diff --git a/wagtail/wagtailadmin/tests/test_explorer_nav.py b/wagtail/wagtailadmin/tests/test_explorer_nav.py
index bf78ab5c6..db062dadd 100644
--- a/wagtail/wagtailadmin/tests/test_explorer_nav.py
+++ b/wagtail/wagtailadmin/tests/test_explorer_nav.py
@@ -146,10 +146,8 @@ class TestExplorerNavView(TestCase, WagtailTestUtils):
 self.assertEqual(response.context['nodes'][0][0], Page.objects.get(id=2).specific)
 self.assertEqual(len(response.context['nodes'][0][1]), 0)
- def test_nonadmin_with_no_page_perms_sees_nothing_in_nav(self):
+ def test_nonadmin_with_no_page_perms_is_redirected(self):
 self.assertTrue(self.client.login(username='mary', password='password'))
 response = self.client.get(reverse('wagtailadmin_explorer_nav'))
- self.assertEqual(response.status_code, 200)
- # Being in no Groups, Mary should ot be shown any nodes.
- self.assertEqual(len(response.context['nodes']), 0)
+ self.assertRedirects(response, reverse('wagtailadmin_home'))
diff --git a/wagtail/wagtailadmin/tests/test_pages_views.py b/wagtail/wagtailadmin/tests/test_pages_views.py
index ed2eb7777..88871e785 100644
--- a/wagtail/wagtailadmin/tests/test_pages_views.py
+++ b/wagtail/wagtailadmin/tests/test_pages_views.py
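Review bot: The renamed `test_nonadmin_with_no_page_perms_is_redirected` drops the comment that explained Mary's situation and puts nothing in its place. A line such as `# Mary is in no groups, so she holds no page permissions and is sent back to the admin home.` above the `assertRedirects` call would keep that intent visible. `assertRedirects` also fetches the redirect target by default, so the test additionally depends on Mary being able to load the admin home.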
@@ -18,12 +18,10 @@ from django.http import HttpRequest, HttpResponse
 from django.test import TestCase, modify_settings
 from django.utils import formats, timezone
 from django.utils.dateparse import parse_date
-
 from wagtail.tests.testapp.models import (
 EVENT_AUDIENCE_CHOICES, Advert, AdvertPlacement, BusinessChild, BusinessIndex, BusinessSubIndex,
- DefaultStreamPage, EventCategory,
- EventPage, EventPageCarouselItem, FilePage, SimplePage, SingleEventPage, SingletonPage,
- StandardChild, StandardIndex, TaggedPage)
+ DefaultStreamPage, EventCategory, EventPage, EventPageCarouselItem, FilePage, SimplePage,
+ SingleEventPage, SingletonPage, StandardChild, StandardIndex, TaggedPage)
 from wagtail.tests.utils import WagtailTestUtils
 from wagtail.wagtailadmin.views.home import RecentEditsPanel
 from wagtail.wagtailcore.models import GroupPagePermission, Page, PageRevision, Site
@@ -78,7 +76,7 @@ class TestPageExplorer(TestCase, WagtailTestUtils):
 self.root_page.add_child(instance=self.new_page)
 # Login
- self.login()
+ self.user = self.login()
 def test_explore(self):
 response = self.client.get(reverse('wagtailadmin_explore', args=(self.root_page.id, )))
@@ -255,6 +253,20 @@ class TestPageExplorer(TestCase, WagtailTestUtils):
 self.assertIsInstance(response.context['parent_page'], SimplePage)
+ def test_explorer_no_perms(self):
+ self.user.is_superuser = False
+ self.user.user_permissions.add(
+ Permission.objects.get(content_type__app_label='wagtailadmin', codename='access_admin')
+ )
+ self.user.save()
+
+ admin = reverse('wagtailadmin_home')
+ self.assertRedirects(
+ self.client.get(reverse('wagtailadmin_explore', args=(self.root_page.id, ))),
+ admin)
+ self.assertRedirects(
+ self.client.get(reverse('wagtailadmin_explore_root')), admin)
+
 class TestPageExplorerSignposting(TestCase, WagtailTestUtils):
 fixtures = ['test.json']
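Review bot: In `test_explorer_no_perms` the local `admin` holds a URL rather than a user, which reads oddly beside `self.user`; `admin_home_url = reverse('wagtailadmin_home')` would say what it is. The test also carries no statement of intent, and a comment such as `# access_admin alone, with no page permissions, must not reach the explorer` would make the access-control expectation explicit. As written it covers GET requests to the explorer index and explorer root only.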
@@ -1946,8 +1958,7 @@ class TestPageSearch(TestCase, WagtailTestUtils):
 Permission.objects.get(content_type__app_label='wagtailadmin', codename='access_admin')
 )
 self.user.save()
- response = self.get()
- self.assertRedirects(response, '/admin/')
+ self.assertRedirects(self.get(), '/admin/')
 class TestPageMove(TestCase, WagtailTestUtils):
@@ -1999,6 +2010,7 @@ class TestPageMove(TestCase, WagtailTestUtils):
 class TestPageCopy(TestCase, WagtailTestUtils):
+
 def setUp(self):
 # Find root page
 self.root_page = Page.objects.get(id=2)
@@ -2063,7 +2075,26 @@ class TestPageCopy(TestCase, WagtailTestUtils):
 }
 response = self.client.post(reverse('wagtailadmin_pages:copy', args=(self.test_page.id, )), post_data)
- # Check that the user received a 403 response
+ # A user with no page permissions at all should be redirected to the admin home
+ self.assertRedirects(response, reverse('wagtailadmin_home'))
+
+ # A user with page permissions, but not add permission at the destination,
+ # should receive a PermissionDenied response
+ publishers = Group.objects.create(name='Publishers')
+ GroupPagePermission.objects.create(
+ group=publishers, page=self.root_page, permission_type='publish'
+ )
+ self.user.groups.add(publishers)
+ self.user.save()
+
+ # Get copy page
+ post_data = {
+ 'new_title': "Hello world 2",
+ 'new_slug': 'hello-world',
+ 'new_parent_page': str(self.test_page.id),
+ 'copy_subpages': False,
+ }
+ response = self.client.post(reverse('wagtailadmin_pages:copy', args=(self.test_page.id, )), post_data)
 self.assertEqual(response.status_code, 403)
 def test_page_copy_post(self):
diff --git a/wagtail/wagtailadmin/views/pages.py b/wagtail/wagtailadmin/views/pages.py
index dd3ed6196..0a443d8db 100644
--- a/wagtail/wagtailadmin/views/pages.py
+++ b/wagtail/wagtailadmin/views/pages.py
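Review bot: The copy test in the `@@ -2063` hunk now checks two different outcomes in one method, so a failure of the redirect assertion stops the run before the 403 case is exercised; the second scenario would be clearer as its own test method. Within the added lines, `# Get copy page` sits above a POST and could read `# Post the copy form again, now with publish-only permission`. The `self.user.save()` after `self.user.groups.add(publishers)` is not needed, because adding to the relation is written immediately. The method's opening lines are outside the hunk, so how the user is first stripped of permissions is not visible here.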
@@ -31,12 +31,14 @@ def get_valid_next_url_from_request(request):
 return next_url
+@user_passes_test(user_has_any_page_permission)
 def explorer_nav(request):
 return render(request, 'wagtailadmin/shared/explorer_nav.html', {
 'nodes': get_navigation_menu_items(request.user),
 })
+@user_passes_test(user_has_any_page_permission)
 def index(request, parent_page_id=None):
 if parent_page_id:
 parent_page = get_object_or_404(Page, id=parent_page_id).specific
@@ -812,6 +814,7 @@ def set_page_position(request, page_to_move_id):
 return HttpResponse('')
+@user_passes_test(user_has_any_page_permission)
 def copy(request, page_id):
 page = Page.objects.get(id=page_id)
@@ -1026,6 +1029,7 @@ def unlock(request, page_id):
 return redirect('wagtailadmin_explore', page.get_parent().id)
+@user_passes_test(user_has_any_page_permission)
 def revisions_index(request, page_id):
 page = get_object_or_404(Page, id=page_id).specific
@@ -1085,6 +1089,7 @@ def revisions_revert(request, page_id, revision_id):
 })
+@user_passes_test(user_has_any_page_permission)
 def revisions_view(request, page_id, revision_id):
 page = get_object_or_404(Page, id=page_id).specific
 revision = get_object_or_404(page.revisions, id=revision_id)
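Review bot: The `user_has_any_page_permission` gate added to `explorer_nav` and `index` only establishes that the user holds some page permission somewhere; it says nothing about the page named in the URL. `index` goes straight on to `get_object_or_404(Page, id=parent_page_id)` and its body continues outside the hunk, so whether a per-page check follows cannot be seen here. A comment above each decorator would stop the gate being read as object-level authorization, for example `# Coarse gate: rejects users with no page permissions at all; it does not authorize access to this particular page.` The same applies to the decorators added on `copy`, `revisions_index` and `revisions_view` in the later hunks.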
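Review bot: `copy` still loads the page with `Page.objects.get(id=page_id)`, so a request for an unknown id raises `DoesNotExist` and surfaces as a server error instead of a 404. The neighbouring views in this diff, `index` and `revisions_index`, use `get_object_or_404`; `page = get_object_or_404(Page, id=page_id)` would make `copy` consistent with them. The rest of `copy` is outside the hunk.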
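Review bot: Nothing in this diff tests the new gate on `revisions_index`, or on `revisions_view` in the next hunk; the test changes cover only `explorer_nav`, the explorer index and `copy`. A test modelled on `test_explorer_no_perms`, requesting the revisions views as a user with `access_admin` but no page permissions and ending in `self.assertRedirects(response, reverse('wagtailadmin_home'))`, would pin the behaviour. Tests outside this diff may already cover it.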
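Review bot: `revisions_revert`, named in the `@@ -1085` hunk header, does not receive the gate that this diff adds to `revisions_index` and `revisions_view` on either side of it. Its definition is outside the hunk, so it may already carry a decorator or check edit permission in its body. If it relies on a body check alone, a user with no page permissions would get a different response there than on the two sibling views. Either `@user_passes_test(user_has_any_page_permission)` on `revisions_revert` or a one-line comment stating why it is left out would settle it.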