Stop users without page permissions from browsing pages

This commit is contained in:
Tim Heap 2016-10-11 15:05:37 +11:00 committed by Matt Westcott
parent c5017ce0c2
commit f1731e0646
3 changed files with 46 additions and 12 deletions


@ -146,10 +146,8 @@ class TestExplorerNavView(TestCase, WagtailTestUtils):
self.assertEqual(response.context['nodes'][0][0], Page.objects.get(id=2).specific)
self.assertEqual(len(response.context['nodes'][0][1]), 0)
def test_nonadmin_with_no_page_perms_sees_nothing_in_nav(self):
def test_nonadmin_with_no_page_perms_is_redirected(self):
self.assertTrue(self.client.login(username='mary', password='password'))
response = self.client.get(reverse('wagtailadmin_explorer_nav'))
self.assertEqual(response.status_code, 200)
# Being in no Groups, Mary should ot be shown any nodes.
self.assertEqual(len(response.context['nodes']), 0)
self.assertRedirects(response, reverse('wagtailadmin_home'))


@ -18,12 +18,10 @@ from django.http import HttpRequest, HttpResponse
from django.test import TestCase, modify_settings
from django.utils import formats, timezone
from django.utils.dateparse import parse_date
from wagtail.tests.testapp.models import (
EVENT_AUDIENCE_CHOICES, Advert, AdvertPlacement, BusinessChild, BusinessIndex, BusinessSubIndex,
DefaultStreamPage, EventCategory,
EventPage, EventPageCarouselItem, FilePage, SimplePage, SingleEventPage, SingletonPage,
StandardChild, StandardIndex, TaggedPage)
DefaultStreamPage, EventCategory, EventPage, EventPageCarouselItem, FilePage, SimplePage,
SingleEventPage, SingletonPage, StandardChild, StandardIndex, TaggedPage)
from wagtail.tests.utils import WagtailTestUtils
from wagtail.wagtailadmin.views.home import RecentEditsPanel
from wagtail.wagtailcore.models import GroupPagePermission, Page, PageRevision, Site
@ -78,7 +76,7 @@ class TestPageExplorer(TestCase, WagtailTestUtils):
self.root_page.add_child(instance=self.new_page)
# Login
self.login()
self.user = self.login()
def test_explore(self):
response = self.client.get(reverse('wagtailadmin_explore', args=(self.root_page.id, )))
@ -255,6 +253,20 @@ class TestPageExplorer(TestCase, WagtailTestUtils):
self.assertIsInstance(response.context['parent_page'], SimplePage)
def test_explorer_no_perms(self):
self.user.is_superuser = False
self.user.user_permissions.add(
Permission.objects.get(content_type__app_label='wagtailadmin', codename='access_admin')
)
self.user.save()
admin = reverse('wagtailadmin_home')
self.assertRedirects(
self.client.get(reverse('wagtailadmin_explore', args=(self.root_page.id, ))),
admin)
self.assertRedirects(
self.client.get(reverse('wagtailadmin_explore_root')), admin)
class TestPageExplorerSignposting(TestCase, WagtailTestUtils):
fixtures = ['test.json']
@ -1946,8 +1958,7 @@ class TestPageSearch(TestCase, WagtailTestUtils):
Permission.objects.get(content_type__app_label='wagtailadmin', codename='access_admin')
)
self.user.save()
response = self.get()
self.assertRedirects(response, '/admin/')
self.assertRedirects(self.get(), '/admin/')
class TestPageMove(TestCase, WagtailTestUtils):
@ -1999,6 +2010,7 @@ class TestPageMove(TestCase, WagtailTestUtils):
class TestPageCopy(TestCase, WagtailTestUtils):
def setUp(self):
# Find root page
self.root_page = Page.objects.get(id=2)
@ -2063,7 +2075,26 @@ class TestPageCopy(TestCase, WagtailTestUtils):
}
response = self.client.post(reverse('wagtailadmin_pages:copy', args=(self.test_page.id, )), post_data)
# Check that the user received a 403 response
# A user with no page permissions at all should be redirected to the admin home
self.assertRedirects(response, reverse('wagtailadmin_home'))
# A user with page permissions, but not add permission at the destination,
# should receive a PermissionDenied response
publishers = Group.objects.create(name='Publishers')
GroupPagePermission.objects.create(
group=publishers, page=self.root_page, permission_type='publish'
)
self.user.groups.add(publishers)
self.user.save()
# Get copy page
post_data = {
'new_title': "Hello world 2",
'new_slug': 'hello-world',
'new_parent_page': str(self.test_page.id),
'copy_subpages': False,
}
response = self.client.post(reverse('wagtailadmin_pages:copy', args=(self.test_page.id, )), post_data)
self.assertEqual(response.status_code, 403)
def test_page_copy_post(self):
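Review bot: The new permission gate is exercised only for the explorer views (test_explorer_no_perms, L48-L59) and for copy (L79-L80), while the same commit also adds the decorator to revisions_index and revisions_view in the views file; neither of those gets a no-permission test here, so a later regression on the revision views would go unnoticed. It would be worth adding the same shape of assertion for them in test_explorer_no_perms, e.g. `self.assertRedirects(self.client.get(reverse('wagtailadmin_pages:revisions_index', args=(self.root_page.id, ))), admin)`, assuming that URL name exists in this version (it is not visible on this page). In the copy test, the second `post_data` dict at L90-L95 is identical to the one posted at L77 and could simply be reused rather than rebuilt. The enclosing test method starts before this hunk.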


@ -31,12 +31,14 @@ def get_valid_next_url_from_request(request):
return next_url
@user_passes_test(user_has_any_page_permission)
def explorer_nav(request):
return render(request, 'wagtailadmin/shared/explorer_nav.html', {
'nodes': get_navigation_menu_items(request.user),
})
@user_passes_test(user_has_any_page_permission)
def index(request, parent_page_id=None):
if parent_page_id:
parent_page = get_object_or_404(Page, id=parent_page_id).specific
@ -812,6 +814,7 @@ def set_page_position(request, page_to_move_id):
return HttpResponse('')
@user_passes_test(user_has_any_page_permission)
def copy(request, page_id):
page = Page.objects.get(id=page_id)
@ -1026,6 +1029,7 @@ def unlock(request, page_id):
return redirect('wagtailadmin_explore', page.get_parent().id)
@user_passes_test(user_has_any_page_permission)
def revisions_index(request, page_id):
page = get_object_or_404(Page, id=page_id).specific
@ -1085,6 +1089,7 @@ def revisions_revert(request, page_id, revision_id):
})
@user_passes_test(user_has_any_page_permission)
def revisions_view(request, page_id, revision_id):
page = get_object_or_404(Page, id=page_id).specific
revision = get_object_or_404(page.revisions, id=revision_id)
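Review bot: `user_has_any_page_permission` is a coarse gate — it only establishes that the user holds some page permission somewhere, not a permission on the page named by `page_id`, so the decorator on revisions_index (L120) and revisions_view (L125) must not be read as the per-page authorisation check; the object-level check still has to happen in each function body, which lies outside these hunks and should be confirmed. A short comment above each decorated view would make that intent explicit for the next maintainer, e.g. `# Coarse gate only: per-page permission is still checked on the page below`. The same applies to copy at L115, where the 403 in the copy test suggests the body does perform the finer check. Which `user_passes_test` this module imports (Django's or a wagtailadmin wrapper) is not visible here; the redirect target asserted by the tests depends on that.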