Beispiel #1
    def create_page_user(self,
                         username,
                         password=None,
                         can_add_page=True,
                         can_change_page=True,
                         can_delete_page=True,
                         can_recover_page=True,
                         can_add_pageuser=True,
                         can_change_pageuser=True,
                         can_delete_pageuser=True,
                         can_add_pagepermission=True,
                         can_change_pagepermission=True,
                         can_delete_pagepermission=True,
                         grant_all=False):
        """
        Test helper that builds a page user directly through the ORM,
        standing in for the admin form at:
            /admin/cms/pageuser/add/

        Every ``can_*`` flag defaults to True, so a caller that needs a
        restricted account has to switch the unwanted flags off explicitly;
        ``grant_all=True`` re-enters the helper with all ten flags set to True.

        Fixture credentials: when ``password`` is omitted the username is
        reused as the password, and when the test case has no ``user``
        attribute a superuser named 'superuser' with the password 'superuser'
        is created to act as ``created_by``.

        If an account called ``username`` already exists it is reused as is:
        ``password`` is ignored and ``is_staff`` / ``is_active`` are left
        untouched.

        Returns the ``User`` instance (not the ``PageUser``).
        """
        if grant_all:
            # One positional True per can_* parameter, in signature order.
            return self.create_page_user(username, password, *([True] * 10))

        password = username if password is None else password

        permission_flags = dict(
            can_add_page=can_add_page,
            can_change_page=can_change_page,
            can_delete_page=can_delete_page,
            can_recover_page=can_recover_page,
            can_add_pageuser=can_add_pageuser,
            can_change_pageuser=can_change_pageuser,
            can_delete_pageuser=can_delete_pageuser,
            can_add_pagepermission=can_add_pagepermission,
            can_change_pagepermission=can_change_pagepermission,
            can_delete_pagepermission=can_delete_pagepermission,
        )

        if not hasattr(self, 'user'):
            # No acting user on the test case: fall back to a fixture superuser.
            creator = User.objects.create_superuser(
                'superuser', '*****@*****.**', 'superuser')
        else:
            creator = self.user

        try:
            account = User.objects.get(username=username)
        except User.DoesNotExist:
            account = User.objects.create_user(
                username, '*****@*****.**', password)
            account.is_staff = True
            account.is_active = True

        # Copy every concrete User field onto the PageUser before saving both.
        page_account = PageUser(created_by=creator)
        for model_field in User._meta.local_fields:
            field_name = model_field.name
            setattr(page_account, field_name, getattr(account, field_name))

        account.save()
        page_account.save()
        save_permissions(permission_flags, page_account)
        return account
Beispiel #2
    def create_page_user(self,
                         username,
                         password=None,
                         can_add_page=True,
                         can_change_page=True,
                         can_delete_page=True,
                         can_recover_page=True,
                         can_add_pageuser=True,
                         can_change_pageuser=True,
                         can_delete_pageuser=True,
                         can_add_pagepermission=True,
                         can_change_pagepermission=True,
                         can_delete_pagepermission=True,
                         grant_all=False):
        """
        Create (or reuse) a staff user plus a matching ``PageUser`` for tests,
        as a stand-in for the admin form at:
            /admin/cms/pageuser/add/

        All permission flags default to True; pass False for the ones a test
        wants withheld. ``grant_all=True`` calls the helper again with every
        flag forced to True.

        The credentials are fixtures: a missing ``password`` falls back to the
        username, and a missing ``self.user`` causes a superuser
        'superuser' / 'superuser' to be created as the ``created_by`` account.
        An already existing ``username`` is reused without applying
        ``password`` or changing ``is_staff`` / ``is_active``.

        Returns created user.
        """
        if grant_all:
            every_flag = (True,) * 10  # ten can_* parameters follow password
            return self.create_page_user(username, password, *every_flag)

        if password is None:
            # Fixture convenience: the username doubles as the password.
            password = username

        requested = {}
        requested['can_add_page'] = can_add_page
        requested['can_change_page'] = can_change_page
        requested['can_delete_page'] = can_delete_page
        requested['can_recover_page'] = can_recover_page
        requested['can_add_pageuser'] = can_add_pageuser
        requested['can_change_pageuser'] = can_change_pageuser
        requested['can_delete_pageuser'] = can_delete_pageuser
        requested['can_add_pagepermission'] = can_add_pagepermission
        requested['can_change_pagepermission'] = can_change_pagepermission
        requested['can_delete_pagepermission'] = can_delete_pagepermission

        acting_user = (
            self.user if hasattr(self, 'user')
            else User.objects.create_superuser(
                'superuser', '*****@*****.**', 'superuser')
        )

        try:
            target = User.objects.get(username=username)
        except User.DoesNotExist:
            target = User.objects.create_user(
                username, '*****@*****.**', password)
            target.is_staff = True
            target.is_active = True

        wrapper = PageUser(created_by=acting_user)
        # Mirror the concrete User columns onto the PageUser instance.
        for column in User._meta.local_fields:
            setattr(wrapper, column.name, getattr(target, column.name))

        target.save()
        wrapper.save()
        save_permissions(requested, wrapper)
        return target
Beispiel #3
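def create_page_user(created_by,
                     user,
                     can_add_page=True,
                     can_view_page=True,
                     can_change_page=True,
                     can_delete_page=True,
                     can_recover_page=True,
                     can_add_pageuser=True,
                     can_change_pageuser=True,
                     can_delete_pageuser=True,
                     can_add_pagepermission=True,
                     can_change_pagepermission=True,
                     can_delete_pagepermission=True,
                     grant_all=False):
    """
    Creates a page user.

    Marks ``user`` as staff and active, saves it, creates a ``PageUser``
    carrying the same field values with ``created_by`` recorded on it, and
    stores the requested permission flags through ``save_permissions``.

    Every ``can_*`` flag defaults to True, so the default call hands out the
    full permission set; pass False for each permission that should be
    withheld. ``grant_all=True`` forces all eleven flags to True.

    Raises AssertionError if ``created_by`` is not an instance of the active
    user model. Returns ``user``.

    See docs/extending_cms/api_reference.rst for more info
    """
    # Imported here rather than at module level -- presumably to avoid a
    # circular import; confirm before moving it.
    from cms.admin.forms import save_permissions
    if grant_all:
        # just be lazy
        return create_page_user(created_by, user, True, True, True, True, True,
                                True, True, True, True, True, True)

    # validate created_by
    # An explicit raise instead of ``assert``: assert statements are removed
    # under ``python -O``, which would silently drop this check. The exception
    # type stays AssertionError so existing callers see the same error.
    user_model = get_user_model()
    if not isinstance(created_by, user_model):
        raise AssertionError(
            "created_by must be an instance of the active user model")

    data = {
        'can_add_page': can_add_page,
        'can_view_page': can_view_page,
        'can_change_page': can_change_page,
        'can_delete_page': can_delete_page,
        'can_recover_page': can_recover_page,
        'can_add_pageuser': can_add_pageuser,
        'can_change_pageuser': can_change_pageuser,
        'can_delete_pageuser': can_delete_pageuser,
        'can_add_pagepermission': can_add_pagepermission,
        'can_change_pagepermission': can_change_pagepermission,
        'can_delete_pagepermission': can_delete_pagepermission,
    }
    # The account is promoted to an active staff member unconditionally.
    user.is_staff = True
    user.is_active = True
    page_user = PageUser(created_by=created_by)
    # Copy every concrete field of the user model onto the PageUser.
    for field in [f.name for f in user_model._meta.local_fields]:
        setattr(page_user, field, getattr(user, field))
    user.save()
    page_user.save()
    save_permissions(data, page_user)
    return user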
Beispiel #4
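def create_page_user(created_by, user,
                     can_add_page=True, can_view_page=True,
                     can_change_page=True, can_delete_page=True,
                     can_recover_page=True, can_add_pageuser=True,
                     can_change_pageuser=True, can_delete_pageuser=True,
                     can_add_pagepermission=True,
                     can_change_pagepermission=True,
                     can_delete_pagepermission=True, grant_all=False):
    """
    Creates a page user.

    ``user`` is switched to staff and active and saved; a ``PageUser`` with
    the same field values is saved with ``created_by`` as its creator; the
    permission flags are then applied with ``save_permissions``.

    All ``can_*`` flags default to True: a caller that wants a restricted
    account must pass False for each permission to withhold.
    ``grant_all=True`` re-enters the function with all eleven flags True.

    Raises AssertionError when ``created_by`` is not an instance of the
    active user model. Returns ``user``.

    See docs/extending_cms/api_reference.rst for more info
    """
    # Function-scope import -- presumably avoids an import cycle; verify
    # before hoisting it to module level.
    from cms.admin.forms import save_permissions
    if grant_all:
        # just be lazy
        return create_page_user(created_by, user, True, True, True, True,
                                True, True, True, True, True, True, True)

    # validate created_by
    # Raised explicitly because a plain ``assert`` is stripped when Python
    # runs with -O, leaving created_by unchecked. AssertionError is kept as
    # the exception type for backward compatibility.
    user_model = get_user_model()
    if not isinstance(created_by, user_model):
        raise AssertionError(
            "created_by must be an instance of the active user model")

    data = {
        'can_add_page': can_add_page,
        'can_view_page': can_view_page,
        'can_change_page': can_change_page,
        'can_delete_page': can_delete_page,
        'can_recover_page': can_recover_page,
        'can_add_pageuser': can_add_pageuser,
        'can_change_pageuser': can_change_pageuser,
        'can_delete_pageuser': can_delete_pageuser,
        'can_add_pagepermission': can_add_pagepermission,
        'can_change_pagepermission': can_change_pagepermission,
        'can_delete_pagepermission': can_delete_pagepermission,
    }
    # Staff and active status are set regardless of the flags above.
    user.is_staff = True
    user.is_active = True
    page_user = PageUser(created_by=created_by)
    # Mirror the user model's concrete fields onto the PageUser instance.
    for field in [f.name for f in user_model._meta.local_fields]:
        setattr(page_user, field, getattr(user, field))
    user.save()
    page_user.save()
    save_permissions(data, page_user)
    return user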
Beispiel #5
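def create_page_user(created_by, user,
                     can_add_page=True, can_view_page=True,
                     can_change_page=True, can_delete_page=True,
                     can_recover_page=True, can_add_pageuser=True,
                     can_change_pageuser=True, can_delete_pageuser=True,
                     can_add_pagepermission=True,
                     can_change_pagepermission=True,
                     can_delete_pagepermission=True, grant_all=False):
    """
    Creates a page user.

    ``user`` is switched to staff and active and saved, a ``PageUser`` is
    created with ``created_by`` as its creator, and the permission flags are
    applied to it with ``save_permissions``.

    All ``can_*`` flags default to True, so permissions a caller does not
    want granted have to be passed as False. ``grant_all=True`` re-enters
    the function with all eleven flags True.

    Raises AssertionError when ``created_by`` is not an instance of the
    active user model. Returns ``user``.

    See docs/extending_cms/api_reference.rst for more info
    """
    if grant_all:
        # just be lazy
        return create_page_user(created_by, user, True, True, True, True,
                                True, True, True, True, True, True, True)

    # validate created_by
    # Explicit raise: an ``assert`` statement is removed under ``python -O``
    # and the check would vanish with it. AssertionError is kept so callers
    # observe the same exception type as before.
    if not isinstance(created_by, auth.get_user_model()):
        raise AssertionError(
            "created_by must be an instance of the active user model")

    data = {
        'can_add_page': can_add_page,
        'can_view_page': can_view_page,
        'can_change_page': can_change_page,
        'can_delete_page': can_delete_page,
        'can_recover_page': can_recover_page,
        'can_add_pageuser': can_add_pageuser,
        'can_change_pageuser': can_change_pageuser,
        'can_delete_pageuser': can_delete_pageuser,
        'can_add_pagepermission': can_add_pagepermission,
        'can_change_pagepermission': can_change_pagepermission,
        'can_delete_pagepermission': can_delete_pagepermission,
    }
    # Staff and active status are set regardless of the flags above.
    user.is_staff = True
    user.is_active = True
    user.save()
    # NOTE(review): ``user`` is passed positionally here; how PageUser's
    # constructor interprets a positional argument is not visible in this
    # listing -- confirm it links the PageUser to ``user`` as intended.
    page_user = PageUser(user, created_by=created_by)
    page_user.save()
    save_permissions(data, page_user)
    return user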
Beispiel #6
    def test_emulate_admin_index(self):
        """ Call methods that emulate the adminsite instance's index.
        This test was basically the reason for the new manager, in light of the
        problem highlighted in ticket #1120, which asserts that giving a user
        no site-specific rights when creating a GlobalPagePermission should
        allow access to all sites.

        Setup: two staff users. The first receives a GlobalPagePermission with
        no sites attached, the second one that is tied to the first site only.
        With CMS_PERMISSION enabled, both must get add/change (not delete) on
        site 1; on site 2 only the first user may, and the second must be
        refused everything.
        """
        # create and then ignore this user.
        # (it is only used further down as the publisher of the homepage)
        superuser = self._create_user("super", is_staff=True, is_active=True,
                                      is_superuser=True)
        superuser.set_password("super")
        superuser.save()
        # Two sites: the existing pk=1 and a second one created for this test.
        SITES = [
            Site.objects.get(pk=1),
            Site.objects.create(domain='example2.com', name='example2.com'),
        ]
        # create 2 staff users
        USERS = [
            self._create_user("staff", is_staff=True, is_active=True),
            self._create_user("staff_2", is_staff=True, is_active=True),
        ]
        for user in USERS:
            user.set_password('staff')
            # re-use the same methods the UserPage form does.
            # Note that it internally calls .save(), as we've not done so.
            # Both users get add/change on pages but not delete.
            save_permissions({
                'can_add_page': True,
                'can_change_page': True,
                'can_delete_page': False
            }, user)

        # First user: global permission with no sites attached.
        GlobalPagePermission.objects.create(can_add=True, can_change=True,
                                            can_delete=False, user=USERS[0])
        # we're querying here to ensure that even though we've created two users
        # above, we should have successfully filtered to just one perm.
        self.assertEqual(1, GlobalPagePermission.objects.with_user(USERS[0]).count())

        # this will confirm explicit permissions still work, by adding the first
        # site instance to the many2many relationship 'sites'
        GlobalPagePermission.objects.create(can_add=True, can_change=True,
                                            can_delete=False,
                                            user=USERS[1]).sites.add(SITES[0])
        self.assertEqual(1, GlobalPagePermission.objects.with_user(USERS[1]).count())

        homepage = create_page(title="master", template="nav_playground.html",
                               language="en", in_navigation=True, slug='/')
        publish_page(page=homepage, user=superuser, language='en')

        with SettingsOverride(CMS_PERMISSION=True):
            # for all users, they should have access to site 1
            request = RequestFactory().get(path='/', data={'site__exact': 1})
            # we need a session attribute for current_site(request), which is
            # used by has_page_add_permission and has_page_change_permission
            request.session = {}
            for user in USERS:
                # has_page_add_permission and has_page_change_permission both test
                # for this explicitly, to see if it's a superuser.
                request.user = user
                # Note, the query count is inflated by doing additional lookups
                # because there's a site param in the request.
                with self.assertNumQueries(FuzzyInt(6,7)):
                    # PageAdmin swaps out the methods called for permissions
                    # if the setting is true, it makes use of cms.utils.permissions
                    self.assertTrue(has_page_add_permission(request))
                    self.assertTrue(has_page_change_permission(request))
                    # internally this calls PageAdmin.has_[add|change|delete]_permission()
                    self.assertEqual({'add': True, 'change': True, 'delete': False},
                                     site._registry[Page].get_model_perms(request))

            # can't use the above loop for this test, as we're testing that
            # user 1 has access, but user 2 does not, as they are only assigned
            # to site 1
            request = RequestFactory().get('/', data={'site__exact': 2})
            request.session = {}
            # As before, the query count is inflated by doing additional lookups
            # because there's a site param in the request
            # The 11-20 query budget covers the checks for both users below.
            with self.assertNumQueries(FuzzyInt(11, 20)):
                # this user shouldn't have access to site 2
                # (negative case: a permission scoped to site 1 must not
                # carry over to another site)
                request.user = USERS[1]
                self.assertTrue(not has_page_add_permission(request))
                self.assertTrue(not has_page_change_permission(request))
                self.assertEqual({'add': False, 'change': False, 'delete': False},
                                 site._registry[Page].get_model_perms(request))
                # but, going back to the first user, they should.
                # NOTE(review): unlike the requests above, no session is
                # assigned to this new request -- confirm the permission
                # helpers do not need one on this path.
                request = RequestFactory().get('/', data={'site__exact': 2})
                request.user = USERS[0]
                self.assertTrue(has_page_add_permission(request))
                self.assertTrue(has_page_change_permission(request))
                self.assertEqual({'add': True, 'change': True, 'delete': False},
                                 site._registry[Page].get_model_perms(request))
Beispiel #7
    def test_emulate_admin_index(self):
        """ Call methods that emulate the adminsite instance's index.
        This test was basically the reason for the new manager, in light of the
        problem highlighted in ticket #1120, which asserts that giving a user
        no site-specific rights when creating a GlobalPagePermission should
        allow access to all sites.

        Setup: two staff users. The first receives a GlobalPagePermission with
        no sites attached, the second one that is tied to site_1 only. With
        CMS_PERMISSION enabled, both must get add/change (not delete) on
        site_1; on site_2 only the first user may, and the second must be
        refused everything. When DJANGO_2_0 is false the expected dicts also
        carry a 'view' entry.
        """
        # create and then ignore this user.
        # (it is only used further down as the publisher of the homepage)
        superuser = self._create_user("super",
                                      is_staff=True,
                                      is_active=True,
                                      is_superuser=True)
        superuser.set_password("super")
        superuser.save()

        # Two sites: the existing pk=1 and a second one created for this test.
        site_1 = Site.objects.get(pk=1)
        site_2 = Site.objects.create(domain='example2.com',
                                     name='example2.com')

        SITES = [site_1, site_2]

        # create 2 staff users
        USERS = [
            self._create_user("staff", is_staff=True, is_active=True),
            self._create_user("staff_2", is_staff=True, is_active=True),
        ]
        for user in USERS:
            user.set_password('staff')
            # re-use the same methods the UserPage form does.
            # Note that it internally calls .save(), as we've not done so.
            # Both users get add/change on pages but not delete.
            save_permissions(
                {
                    'can_add_page': True,
                    'can_change_page': True,
                    'can_delete_page': False
                }, user)

        # First user: global permission with no sites attached.
        GlobalPagePermission.objects.create(can_add=True,
                                            can_change=True,
                                            can_delete=False,
                                            user=USERS[0])
        # we're querying here to ensure that even though we've created two users
        # above, we should have successfully filtered to just one perm.
        self.assertEqual(
            1,
            GlobalPagePermission.objects.with_user(USERS[0]).count())

        # this will confirm explicit permissions still work, by adding the first
        # site instance to the many2many relationship 'sites'
        GlobalPagePermission.objects.create(can_add=True,
                                            can_change=True,
                                            can_delete=False,
                                            user=USERS[1]).sites.add(SITES[0])
        self.assertEqual(
            1,
            GlobalPagePermission.objects.with_user(USERS[1]).count())

        homepage = create_page(title="master",
                               template="nav_playground.html",
                               language="en",
                               in_navigation=True,
                               slug='/')
        publish_page(page=homepage, user=superuser, language='en')

        with self.settings(CMS_PERMISSION=True):
            # for all users, they should have access to site 1
            # The site is selected through the 'cms_admin_site' session key.
            request = RequestFactory().get(path='/')
            request.session = {'cms_admin_site': site_1.pk}
            request.current_page = None
            for user in USERS:
                request.user = user
                # Note, the query count is inflated by doing additional lookups
                # because there's a site param in the request.
                # NOTE(review): this request carries no site parameter; the
                # site comes from the session, so the remark above looks
                # stale -- confirm.
                # The upper bound is 5 instead of 4 on Django 2.1+, because
                # that release introduced default view permissions.
                max_queries = 4 if DJANGO_2_0 else 5
                with self.assertNumQueries(FuzzyInt(3, max_queries)):
                    # internally this calls PageAdmin.has_[add|change|delete|view]_permission()
                    expected_perms = {
                        'add': True,
                        'change': True,
                        'delete': False
                    }
                    if not DJANGO_2_0:
                        expected_perms.update({'view': True})
                    self.assertEqual(
                        expected_perms,
                        site._registry[Page].get_model_perms(request))

            # can't use the above loop for this test, as we're testing that
            # user 1 has access, but user 2 does not, as they are only assigned
            # to site 1
            request = RequestFactory().get(path='/')
            request.session = {'cms_admin_site': site_2.pk}
            request.current_page = None

            # Refresh internal user cache
            USERS[0] = self.reload(USERS[0])
            USERS[1] = self.reload(USERS[1])

            # As before, the query count is inflated by doing additional lookups
            # because there's a site param in the request
            # The 5-15 query budget covers the checks for both users below.
            with self.assertNumQueries(FuzzyInt(5, 15)):
                # this user shouldn't have access to site 2
                # (negative case: a permission scoped to site_1 must not
                # carry over to another site)
                request.user = USERS[1]
                expected_perms = {
                    'add': False,
                    'change': False,
                    'delete': False
                }
                if not DJANGO_2_0:
                    expected_perms.update({'view': False})
                self.assertEqual(expected_perms,
                                 site._registry[Page].get_model_perms(request))
                # but, going back to the first user, they should.
                # This request names site_2 through the 'site__exact' query
                # parameter and uses an empty session, unlike the requests
                # above which select the site through the session.
                request = RequestFactory().get('/',
                                               data={'site__exact': site_2.pk})
                request.user = USERS[0]
                request.current_page = None
                request.session = {}
                expected_perms = {'add': True, 'change': True, 'delete': False}
                if not DJANGO_2_0:
                    expected_perms.update({'view': True})
                self.assertEqual(expected_perms,
                                 site._registry[Page].get_model_perms(request))