def test_editors_cannot_unpublish_child_pages(root_page):
env = two_branches_with_users(root_page)
resp = env.editor_1_client.post(
reverse('wagtailadmin_pages:unpublish', args=[env.article_1.pk])
)
assert resp.status_code == status.HTTP_403_FORBIDDEN
def test_moderators_cannot_access_pages_not_from_their_branch(root_page):
"""
This reproduces situation when a moderator would try to access page that
doesn't belong to they branch by simply changing page ID in the URL
"""
env = two_branches_with_users(root_page)
resp_1 = env.moderator_1_client.get(
f'/admin/pages/{env.home_2.pk}/edit/'
)
assert resp_1.status_code == status.HTTP_403_FORBIDDEN
resp_2 = env.moderator_2_client.get(
f'/admin/pages/{env.home_1.pk}/edit/'
)
assert resp_2.status_code == status.HTTP_403_FORBIDDEN
resp_3 = env.moderator_1_client.get(f'/admin/pages/{env.home_2.pk}/')
assert resp_3.status_code == status.HTTP_302_FOUND
assert resp_3.url == f'/admin/pages/{env.home_1.pk}/'
resp_4 = env.moderator_2_client.get(f'/admin/pages/{env.home_1.pk}/')
assert resp_4.status_code == status.HTTP_302_FOUND
assert resp_4.url == f'/admin/pages/{env.home_2.pk}/'
# Unfortunately on API level Wagtail allows users to list pages that
# belong to different branch
resp_6 = env.moderator_1_client.get(
f'/admin/api/v2beta/pages/?child_of={env.landing_2.pk}&for_explorer=1'
)
assert resp_6.status_code == status.HTTP_200_OK
assert resp_6.json()['meta']['total_count'] == 1
assert resp_6.json()['items'][0]['id'] == env.listing_2.pk
def test_admins_can_create_pages_in_any_branch(root_page):
env = two_branches_with_users(root_page)
# Add ExRed Article page
data_1 = {
'article_title': 'test article',
'article_teaser': 'test article',
'article_body_text': 'test article',
'title_en_gb': 'test article',
'slug': 'test-article',
'action-publish': 'action-publish',
}
resp_1 = env.admin_client.post(
reverse(
'wagtailadmin_pages:add',
args=[
env.article_1._meta.app_label,
env.article_1._meta.model_name,
env.listing_1.pk
],
),
data=data_1,
)
assert resp_1.status_code == status.HTTP_302_FOUND
assert resp_1.url.startswith('/admin/pages/') # format is /admin/pages/3/
# Add FAS Industry Article page
data_2 = {
'article_title': 'test article',
'article_teaser': 'test article',
'article_body_text': 'test article',
'title_en_gb': 'test article',
'body': 'this is a test page',
'slug': 'test-article',
'action-publish': 'action-publish',
'breadcrumbs_label_en_gb': 'test breadcrumb',
'introduction_title_en_gb': 'test introduction',
'author_name_en_gb': 'dit',
'job_title_en_gb': 'dit',
'proposition_text_en_gb': 'test proposition',
'call_to_action_text_en_gb': 'contact us',
'back_to_home_link_text_en_gb': 'home',
'social_share_title_en_gb': 'share',
'date_en_gb': '2019-01-01',
}
resp_2 = env.admin_client.post(
reverse(
'wagtailadmin_pages:add',
args=[
env.article_2._meta.app_label,
env.article_2._meta.model_name,
env.listing_2.pk
],
),
data=data_2,
)
assert resp_2.status_code == status.HTTP_302_FOUND
assert resp_2.url.startswith('/admin/pages/') # format is /admin/pages/3/
def test_moderators_and_admins_can_view_revisions_from_other_branches(
root_page
):
"""
Unfortunately on API level Wagtail allows Moderators to view revisions from
other branches.
"""
env = two_branches_with_users(root_page)
revision_1 = env.article_1.save_revision(
user=env.editor_1, submitted_for_moderation=True
)
revision_2 = env.article_2.save_revision(
user=env.editor_2, submitted_for_moderation=True
)
revert_path_1 = f'/admin/pages/{env.article_1.pk}/revisions/{revision_1.pk}/revert/' # NOQA
revert_path_2 = f'/admin/pages/{env.article_2.pk}/revisions/{revision_2.pk}/revert/' # NOQA
resp_1 = env.moderator_1_client.get(
reverse('wagtailadmin_pages:revisions_index',
args=[env.article_1.pk])
)
assert resp_1.status_code == status.HTTP_200_OK
content_1 = resp_1.content.decode()
assert revert_path_1 in content_1
assert revert_path_2 not in content_1
resp_2 = env.moderator_1_client.get(
reverse('wagtailadmin_pages:revisions_index',
args=[env.article_2.pk])
)
assert resp_2.status_code == status.HTTP_200_OK
content_2 = resp_2.content.decode()
assert revert_path_1 not in content_2
assert revert_path_2 in content_2
resp_3 = env.moderator_2_client.get(
reverse('wagtailadmin_pages:revisions_index',
args=[env.article_1.pk])
)
assert resp_3.status_code == status.HTTP_200_OK
content_3 = resp_3.content.decode()
assert revert_path_1 in content_3
assert revert_path_2 not in content_3
resp_4 = env.moderator_2_client.get(
reverse('wagtailadmin_pages:revisions_index',
args=[env.article_2.pk])
)
assert resp_4.status_code == status.HTTP_200_OK
content_4 = resp_4.content.decode()
assert revert_path_1 not in content_4
assert revert_path_2 in content_4
def test_admins_should_be_able_to_reject_revision_from_any_branch(root_page):
"""
Somehow Wagtail doesn't show to the editor that revision was rejected
and thus we have to use Admin client to check that (in last assertion)
"""
env = two_branches_with_users(root_page)
# At this point there should be no revisions
resp_1 = env.editor_1_client.get(
reverse(
'wagtailadmin_pages:revisions_index',
args=[env.article_1.pk]
)
)
assert 'No revision of this page exist' in resp_1.content.decode()
# Make a change and save revision
new_title = 'The title was modified'
env.article_1.title = new_title
revision = env.article_1.save_revision(
user=env.editor_1, submitted_for_moderation=True
)
# Check if revision is visible
resp_2 = env.editor_1_client.get(
reverse(
'wagtailadmin_pages:revisions_index',
args=[env.article_1.pk]
)
)
assert new_title in resp_2.content.decode()
revert_url = f'/admin/pages/{env.article_1.pk}/revisions/{revision.pk}/revert/' # NOQA
assert revert_url in resp_2.content.decode()
# Reject request for moderation
resp_3 = env.admin_client.post(
reverse('wagtailadmin_pages:reject_moderation', args=[revision.pk])
)
assert resp_3.status_code == status.HTTP_302_FOUND
assert resp_3.url == '/admin/'
# Verify if rejection is visible
resp_4 = env.admin_client.get(
reverse(
'wagtailadmin_pages:revisions_index',
args=[env.article_1.pk]
)
)
assert resp_4.status_code == status.HTTP_200_OK
assert 'rejected for publication' in resp_4.content.decode()
def test_moderators_cannot_reject_revision_from_other_branch(root_page):
env = two_branches_with_users(root_page)
new_title = 'The title was modified'
env.article_1.title = new_title
revision = env.article_1.save_revision(
user=env.editor_1, submitted_for_moderation=True
)
# Reject request for moderation
resp = env.moderator_2_client.post(
reverse('wagtailadmin_pages:reject_moderation', args=[revision.pk])
)
assert resp.status_code == status.HTTP_403_FORBIDDEN
def test_editors_cannot_publish_child_pages(root_page):
env = two_branches_with_users(root_page)
draft_page = ArticlePageFactory(
parent=env.landing_1, live=False
)
revision = draft_page.save_revision(
user=env.editor_1, submitted_for_moderation=True
)
resp = env.editor_1_client.post(
reverse('wagtailadmin_pages:approve_moderation', args=[revision.pk])
)
assert resp.status_code == status.HTTP_403_FORBIDDEN
def test_branch_moderators_should_only_see_pages_from_their_branch(root_page):
"""
This reproduces Wagtail's admin call to list pages in the 'Pages' menu.
Moderators should only see app pages that share common root page
"""
env = two_branches_with_users(root_page)
resp_1 = env.moderator_1_client.get(
f'/admin/api/v2beta/pages/?child_of={env.landing_1.pk}&for_explorer=1'
)
assert resp_1.status_code == status.HTTP_200_OK
assert resp_1.json()['meta']['total_count'] == 1
assert resp_1.json()['items'][0]['id'] == env.listing_1.pk
resp_2 = env.moderator_2_client.get(
f'/admin/api/v2beta/pages/?child_of={env.landing_2.pk}&for_explorer=1'
)
assert resp_2.status_code == status.HTTP_200_OK
assert resp_2.json()['meta']['total_count'] == 1
assert resp_2.json()['items'][0]['id'] == env.listing_2.pk
def test_admins_should_be_able_to_access_all_pages_in_any_branch(root_page):
env = two_branches_with_users(root_page)
resp_1 = env.admin_client.get(
f'/admin/api/v2beta/pages/?child_of={env.landing_1.pk}&for_explorer=1'
)
assert resp_1.status_code == status.HTTP_200_OK
resp_2 = env.admin_client.get(
f'/admin/api/v2beta/pages/?child_of={env.landing_2.pk}&for_explorer=1'
)
assert resp_2.status_code == status.HTTP_200_OK
resp_3 = env.admin_client.get(
f'/admin/api/v2beta/pages/?child_of={env.article_1.pk}&for_explorer=1'
)
assert resp_3.status_code == status.HTTP_200_OK
resp_4 = env.admin_client.get(
f'/admin/api/v2beta/pages/?child_of={env.article_2.pk}&for_explorer=1'
)
assert resp_4.status_code == status.HTTP_200_OK
def test_admins_can_reject_revision(root_page):
env = two_branches_with_users(root_page)
new_title = 'The title was modified'
env.article_1.title = new_title
revision = env.article_1.save_revision(
user=env.editor_1, submitted_for_moderation=True
)
# Reject request for moderation
resp_1 = env.admin_client.post(
reverse('wagtailadmin_pages:reject_moderation', args=[revision.pk])
)
assert resp_1.status_code == status.HTTP_302_FOUND
assert resp_1.url == '/admin/'
# Verify if rejection is visible
resp_2 = env.admin_client.get(
reverse('wagtailadmin_pages:revisions_index', args=[env.article_1.pk])
)
assert resp_2.status_code == status.HTTP_200_OK
assert 'rejected for publication' in resp_2.content.decode()
def test_moderators_can_approve_revisions_only_for_pages_in_their_branch(
root_page
):
env = two_branches_with_users(root_page)
new_title = 'The title was modified'
env.article_2.title = new_title
revision = env.article_2.save_revision(
user=env.editor_2, submitted_for_moderation=True
)
resp_1 = env.moderator_1_client.post(
reverse('wagtailadmin_pages:approve_moderation', args=[revision.pk])
)
assert resp_1.status_code == status.HTTP_403_FORBIDDEN
# after publishing a page, user is redirected to the '/admin/' page
resp_2 = env.moderator_2_client.post(
reverse('wagtailadmin_pages:approve_moderation', args=[revision.pk]),
follow=True,
)
assert resp_2.status_code == status.HTTP_200_OK