.status_code, 200)
+        self.assertTemplateUsed(response, 'wagtaildocs/chooser/chooser.html')
+        self.assertTemplateUsed(response, 'wagtaildocs/chooser/chooser.js')
+
+        # user only has access to one collection -> should not see the collections field
+        self.assertNotContains(response, 'id_collection')
+
+    def test_chooser_view(self):
+        # The main chooser view also includes the form, so need to test there too
+        response = self.client.get(reverse('wagtaildocs:chooser'))
+        self.assertEqual(response.status_code, 200)
+        self.assertTemplateUsed(response, 'wagtaildocs/chooser/chooser.html')
+        self.assertTemplateUsed(response, 'wagtaildocs/chooser/chooser.js')
+
+        # user only has access to one collection -> should not see the collections field
+        self.assertNotContains(response, 'id_collection')
+
+    def test_post(self):
+        # Build a fake file
+        fake_file = ContentFile(b("A boring example document"))
+        fake_file.name = 'test.txt'
+
+        # Submit
+        post_data = {
+            'title': "Test document",
+            'file': fake_file,
+        }
+        response = self.client.post(reverse('wagtaildocs:chooser_upload'), post_data)
+
+        # Check that the response is a javascript file saying the document was chosen
+        self.assertTemplateUsed(response, 'wagtaildocs/chooser/document_chosen.js')
+        self.assertContains(response, "modal.respond('documentChosen'")
+
+        # Document should be created
+        doc = models.Document.objects.filter(title="Test document")
+        self.assertTrue(doc.exists())
+
+        # Document should be in the 'evil plans' collection
+        self.assertEqual(doc.get().collection, self.evil_plans_collection)
+
+
 class TestDocumentFilenameProperties(TestCase):
    def setUp(self):
        self.document = models.Document(title="Test document")
--- a/wagtail/wagtaildocs/views/chooser.py
+++ b/wagtail/wagtaildocs/views/chooser.py
@ -36,7 +36,7 @@ def chooser(request):

    if permission_policy.user_has_permission(request.user, 'add'):
        DocumentForm = get_document_form(Document)
-        uploadform = DocumentForm()
+        uploadform = DocumentForm(user=request.user)
    else:
        uploadform = None

@ -104,7 +104,7 @@ def chooser_upload(request):

    if request.POST:
        document = Document(uploaded_by_user=request.user)
-        form = DocumentForm(request.POST, request.FILES, instance=document)
+        form = DocumentForm(request.POST, request.FILES, instance=document, user=request.user)

        if form.is_valid():
            form.save()
@ -118,7 +118,7 @@ def chooser_upload(request):
                {'document_json': get_document_json(document)}
            )
    else:
-        form = DocumentForm()
+        form = DocumentForm(user=request.user)

    documents = Document.objects.order_by('title')

--- a/wagtail/wagtailimages/tests/test_admin_views.py
+++ b/wagtail/wagtailimages/tests/test_admin_views.py
@ -500,6 +500,75 @@ class TestImageChooserUploadView(TestCase, WagtailTestUtils):
        self.assertTrue(Image.objects.filter(title="Test image").exists())


+class TestImageChooserUploadViewWithLimitedPermissions(TestCase, WagtailTestUtils):
+    def setUp(self):
+        add_image_permission = Permission.objects.get(
+            content_type__app_label='wagtailimages', codename='add_image'
+        )
+        admin_permission = Permission.objects.get(
+            content_type__app_label='wagtailadmin', codename='access_admin'
+        )
+
+        root_collection = Collection.get_first_root_node()
+        self.evil_plans_collection = root_collection.add_child(name="Evil plans")
+
+        conspirators_group = Group.objects.create(name="Evil conspirators")
+        conspirators_group.permissions.add(admin_permission)
+        GroupCollectionPermission.objects.create(
+            group=conspirators_group,
+            collection=self.evil_plans_collection,
+            permission=add_image_permission
+        )
+
+        user = get_user_model().objects.create_user(
+            username='moriarty',
+            email='moriarty@example.com',
+            password='password'
+        )
+        user.groups.add(conspirators_group)
+
+        self.client.login(username='moriarty', password='password')
+
+    def test_get(self):
+        response = self.client.get(reverse('wagtailimages:chooser_upload'))
+        self.assertEqual(response.status_code, 200)
+        self.assertTemplateUsed(response, 'wagtailimages/chooser/chooser.html')
+
+        # user only has access to one collection, so no 'Collection' option
+        # is displayed on the form
+        self.assertNotContains(response, '<label for="id_collection">')
+
+    def test_get_chooser(self):
+        response = self.client.get(reverse('wagtailimages:chooser'))
+        self.assertEqual(response.status_code, 200)
+        self.assertTemplateUsed(response, 'wagtailimages/chooser/chooser.html')
+
+        # user only has access to one collection, so no 'Collection' option
+        # is displayed on the form
+        self.assertNotContains(response, '<label for="id_collection">')
+
+    def test_add(self):
+        response = self.client.post(reverse('wagtailimages:chooser_upload'), {
+            'title': "Test image",
+            'file': SimpleUploadedFile('test.png', get_test_image_file().file.getvalue()),
+        })
+
+        self.assertEqual(response.status_code, 200)
+
+        # Check that the image was created
+        images = Image.objects.filter(title="Test image")
+        self.assertEqual(images.count(), 1)
+
+        # Image should be created in the 'evil plans' collection,
+        # despite there being no collection field in the form, because that's the
+        # only one the user has access to
+        self.assertTrue(Image.objects.filter(title="Test image").exists())
+        self.assertEqual(
+            Image.objects.get(title="Test image").collection,
+            self.evil_plans_collection
+        )
+
+
 class TestMultipleImageUploader(TestCase, WagtailTestUtils):
    """
    This tests the multiple image upload views located in wagtailimages/views/multiple.py
--- a/wagtail/wagtailimages/views/chooser.py
+++ b/wagtail/wagtailimages/views/chooser.py
@ -43,7 +43,7 @@ def chooser(request):

    if permission_policy.user_has_permission(request.user, 'add'):
        ImageForm = get_image_form(Image)
-        uploadform = ImageForm()
+        uploadform = ImageForm(user=request.user)
    else:
        uploadform = None

@ -121,7 +121,7 @@ def chooser_upload(request):

    if request.POST:
        image = Image(uploaded_by_user=request.user)
-        form = ImageForm(request.POST, request.FILES, instance=image)
+        form = ImageForm(request.POST, request.FILES, instance=image, user=request.user)

        if form.is_valid():
            form.save()
@ -143,7 +143,7 @@ def chooser_upload(request):
                    {'image_json': get_image_json(image)}
                )
    else:
-        form = ImageForm()
+        form = ImageForm(user=request.user)

    images = Image.objects.order_by('title')