def get_visible_page_objects(request, pages, site=None):
    """
    Return the pages from ``pages`` that ``request.user`` is allowed to view.

    Many-pages-at-once version of Page.has_view_permission: the view
    restrictions are loaded once for the whole batch.  ``pages`` contains
    all published pages.

    The early exits hand back ``pages`` itself (or an empty list); in every
    other case a new list is built.
    """
    user = request.user
    audience = get_cms_setting('PUBLIC_FOR')
    can_see_unrestricted = audience == 'all' or (audience == 'staff' and user.is_staff)
    is_auth_user = user.is_authenticated()

    restricted_pages = load_view_restrictions(request, pages)
    if not restricted_pages:
        if can_see_unrestricted:
            return pages
        if not is_auth_user:
            # An anonymous user cannot hold a global or per-user view grant.
            return []

    if get_cms_setting('PERMISSION') and not site:
        # Only resolved when the caller did not pass a site.
        site = current_site(request)
    if has_global_page_permission(request, site, can_view=True):
        return pages

    # Deferred so the permission and group lookups only run when a page
    # actually needs them.
    has_global_perm = SimpleLazyObject(lambda: user.has_perm('cms.view_page'))
    user_groups = SimpleLazyObject(
        lambda: set(user.groups.values_list('pk', flat=True)))

    def has_permission_membership(page_id):
        """
        Tell whether a restriction on ``page_id`` names the user or one of
        the user's groups.
        """
        user_pk = user.pk
        return any(
            perm.user_id == user_pk or perm.group_id in user_groups
            for perm in restricted_pages[page_id]
        )

    def may_view(page):
        page_id = page.pk
        # restricted_pages has a key for every page pk that a view
        # restriction applies to.
        if page_id not in restricted_pages:
            if can_see_unrestricted:
                return True
            # Unrestricted page that PUBLIC_FOR hides from this user: only
            # the cms.view_page permission opens it.
            return is_auth_user and bool(has_global_perm)
        if not is_auth_user:
            return False
        # cms.view_page is accepted on its own, so a logged-in holder sees
        # restricted pages even without a matching user/group entry.
        return has_permission_membership(page_id) or bool(has_global_perm)

    return [page for page in pages if may_view(page)]
def get_nodes(self, request):
    """
    Build the navigation nodes for the pages ``request.user`` may see.

    Pages of the current site are loaded ordered by path, filtered through
    get_visible_pages(), and converted with page_to_node(); pages that end
    up without a title in the accepted languages are left out.
    """
    # NOTE(review): the block nesting below was reconstructed from a listing
    # that had lost its indentation -- confirm the two marked spots.
    page_queryset = get_page_queryset(request)
    site = current_site(request)
    lang = get_language_from_request(request)

    filters = {'site': site}
    if hide_untranslated(lang, site.pk):
        filters['title_set__language'] = lang
        # NOTE(review): assumed to sit inside the language filter branch.
        if not use_draft(request):
            filters['title_set__published'] = True

    if not use_draft(request):
        page_queryset = page_queryset.published()
    pages = page_queryset.filter(**filters).order_by("path")

    pages_by_id = {}
    shown_pages = []
    first = True
    home = None
    home_cut = False
    home_children = []

    # cache view perms
    visible_pages = get_visible_pages(request, pages, site)
    for page in pages:
        if page.pk not in visible_pages:
            # Don't include pages the user doesn't have access to.  This
            # runs before "home" is chosen, so home is the first page in
            # path order that this user may see.
            continue
        if not home:
            home = page
        is_home = page.pk == home.pk
        if first and not is_home:
            home_cut = True
        if home_cut and (page.parent_id == home.pk
                         or page.parent_id in home_children):
            home_children.append(page.pk)
        if not is_home or home.in_navigation:
            first = False
        # NOTE(review): assumed to run for every visible page, not only
        # when the condition above holds.
        pages_by_id[page.id] = page
        shown_pages.append(page)
        page.title_cache = {}

    langs = [lang]
    # NOTE(review): this call omits site.pk while the one above passes it --
    # confirm both are meant to consult the same site's language settings.
    if not hide_untranslated(lang):
        langs.extend(get_fallback_languages(lang))

    titles = list(get_title_queryset(request).filter(
        page__in=pages_by_id, language__in=langs))
    for title in titles:
        # attach each title to its page, keyed by language
        pages_by_id[title.page_id].title_cache[title.language] = title

    return [
        page_to_node(page, home, home_cut)
        for page in shown_pages
        if page.title_cache
    ]
def has_any_page_change_permissions(request):
    """
    Tell whether the user has a PagePermission entry on the current site.

    Anonymous users get False, superusers True.  Everyone else needs at
    least one PagePermission row on the current site that names them or one
    of their groups.
    """
    from cms.utils.helpers import current_site

    user = request.user
    if not user.is_authenticated():
        return False
    if user.is_superuser:
        return True

    # NOTE(review): the filter matches any PagePermission row for the user;
    # it does not narrow to rows that grant change -- confirm that this is
    # what callers expect from the function name.
    site_perms = PagePermission.objects.filter(page__site=current_site(request))
    belongs_to_user = Q(user=user) | Q(group__in=user.groups.all())
    return site_perms.filter(belongs_to_user).exists()
def get_visible_page_objects(request, pages, site=None):
    """
    Filter ``pages`` down to those the requesting user may view.

    This is basically a many-pages-at-once version of
    Page.has_view_permission.  ``pages`` contains all published pages; the
    view restrictions for all of them are loaded in one go.

    Returns ``pages`` unchanged on the early exits, an empty list for an
    anonymous user who can see nothing, and a new list otherwise.
    """
    public_for = get_cms_setting('PUBLIC_FOR')
    if public_for == 'all':
        can_see_unrestricted = True
    else:
        can_see_unrestricted = public_for == 'staff' and request.user.is_staff
    is_auth_user = request.user.is_authenticated()

    restricted_pages = load_view_restrictions(request, pages)
    nothing_restricted = not restricted_pages
    if nothing_restricted and can_see_unrestricted:
        return pages
    if nothing_restricted and not is_auth_user:
        # Unauth user can't acquire global or user perm to see pages
        return []

    if get_cms_setting('PERMISSION') and not site:
        site = current_site(request)  # avoid one extra query when possible
    if has_global_page_permission(request, site, can_view=True):
        return pages

    # Lazy wrappers: neither lookup runs until a page needs it.
    has_global_perm = SimpleLazyObject(
        lambda: request.user.has_perm('cms.view_page'))
    user_groups = SimpleLazyObject(
        lambda: set(request.user.groups.values_list('pk', flat=True)))

    def has_permission_membership(page_id):
        """
        PagePermission user/group membership test for one restricted page.
        """
        current_pk = request.user.pk
        for restriction in restricted_pages[page_id]:
            if restriction.user_id == current_pk:
                return True
            if restriction.group_id in user_groups:
                return True
        return False

    visible_pages = []
    for page in pages:
        page_id = page.pk
        # restricted_pages contains as key any page.pk that is affected by
        # a view restriction.
        if page_id in restricted_pages:
            # Membership OR the cms.view_page permission: the permission
            # alone is enough to see a restricted page when logged in.
            allowed = is_auth_user and (
                has_permission_membership(page_id) or bool(has_global_perm))
        elif can_see_unrestricted:
            allowed = True
        else:
            # Unrestricted, but PUBLIC_FOR excludes this user.
            allowed = is_auth_user and bool(has_global_perm)
        if allowed:
            visible_pages.append(page)
    return visible_pages
def get_visible_page_objects(request, pages, site=None):
    """
    Return the pages from ``pages`` that ``request.user`` may view.

    Many-pages-at-once version of
    cms.utils.page_permissions.user_can_view_page; ``pages`` contains all
    published pages.  The early exits return ``pages`` itself or an empty
    list; otherwise a new, filtered list is returned.
    """
    user = request.user
    audience = get_cms_setting('PUBLIC_FOR')
    can_see_unrestricted = audience == 'all' or (audience == 'staff' and user.is_staff)
    is_auth_user = user.is_authenticated()

    if not (is_auth_user or can_see_unrestricted):
        # Anonymous and shut out of unrestricted pages: restricted pages
        # need a login and unrestricted ones are hidden, so nothing is left.
        return []

    if not site:
        site = current_site(request)

    if user_can_view_all_pages(user, site):
        return pages

    restricted_pages = get_view_restrictions(pages)
    if not restricted_pages:
        # Without any restriction only the PUBLIC_FOR setting decides.
        if can_see_unrestricted:
            return pages
        return []

    user_id = user.pk
    # Group pks are fetched lazily, on the first restriction that needs them.
    user_groups = SimpleLazyObject(
        lambda: frozenset(user.groups.values_list('pk', flat=True)))

    def user_can_see_page(page):
        # Restrictions are looked up under the page's own pk for drafts and
        # under publisher_public_id for every other page.
        page_id = page.pk if page.publisher_is_draft else page.publisher_public_id
        page_permissions = restricted_pages.get(page_id, [])

        if not page_permissions:
            # No view restriction on this page: fall back to the project's
            # CMS_PUBLIC_FOR setting.
            return can_see_unrestricted
        if not is_auth_user:
            return False
        # A restricted page needs an entry naming the user or one of the
        # user's groups.
        return any(
            perm.user_id == user_id or perm.group_id in user_groups
            for perm in page_permissions
        )

    return [page for page in pages if user_can_see_page(page)]
def has_any_page_change_permissions(request):
    """
    Report whether the user holds any PagePermission on the current site.

    False for anonymous users and True for superusers; otherwise True only
    if a PagePermission row on the current site references the user or one
    of the user's groups.
    """
    from cms.utils.helpers import current_site

    current_user = request.user
    if not current_user.is_authenticated():
        return False
    if current_user.is_superuser:
        return True

    # NOTE(review): no can_change condition is applied here; a row of any
    # kind for this user on the site is enough -- confirm that is intended.
    on_this_site = PagePermission.objects.filter(
        page__site=current_site(request)
    )
    for_user_or_groups = Q(user=current_user) | Q(
        group__in=current_user.groups.all()
    )
    return on_this_site.filter(for_user_or_groups).exists()
def __init__(self, request, *args, **kwargs):
    """
    Set up the change list for the site resolved from ``request``.

    The site is resolved before the parent initialiser runs; the queryset
    and the results are loaded afterwards, and the site's pk is stored in
    the session under ``cms_admin_site``.
    """
    from cms.utils.helpers import current_site

    self._current_site = current_site(request)
    super(CMSChangeList, self).__init__(request, *args, **kwargs)

    # Any error raised by get_queryset() propagates to the caller unchanged.
    self.queryset = self.get_queryset(request)
    self.get_results(request)

    if self._current_site:
        # NOTE(review): how current_site() picks the site is not visible
        # here; if it honours request parameters, confirm the user is
        # allowed on that site before it is remembered in the session.
        request.session['cms_admin_site'] = self._current_site.pk
    self.set_sites(request)
def __init__(self, request, *args, **kwargs):
    """
    Initialise the change list and remember the active site.

    Resolves the site from ``request`` first, runs the parent initialiser,
    loads the queryset and results, then writes the site's pk to
    ``request.session['cms_admin_site']`` when a site was found.
    """
    from cms.utils.helpers import current_site

    self._current_site = current_site(request)
    super(CMSChangeList, self).__init__(request, *args, **kwargs)

    # Exceptions from get_queryset() are not handled here; they reach the
    # caller as raised.
    self.queryset = self.get_queryset(request)
    self.get_results(request)

    if self._current_site:
        # NOTE(review): the stored pk comes from whatever current_site()
        # derived from the request -- confirm that the derivation checks
        # the user's access to the site.
        request.session['cms_admin_site'] = self._current_site.pk
    self.set_sites(request)
def has_page_change_permission(request):
    """
    Tell whether the current user may change pages on the current site.

    True for superusers, for users who pass has_auth_page_permission() for
    ``change`` and also hold a global change permission on the site, and
    for users for whom has_any_page_change_permissions() is true.
    """
    from cms.utils.helpers import current_site

    user = request.user
    site = current_site(request)
    # Queried before the superuser shortcut, so superusers pay for it too.
    global_change_perm = GlobalPagePermission.objects.user_has_change_permission(
        user, site).exists()

    if user.is_superuser:
        return True
    if has_auth_page_permission(user, action='change') and global_change_perm:
        return True
    # NOTE(review): this fallback is reached without the auth-level change
    # permission, so a per-page permission entry alone is sufficient --
    # confirm that the change permission is not meant to be mandatory.
    return has_any_page_change_permissions(request)
def has_page_change_permission(request):
    """
    Tell whether the current user may change pages on the current site.

    True for superusers, for users who hold the model-level ``change``
    permission on Page together with a global change permission on the
    site, and for users for whom has_any_page_change_permissions() is true.
    """
    from cms.utils.helpers import current_site

    opts = Page._meta
    user = request.user
    site = current_site(request)
    # Queried before the superuser shortcut, so superusers pay for it too.
    global_change_perm = GlobalPagePermission.objects.user_has_change_permission(
        user, site).exists()

    if user.is_superuser:
        return True

    change_perm = opts.app_label + '.' + get_permission_codename('change', opts)
    if user.has_perm(change_perm) and global_change_perm:
        return True
    # NOTE(review): the per-page fallback does not require the model-level
    # change permission checked above -- confirm that this is intended.
    return has_any_page_change_permissions(request)
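def has_page_add_permission(request):
    """
    Return True if the current user has permission to add a new page.

    Used for the general add buttons: only a superuser, or a user with the
    model-level add permission plus an add grant in GlobalPagePermission,
    may add a page.

    When the page is added from the change list, ``target`` and
    ``position`` arrive as GET parameters and the check is made against the
    target page instead.  An unknown or malformed ``target`` is denied.
    """
    from cms.utils.helpers import current_site

    user = request.user
    if user.is_superuser:
        return True

    opts = Page._meta
    add_perm = opts.app_label + '.' + get_permission_codename('add', opts)

    # Both values come straight from the query string.
    target = request.GET.get('target', None)
    position = request.GET.get('position', None)
    site = current_site(request)

    def has_global_add():
        # Model-level add permission AND a global add grant for this site.
        global_add_perm = GlobalPagePermission.objects.user_has_add_permission(
            user, site).exists()
        return bool(user.has_perm(add_perm) and global_add_perm)

    if not target:
        return has_global_add()

    try:
        page = Page.objects.get(pk=target)
    except (Page.DoesNotExist, ValueError):
        # With an integer primary key a non-numeric ``target`` raises
        # ValueError rather than DoesNotExist; deny it the same way
        # instead of letting the request fail.
        return False

    if has_global_add():
        return True
    if position in ("first-child", "last-child"):
        return page.has_add_permission(request)
    if position in ("left", "right") and page.parent_id:
        # Adding a sibling needs add rights on the parent.  The check uses
        # the target page's own site, not the request's current site.
        return has_generic_permission(page.parent_id, user, "add", page.site)
    # Sibling of a page without parent, or an unrecognised position.
    return False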
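def has_page_add_permission(request):
    """
    Return True if the current user has permission to add a new page.

    This is used for the general add buttons: only a superuser, or a user
    with the model-level add permission and an add grant in
    GlobalPagePermission, can add a page.

    A special case occurs when the page is added from the add-page button
    in the change list: ``target`` and ``position`` are then present in the
    query string and the check is made against the target page.  A
    ``target`` that does not resolve to a page is denied.
    """
    from cms.utils.helpers import current_site

    if request.user.is_superuser:
        return True

    opts = Page._meta
    perm_str = opts.app_label + '.' + get_permission_codename('add', opts)

    # if add under page -- both values are taken from the query string
    target = request.GET.get('target', None)
    position = request.GET.get('position', None)
    site = current_site(request)

    def _global_add_allowed():
        # Model-level add permission combined with a global add grant.
        global_add_perm = GlobalPagePermission.objects.user_has_add_permission(
            request.user, site).exists()
        return bool(request.user.has_perm(perm_str) and global_add_perm)

    if target:
        try:
            page = Page.objects.get(pk=target)
        except (Page.DoesNotExist, ValueError):
            # ValueError covers a ``target`` that cannot be converted to an
            # integer primary key; it is refused like a missing page.
            return False
        if _global_add_allowed():
            return True
        if position in ("first-child", "last-child"):
            return page.has_add_permission(request)
        elif position in ("left", "right"):
            if page.parent_id:
                # Checked against the target page's site (page.site), not
                # the site resolved from the request.
                return has_generic_permission(
                    page.parent_id, request.user, "add", page.site)
    elif _global_add_allowed():
        return True
    return False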
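def has_page_add_permission_from_request(request):
    """
    Decide from the request whether the user may add a page.

    Superusers are always allowed.  Otherwise ``target`` and ``position``
    are read from the query string, the target page is loaded when one is
    named, and the decision is delegated to has_page_add_permission().
    A ``target`` that does not resolve to a page is denied.
    """
    from cms.utils.helpers import current_site

    if request.user.is_superuser:
        return True

    # Both values come straight from the query string; ``position`` is
    # passed on as received.
    position = request.GET.get('position', None)
    target_page_id = request.GET.get('target', None)

    target = None
    if target_page_id:
        try:
            target = Page.objects.get(pk=target_page_id)
        except (Page.DoesNotExist, ValueError):
            # With an integer primary key a non-numeric id raises
            # ValueError rather than DoesNotExist; refuse it the same way
            # instead of letting the request fail.
            return False

    return has_page_add_permission(
        user=request.user,
        target=target,
        position=position,
        site=current_site(request),
    )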
def current_site(self):
    """
    Return what helpers.current_site() resolves for this object's request.
    """
    request = self.request
    return helpers.current_site(request)