def publish(request, page_id):
page = get_object_or_404(Page, id=page_id).specific
user_perms = UserPagePermissionsProxy(request.user)
if not user_perms.for_page(page).can_publish():
raise PermissionDenied
next_url = get_valid_next_url_from_request(request)
if request.method == 'POST':
include_descendants = request.POST.get("include_descendants", False)
page.save_revision().publish()
if include_descendants:
not_live_descendant_pages = (
page.get_descendants().not_live().specific())
for not_live_descendant_page in not_live_descendant_pages:
if user_perms.for_page(not_live_descendant_page).can_publish():
not_live_descendant_page.save_revision().publish()
if next_url:
return redirect(next_url)
return redirect('wagtailadmin_explore', page.get_parent().id)
return render(request, 'wagtailadmin/pages/confirm_publish.html', {
'page': page,
'next': next_url,
'not_live_descendant_count': page.get_descendants().not_live().count()
})
def test_lock_page_for_non_editing_user(self):
user = get_user_model().objects.get(username='******')
christmas_page = EventPage.objects.get(url_path='/home/events/christmas/')
perms = UserPagePermissionsProxy(user).for_page(christmas_page)
self.assertFalse(perms.can_lock())
def test_lock_page_for_moderator(self):
user = get_user_model().objects.get(username='******')
christmas_page = EventPage.objects.get(url_path='/home/events/christmas/')
perms = UserPagePermissionsProxy(user).for_page(christmas_page)
self.assertTrue(perms.can_lock())
def test_editable_pages_for_non_editing_user(self):
user = get_user_model().objects.get(username='******')
homepage = Page.objects.get(url_path='/home/')
christmas_page = EventPage.objects.get(url_path='/home/events/christmas/')
unpublished_event_page = EventPage.objects.get(url_path='/home/events/tentative-unpublished-event/')
someone_elses_event_page = EventPage.objects.get(url_path='/home/events/someone-elses-event/')
user_perms = UserPagePermissionsProxy(user)
editable_pages = user_perms.editable_pages()
can_edit_pages = user_perms.can_edit_pages()
publishable_pages = user_perms.publishable_pages()
can_publish_pages = user_perms.can_publish_pages()
self.assertFalse(editable_pages.filter(id=homepage.id).exists())
self.assertFalse(editable_pages.filter(id=christmas_page.id).exists())
self.assertFalse(editable_pages.filter(id=unpublished_event_page.id).exists())
self.assertFalse(editable_pages.filter(id=someone_elses_event_page.id).exists())
self.assertFalse(can_edit_pages)
self.assertFalse(publishable_pages.filter(id=homepage.id).exists())
self.assertFalse(publishable_pages.filter(id=christmas_page.id).exists())
self.assertFalse(publishable_pages.filter(id=unpublished_event_page.id).exists())
self.assertFalse(publishable_pages.filter(id=someone_elses_event_page.id).exists())
self.assertFalse(can_publish_pages)
def revisions_unschedule(request, page_id, revision_id):
page = get_object_or_404(Page, id=page_id).specific
user_perms = UserPagePermissionsProxy(request.user)
if not user_perms.for_page(page).can_unschedule():
raise PermissionDenied
revision = get_object_or_404(page.revisions, id=revision_id)
next_url = get_valid_next_url_from_request(request)
subtitle = _('revision {0} of "{1}"').format(revision.id, page.get_admin_display_title())
if request.method == 'POST':
revision.approved_go_live_at = None
revision.save(update_fields=['approved_go_live_at'])
messages.success(request, _('Revision {0} of "{1}" unscheduled.').format(revision.id, page.get_admin_display_title()), buttons=[
messages.button(reverse('wagtailadmin_pages:edit', args=(page.id,)), _('Edit'))
])
if next_url:
return redirect(next_url)
return redirect('wagtailadmin_pages:revisions_index', page.id)
return render(request, 'wagtailadmin/pages/revisions/confirm_unschedule.html', {
'page': page,
'revision': revision,
'next': next_url,
'subtitle': subtitle
})
def unpublish(request, page_id):
page = get_object_or_404(Page, id=page_id).specific
user_perms = UserPagePermissionsProxy(request.user)
if not user_perms.for_page(page).can_unpublish():
raise PermissionDenied
next_url = get_valid_next_url_from_request(request)
if request.method == 'POST':
include_descendants = request.POST.get("include_descendants", False)
page.unpublish()
if include_descendants:
live_descendant_pages = page.get_descendants().live().specific()
for live_descendant_page in live_descendant_pages:
if user_perms.for_page(live_descendant_page).can_unpublish():
live_descendant_page.unpublish()
messages.success(request, _("Page '{0}' unpublished.").format(page.get_admin_display_title()), buttons=[
messages.button(reverse('wagtailadmin_pages:edit', args=(page.id,)), _('Edit'))
])
if next_url:
return redirect(next_url)
return redirect('wagtailadmin_explore', page.get_parent().id)
return render(request, 'wagtailadmin/pages/confirm_unpublish.html', {
'page': page,
'next': next_url,
'live_descendant_count': page.get_descendants().live().count(),
})
def __init__(self, *args, **kwargs):
super().__init__(*args, **kwargs)
user_perms = UserPagePermissionsProxy(self.instance.user)
if not user_perms.can_publish_pages():
del self.fields['submitted_notifications']
if not user_perms.can_edit_pages():
del self.fields['approved_notifications']
del self.fields['rejected_notifications']
def register_account_notification_preferences(request):
user_perms = UserPagePermissionsProxy(request.user)
if user_perms.can_edit_pages() or user_perms.can_publish_pages():
return {
'url': reverse('wagtailadmin_account_notification_preferences'),
'label': _('Notification preferences'),
'help_text': _('Choose which email notifications to receive.'),
}
def account(request):
user_perms = UserPagePermissionsProxy(request.user)
show_notification_preferences = user_perms.can_edit_pages() or user_perms.can_publish_pages()
return render(request, 'wagtailadmin/account/account.html', {
'show_change_password': password_management_enabled() and request.user.has_usable_password(),
'show_notification_preferences': show_notification_preferences,
'show_preferred_language_preferences': len(get_available_admin_languages()) > 1
})
def test_lock_page_for_superuser(self):
user = get_user_model().objects.get(username='******')
christmas_page = EventPage.objects.get(url_path='/home/events/christmas/')
locked_page = Page.objects.get(url_path='/home/my-locked-page/')
perms = UserPagePermissionsProxy(user).for_page(christmas_page)
locked_perms = UserPagePermissionsProxy(user).for_page(locked_page)
self.assertTrue(perms.can_lock())
self.assertFalse(locked_perms.can_unpublish()) # locked pages can't be unpublished
def get_forms_for_user(user):
"""
Return a queryset of form pages that this user is allowed to access the submissions for
"""
editable_forms = UserPagePermissionsProxy(user).editable_pages()
editable_forms = editable_forms.filter(content_type__in=get_form_types())
# Apply hooks
for fn in hooks.get_hooks('filter_form_submissions_for_user'):
editable_forms = fn(user, editable_forms)
return editable_forms
def test_explorable_pages_with_permission_gap_in_hierarchy(self):
corporate_editor = get_user_model().objects.get(username='******')
user_perms = UserPagePermissionsProxy(corporate_editor)
about_us_page = Page.objects.get(url_path='/home/about-us/')
businessy_events = Page.objects.get(url_path='/home/events/businessy-events/')
events_page = Page.objects.get(url_path='/home/events/')
explorable_pages = user_perms.explorable_pages()
self.assertTrue(explorable_pages.filter(id=about_us_page.id).exists())
self.assertTrue(explorable_pages.filter(id=businessy_events.id).exists())
self.assertTrue(explorable_pages.filter(id=events_page.id).exists())
def test_explorable_pages(self):
event_editor = get_user_model().objects.get(username='******')
christmas_page = EventPage.objects.get(url_path='/home/events/christmas/')
unpublished_event_page = EventPage.objects.get(url_path='/home/events/tentative-unpublished-event/')
someone_elses_event_page = EventPage.objects.get(url_path='/home/events/someone-elses-event/')
about_us_page = Page.objects.get(url_path='/home/about-us/')
user_perms = UserPagePermissionsProxy(event_editor)
explorable_pages = user_perms.explorable_pages()
# Verify all pages below /home/events/ are explorable
self.assertTrue(explorable_pages.filter(id=christmas_page.id).exists())
self.assertTrue(explorable_pages.filter(id=unpublished_event_page.id).exists())
self.assertTrue(explorable_pages.filter(id=someone_elses_event_page.id).exists())
# Verify page outside /events/ tree are not explorable
self.assertFalse(explorable_pages.filter(id=about_us_page.id).exists())
def unpublish(request, page_id):
page = get_object_or_404(Page, id=page_id).specific
user_perms = UserPagePermissionsProxy(request.user)
if not user_perms.for_page(page).can_unpublish():
raise PermissionDenied
next_url = get_valid_next_url_from_request(request)
if request.method == 'POST':
include_descendants = request.POST.get("include_descendants", False)
for fn in hooks.get_hooks('before_unpublish_page'):
result = fn(request, page)
if hasattr(result, 'status_code'):
return result
action = UnpublishPageAction(page,
user=request.user,
include_descendants=include_descendants)
action.execute(skip_permission_checks=True)
for fn in hooks.get_hooks('after_unpublish_page'):
result = fn(request, page)
if hasattr(result, 'status_code'):
return result
messages.success(request,
_("Page '{0}' unpublished.").format(
page.get_admin_display_title()),
buttons=[
messages.button(
reverse('wagtailadmin_pages:edit',
args=(page.id, )), _('Edit'))
])
if next_url:
return redirect(next_url)
return redirect('wagtailadmin_explore', page.get_parent().id)
return TemplateResponse(
request, 'wagtailadmin/pages/confirm_unpublish.html', {
'page': page,
'next': next_url,
'live_descendant_count': page.get_descendants().live().count(),
})
def _get_user_page_permissions(context):
# Create a UserPagePermissionsProxy object to represent the user's global permissions, and
# cache it in the context for the duration of the page request, if one does not exist already
if 'user_page_permissions' not in context:
context['user_page_permissions'] = UserPagePermissionsProxy(
context['request'].user)
return context['user_page_permissions']
def new_page_from_modal(request):
user_perms = UserPagePermissionsProxy(request.user)
if not user_perms.can_edit_pages():
raise PermissionDenied
if request.method == 'POST':
# Get the page data
body = json.loads(request.body)
print(body['type'])
data = {}
if body['type'] != 'department' and body['type'] != 'topic':
if body['department'] != None:
data['department'] = DepartmentPage.objects.get(id=body['department'])
data['title'] = body['title']
data['owner'] = request.user
# Create the page
if body['type'] == 'service':
page = ServicePage(**data)
if body['type'] == 'process':
page = ProcessPage(**data)
if body['type'] == 'information':
page = InformationPage(**data)
if body['type'] == 'topic':
page = TopicPage(**data)
if body['type'] == 'topiccollection':
if body['theme'] != None:
data['theme'] = Theme.objects.get(id=body['theme'])
page = TopicCollectionPage(**data)
if body['type'] == 'department':
data['what_we_do'] = 'What we do'
data['mission'] = 'Mission'
page = DepartmentPage(**data)
# Add it as a child of home
home = Page.objects.get(id=3)
home.add_child(instance=page)
# Save our draft
page.save_revision()
page.unpublish() # Not sure why it seems to go live by default
# Respond with the id of the new page
response = HttpResponse(json.dumps({'id': page.id}), content_type="application/json")
return response
def test_lock_page_for_moderator_whole_locked_page_without_unlock_permission(self):
user = get_user_model().objects.get(username='******')
christmas_page = EventPage.objects.get(url_path='/home/events/christmas/')
# Lock the page
christmas_page.locked = True
christmas_page.locked_by = user
christmas_page.locked_at = timezone.now()
christmas_page.save()
GroupPagePermission.objects.filter(group__name='Event moderators', permission_type='unlock').delete()
perms = UserPagePermissionsProxy(user).for_page(christmas_page)
# Unlike in the previous test, the user can unlock this page as it was them who locked
self.assertTrue(perms.can_lock())
self.assertTrue(perms.can_unlock())
def user_keys_accept( request, user_id ):
r_user = RUBIONUser.objects.get( id = user_id )
user_perms = UserPagePermissionsProxy(request.user)
if not user_perms.for_page(r_user).can_edit():
raise PermissionDenied
num = request.POST.get('keyId', None)
if num:
r_user.key_number = num
r_user.save_revision_and_publish( user = request.user )
messages.success(request, _('{} now was assigned the key with number {}.').format( r_user.full_name(), r_user.key_number ))
return JsonResponse({'redirect' : reverse('wagtailadmin_home')})
else:
return JsonResponse({'wrong' : 'Did not receive a keyId'})
def get_queryset(self):
pages = (
UserPagePermissionsProxy(self.request.user)
.editable_pages()
.filter(locked=True)
)
self.queryset = pages
return super().get_queryset()
def usage(request, pk):
workflow = get_object_or_404(Workflow, id=pk)
perms = UserPagePermissionsProxy(request.user)
pages = workflow.all_pages() & perms.editable_pages()
paginator = Paginator(pages, per_page=10)
pages = paginator.get_page(request.GET.get("p"))
return render(
request,
"wagtailadmin/workflows/usage.html",
{
"workflow": workflow,
"used_by": pages,
},
)
def test_explorable_pages(self):
event_editor = get_user_model().objects.get(username='******')
christmas_page = EventPage.objects.get(url_path='/home/events/christmas/')
unpublished_event_page = EventPage.objects.get(url_path='/home/events/tentative-unpublished-event/')
someone_elses_event_page = EventPage.objects.get(url_path='/home/events/someone-elses-event/')
about_us_page = Page.objects.get(url_path='/home/about-us/')
user_perms = UserPagePermissionsProxy(event_editor)
explorable_pages = user_perms.explorable_pages()
# Verify all pages below /home/events/ are explorable
self.assertTrue(explorable_pages.filter(id=christmas_page.id).exists())
self.assertTrue(explorable_pages.filter(id=unpublished_event_page.id).exists())
self.assertTrue(explorable_pages.filter(id=someone_elses_event_page.id).exists())
# Verify page outside /events/ tree are not explorable
self.assertFalse(explorable_pages.filter(id=about_us_page.id).exists())
def codered_forms(user, editable_forms):
from coderedcms.models import CoderedFormMixin
"""
Add our own CoderedFormPage to editable_forms, since wagtail is unaware
of its existence. Essentially this is a fork of wagtail.contrib.forms.get_forms_for_user()
and wagtail.contrib.forms.get_form_types()
"""
form_models = [
model for model in get_page_models()
if issubclass(model, CoderedFormMixin)
]
form_types = list(
ContentType.objects.get_for_models(*form_models).values())
editable_forms = UserPagePermissionsProxy(user).editable_pages()
editable_forms = editable_forms.filter(content_type__in=form_types)
return editable_forms
def workflow_history(request, page_id):
page = get_object_or_404(Page, id=page_id)
user_perms = UserPagePermissionsProxy(request.user)
if not user_perms.for_page(page).can_edit():
raise PermissionDenied
workflow_states = WorkflowState.objects.filter(
page=page).order_by('-created_at')
paginator = Paginator(workflow_states, per_page=20)
workflow_states = paginator.get_page(request.GET.get('p'))
return TemplateResponse(request,
'wagtailadmin/pages/workflow_history/index.html', {
'page': page,
'workflow_states': workflow_states,
})
def filter_queryset(self, request, queryset, view):
if request.GET.get('for_explorer'):
if not hasattr(queryset, '_filtered_by_child_of'):
raise BadRequestError(
"filtering by for_explorer without child_of is not supported"
)
parent_page = queryset._filtered_by_child_of
##TODO: This is where the code is broken, see: https://github.com/wagtail/wagtail/blob/17e541715a80a43bc4eb1f1b07183bf22bb1869a/wagtail/contrib/modeladmin/options.py#L49
# for hook in hooks.get_hooks('construct_explorer_page_queryset'):
# queryset = hook(parent_page, queryset, request)
user_perms = UserPagePermissionsProxy(request.user)
# This is returning an empty list! WRONG!
#print(user_perms.explorable_pages())
queryset = queryset & user_perms.explorable_pages()
return queryset
def test_with_user_no_permission(self):
homepage = Page.objects.get(url_path='/home/')
# event editor does not have permissions on homepage
event_editor = get_user_model().objects.get(username='******')
permission_proxy = UserPagePermissionsProxy(event_editor)
result = can_choose_page(homepage,
permission_proxy,
self.desired_classes,
user_perm='copy_to')
self.assertFalse(result)
def revisions_unschedule(request, page_id, revision_id):
page = get_object_or_404(Page, id=page_id).specific
user_perms = UserPagePermissionsProxy(request.user)
if not user_perms.for_page(page).can_unschedule():
raise PermissionDenied
revision = get_object_or_404(page.revisions, id=revision_id)
next_url = get_valid_next_url_from_request(request)
subtitle = _('revision {0} of "{1}"').format(
revision.id, page.get_admin_display_title())
if request.method == "POST":
revision.approved_go_live_at = None
revision.save(user=request.user, update_fields=["approved_go_live_at"])
messages.success(
request,
_('Version {0} of "{1}" unscheduled.').format(
revision.id, page.get_admin_display_title()),
buttons=[
messages.button(
reverse("wagtailadmin_pages:edit", args=(page.id, )),
_("Edit"))
],
)
if next_url:
return redirect(next_url)
return redirect("wagtailadmin_pages:history", page.id)
return TemplateResponse(
request,
"wagtailadmin/pages/revisions/confirm_unschedule.html",
{
"page": page,
"revision": revision,
"next": next_url,
"subtitle": subtitle
},
)
def get_pages_with_reviews_for_user(cls, user):
"""
Return a queryset of pages which have reviews, for which the user has edit permission
"""
user_perms = UserPagePermissionsProxy(user)
reviewed_pages = (cls.objects.order_by('-created_at').values_list(
'page_revision__page_id', 'created_at'))
# Annotate datetime when a review was last created for this page
last_review_requested_at = Case(
*[
When(pk=pk, then=Value(created_at))
for pk, created_at in reviewed_pages
],
output_field=models.DateTimeField(),
)
return (user_perms.editable_pages().filter(
pk__in=(page[0] for page in reviewed_pages)).annotate(
last_review_requested_at=last_review_requested_at).order_by(
'-last_review_requested_at'))
def get_queryset(self):
pages = ((UserPagePermissionsProxy(self.request.user).editable_pages()
| Page.objects.filter(locked_by=self.request.user)).filter(
locked=True).specific(defer=True))
if getattr(settings, "WAGTAIL_I18N_ENABLED", False):
pages = pages.select_related("locale")
self.queryset = pages
return super().get_queryset()
def safety_instruction_helper(request, user_id, instruction_id):
from .models import RUBIONUser
r_user = get_object_or_404(RUBIONUser, pk=user_id)
user_perms = UserPagePermissionsProxy(request.user)
if not user_perms.for_page(r_user).can_edit() or not request.is_ajax():
raise PermissionDenied
si = get_object_or_404(SafetyInstructionsSnippet, pk=instruction_id)
instructions = r_user.needs_safety_instructions.all()
response = {
'del_link':
reverse('rubionadmin:user_safety_instruction_del',
args=[user_id, instruction_id]),
'add_link':
reverse('rubionadmin:user_safety_instruction_add',
args=[user_id, instruction_id])
}
return [r_user, si, instructions, response]
def render(self):
return render_to_string('wagtailadmin/home/locked_pages.html', {
'locked_pages':
Page.objects.filter(
locked=True,
locked_by=self.request.user,
),
'can_remove_locks':
UserPagePermissionsProxy(self.request.user).can_remove_locks()
},
request=self.request)
def test_with_user_no_permission(self):
homepage = Page.objects.get(url_path="/home/")
# event editor does not have permissions on homepage
event_editor = get_user_model().objects.get(
email="*****@*****.**")
permission_proxy = UserPagePermissionsProxy(event_editor)
result = can_choose_page(homepage,
permission_proxy,
self.desired_classes,
user_perm="copy_to")
self.assertFalse(result)
def get_context_data(self, parent_context):
request = parent_context['request']
context = super().get_context_data(parent_context)
context.update({
'locked_pages': Page.objects.filter(
locked=True,
locked_by=request.user,
),
'can_remove_locks': UserPagePermissionsProxy(request.user).can_remove_locks(),
'request': request,
})
return context
def get_queryset(self):
latest_publishing_log = PageLogEntry.objects.filter(
page=OuterRef("pk"), action__exact="wagtail.publish")
self.queryset = (UserPagePermissionsProxy(
self.request.user).publishable_pages().exclude(
last_published_at__isnull=True).prefetch_workflow_states(
).select_related("content_type").annotate_approved_schedule().
order_by("last_published_at").annotate(
last_published_by=Subquery(
latest_publishing_log.values("user")[:1])))
return super().get_queryset()
def execute(self, skip_permission_checks=False):
self.check(skip_permission_checks=skip_permission_checks)
self._unpublish_page(
self.page,
set_expired=self.set_expired,
commit=self.commit,
user=self.user,
log_action=self.log_action,
)
if self.include_descendants:
from wagtail.core.models import UserPagePermissionsProxy
user_perms = UserPagePermissionsProxy(self.user)
for live_descendant_page in (
self.page.get_descendants().live().defer_streamfields().specific()
):
action = UnpublishPageAction(live_descendant_page)
if user_perms.for_page(live_descendant_page).can_unpublish():
action.execute(skip_permission_checks=True)
def test_editable_pages_for_user_with_edit_permission(self):
event_moderator = get_user_model().objects.get(
email='*****@*****.**')
homepage = Page.objects.get(url_path='/home/')
christmas_page = EventPage.objects.get(
url_path='/home/events/christmas/')
unpublished_event_page = EventPage.objects.get(
url_path='/home/events/tentative-unpublished-event/')
someone_elses_event_page = EventPage.objects.get(
url_path='/home/events/someone-elses-event/')
user_perms = UserPagePermissionsProxy(event_moderator)
editable_pages = user_perms.editable_pages()
can_edit_pages = user_perms.can_edit_pages()
publishable_pages = user_perms.publishable_pages()
can_publish_pages = user_perms.can_publish_pages()
self.assertFalse(editable_pages.filter(id=homepage.id).exists())
self.assertTrue(editable_pages.filter(id=christmas_page.id).exists())
self.assertTrue(
editable_pages.filter(id=unpublished_event_page.id).exists())
self.assertTrue(
editable_pages.filter(id=someone_elses_event_page.id).exists())
self.assertTrue(can_edit_pages)
self.assertFalse(publishable_pages.filter(id=homepage.id).exists())
self.assertTrue(
publishable_pages.filter(id=christmas_page.id).exists())
self.assertTrue(
publishable_pages.filter(id=unpublished_event_page.id).exists())
self.assertTrue(
publishable_pages.filter(id=someone_elses_event_page.id).exists())
self.assertTrue(can_publish_pages)
def test_editable_pages_for_non_editing_user(self):
user = get_user_model().objects.get(username='******')
homepage = Page.objects.get(url_path='/home/')
christmas_page = EventPage.objects.get(
url_path='/home/events/christmas/')
unpublished_event_page = EventPage.objects.get(
url_path='/home/events/tentative-unpublished-event/')
someone_elses_event_page = EventPage.objects.get(
url_path='/home/events/someone-elses-event/')
user_perms = UserPagePermissionsProxy(user)
editable_pages = user_perms.editable_pages()
can_edit_pages = user_perms.can_edit_pages()
publishable_pages = user_perms.publishable_pages()
can_publish_pages = user_perms.can_publish_pages()
self.assertFalse(editable_pages.filter(id=homepage.id).exists())
self.assertFalse(editable_pages.filter(id=christmas_page.id).exists())
self.assertFalse(
editable_pages.filter(id=unpublished_event_page.id).exists())
self.assertFalse(
editable_pages.filter(id=someone_elses_event_page.id).exists())
self.assertFalse(can_edit_pages)
self.assertFalse(publishable_pages.filter(id=homepage.id).exists())
self.assertFalse(
publishable_pages.filter(id=christmas_page.id).exists())
self.assertFalse(
publishable_pages.filter(id=unpublished_event_page.id).exists())
self.assertFalse(
publishable_pages.filter(id=someone_elses_event_page.id).exists())
self.assertFalse(can_publish_pages)
def test_editable_pages_for_superuser(self):
user = get_user_model().objects.get(email="*****@*****.**")
homepage = Page.objects.get(url_path="/home/")
christmas_page = EventPage.objects.get(
url_path="/home/events/christmas/")
unpublished_event_page = EventPage.objects.get(
url_path="/home/events/tentative-unpublished-event/")
someone_elses_event_page = EventPage.objects.get(
url_path="/home/events/someone-elses-event/")
user_perms = UserPagePermissionsProxy(user)
editable_pages = user_perms.editable_pages()
can_edit_pages = user_perms.can_edit_pages()
publishable_pages = user_perms.publishable_pages()
can_publish_pages = user_perms.can_publish_pages()
self.assertTrue(editable_pages.filter(id=homepage.id).exists())
self.assertTrue(editable_pages.filter(id=christmas_page.id).exists())
self.assertTrue(
editable_pages.filter(id=unpublished_event_page.id).exists())
self.assertTrue(
editable_pages.filter(id=someone_elses_event_page.id).exists())
self.assertTrue(can_edit_pages)
self.assertTrue(publishable_pages.filter(id=homepage.id).exists())
self.assertTrue(
publishable_pages.filter(id=christmas_page.id).exists())
self.assertTrue(
publishable_pages.filter(id=unpublished_event_page.id).exists())
self.assertTrue(
publishable_pages.filter(id=someone_elses_event_page.id).exists())
self.assertTrue(can_publish_pages)
def test_lock_page_for_superuser(self):
user = get_user_model().objects.get(username='******')
christmas_page = EventPage.objects.get(url_path='/home/events/christmas/')
locked_page = Page.objects.get(url_path='/home/my-locked-page/')
perms = UserPagePermissionsProxy(user).for_page(christmas_page)
locked_perms = UserPagePermissionsProxy(user).for_page(locked_page)
self.assertTrue(perms.can_lock())
self.assertFalse(locked_perms.can_unpublish()) # locked pages can't be unpublished
self.assertTrue(perms.can_unlock())
def unpublish(request, page_id):
page = get_object_or_404(Page, id=page_id).specific
user_perms = UserPagePermissionsProxy(request.user)
if not user_perms.for_page(page).can_unpublish():
raise PermissionDenied
next_url = get_valid_next_url_from_request(request)
if request.method == 'POST':
include_descendants = request.POST.get("include_descendants", False)
page.unpublish()
if include_descendants:
live_descendant_pages = page.get_descendants().live().specific()
for live_descendant_page in live_descendant_pages:
if user_perms.for_page(live_descendant_page).can_unpublish():
live_descendant_page.unpublish()
messages.success(request,
_("Page '{0}' unpublished.").format(
page.get_admin_display_title()),
buttons=[
messages.button(
reverse('wagtailadmin_pages:edit',
args=(page.id, )), _('Edit'))
])
if next_url:
return redirect(next_url)
return redirect('wagtailadmin_explore', page.get_parent().id)
return render(
request, 'wagtailadmin/pages/confirm_unpublish.html', {
'page': page,
'next': next_url,
'live_descendant_count': page.get_descendants().live().count(),
})
def page_permissions(context, page):
"""
Usage: {% page_permissions page as page_perms %}
Sets the variable 'page_perms' to a PagePermissionTester object that can be queried to find out
what actions the current logged-in user can perform on the given page.
"""
# Create a UserPagePermissionsProxy object to represent the user's global permissions, and
# cache it in the context for the duration of the page request, if one does not exist already
if 'user_page_permissions' not in context:
context['user_page_permissions'] = UserPagePermissionsProxy(context['request'].user)
# Now retrieve a PagePermissionTester from it, specific to the given page
return context['user_page_permissions'].for_page(page)
def revisions_unschedule(request, page_id, revision_id):
page = get_object_or_404(Page, id=page_id).specific
user_perms = UserPagePermissionsProxy(request.user)
if not user_perms.for_page(page).can_unschedule():
raise PermissionDenied
revision = get_object_or_404(page.revisions, id=revision_id)
next_url = get_valid_next_url_from_request(request)
subtitle = _('revision {0} of "{1}"').format(
revision.id, page.get_admin_display_title())
if request.method == 'POST':
revision.approved_go_live_at = None
revision.save(user=request.user, update_fields=['approved_go_live_at'])
messages.success(request,
_('Version {0} of "{1}" unscheduled.').format(
revision.id, page.get_admin_display_title()),
buttons=[
messages.button(
reverse('wagtailadmin_pages:edit',
args=(page.id, )), _('Edit'))
])
if next_url:
return redirect(next_url)
return redirect('wagtailadmin_pages:history', page.id)
return TemplateResponse(
request, 'wagtailadmin/pages/revisions/confirm_unschedule.html', {
'page': page,
'revision': revision,
'next': next_url,
'subtitle': subtitle
})
def check(self, skip_permission_checks=False):
from wagtail.core.models import UserPagePermissionsProxy
# Essential data model checks
if self.page._state.adding:
raise CopyPageIntegrityError("Page.copy() called on an unsaved page")
if (
self.to
and self.recursive
and (self.to.id == self.page.id or self.to.is_descendant_of(self.page))
):
raise CopyPageIntegrityError(
"You cannot copy a tree branch recursively into itself"
)
# Permission checks
if self.user and not skip_permission_checks:
to = self.to
if to is None:
to = self.page.get_parent()
if not self.page.permissions_for_user(self.user).can_copy_to(
to, self.recursive
):
raise CopyPagePermissionError(
"You do not have permission to copy this page"
)
if self.keep_live:
destination_perms = UserPagePermissionsProxy(self.user).for_page(
self.to
)
if not destination_perms.can_publish_subpage():
raise CopyPagePermissionError(
"You do not have permission to publish a page at the destination"
)
def get_queryset(self):
q = Q(page__in=UserPagePermissionsProxy(
self.request.user).explorable_pages().values_list('pk', flat=True))
root_page_permissions = Page.get_first_root_node(
).permissions_for_user(self.request.user)
if (self.request.user.is_superuser
or root_page_permissions.can_add_subpage()
or root_page_permissions.can_edit()):
# Include deleted entries
q = q | Q(page_id__in=Subquery(
PageLogEntry.objects.filter(deleted=True).values('page_id')))
return PageLogEntry.objects.filter(q)
def index(request, parent_page_id=None):
if parent_page_id:
parent_page = get_object_or_404(Page, id=parent_page_id)
else:
parent_page = Page.get_first_root_node()
# This will always succeed because of the @user_passes_test above.
root_page = get_explorable_root_page(request.user)
# If this page isn't a descendant of the user's explorable root page,
# then redirect to that explorable root page instead.
if not (
parent_page.pk == root_page.pk
or parent_page.is_descendant_of(root_page)
):
return redirect('wagtailadmin_explore', root_page.pk)
parent_page = parent_page.specific
user_perms = UserPagePermissionsProxy(request.user)
pages = (
parent_page.get_children().prefetch_related(
"content_type", "sites_rooted_here"
)
& user_perms.explorable_pages()
)
# Get page ordering
ordering = request.GET.get('ordering', '-latest_revision_created_at')
if ordering not in [
'title',
'-title',
'content_type',
'-content_type',
'live', '-live',
'latest_revision_created_at',
'-latest_revision_created_at',
'ord'
]:
ordering = '-latest_revision_created_at'
if ordering == 'ord':
# preserve the native ordering from get_children()
pass
elif ordering == 'latest_revision_created_at':
# order by oldest revision first.
# Special case NULL entries - these should go at the top of the list.
# Do this by annotating with Count('latest_revision_created_at'),
# which returns 0 for these
pages = pages.annotate(
null_position=Count('latest_revision_created_at')
).order_by('null_position', 'latest_revision_created_at')
elif ordering == '-latest_revision_created_at':
# order by oldest revision first.
# Special case NULL entries - these should go at the end of the list.
pages = pages.annotate(
null_position=Count('latest_revision_created_at')
).order_by('-null_position', '-latest_revision_created_at')
else:
pages = pages.order_by(ordering)
# Don't paginate if sorting by page order - all pages must be shown to
# allow drag-and-drop reordering
do_paginate = ordering != 'ord'
if do_paginate or pages.count() < 100:
# Retrieve pages in their most specific form, so that custom
# get_admin_display_title and get_url_parts methods on subclasses are respected.
# However, skip this on unpaginated listings with >100 child pages as this could
# be a significant performance hit. (This should only happen on the reorder view,
# and hopefully no-one is having to do manual reordering on listings that large...)
pages = pages.specific(defer=True)
# allow hooks to modify the queryset
for hook in hooks.get_hooks('construct_explorer_page_queryset'):
pages = hook(parent_page, pages, request)
# Pagination
if do_paginate:
paginator = Paginator(pages, per_page=50)
pages = paginator.get_page(request.GET.get('p'))
return render(request, 'wagtailadmin/pages/index.html', {
'parent_page': parent_page.specific,
'ordering': ordering,
'pagination_query_params': "ordering=%s" % ordering,
'pages': pages,
'do_paginate': do_paginate,
})
def __init__(self, request):
self.request = request
user_perms = UserPagePermissionsProxy(request.user)
self.page_revisions_for_moderation = (user_perms.revisions_for_moderation()
.select_related('page', 'user').order_by('-created_at'))
def get_surveys_for_user(user):
"""
Return a queryset of form pages that this user is allowed to access the submissions for
"""
editable_pages = UserPagePermissionsProxy(user).editable_pages()
return editable_pages.filter(content_type__in=get_survey_types())
