def register(self, model, **kwargs): """ Register a model as a setting, adding it to the wagtail admin menu """ # Don't bother registering this if it is already registered if model in self: return model self.append(model) # Register a new menu item in the settings menu @hooks.register('register_settings_menu_item') def menu_hook(): return SettingMenuItem(model, **kwargs) @hooks.register('register_permissions') def permissions_hook(): return Permission.objects.filter( content_type__app_label=model._meta.app_label, codename='change_{}'.format(model._meta.model_name)) # Register an admin URL finder permission_policy = ModelPermissionPolicy(model) finder_class = type('_SettingsAdminURLFinder', (SettingsAdminURLFinder, ), { 'model': model, 'permission_policy': permission_policy }) register_admin_url_finder(model, finder_class) return model
def get_permission_policy(self): # if no permission policy is specified, use ModelPermissionPolicy # (which enforces standard Django model permissions) if not self.permission_policy: self.permission_policy = ModelPermissionPolicy(self.model) return self.permission_policy
from wagtail.core.models import Collection, Locale, Site, Task, Workflow from wagtail.core.permission_policies import ModelPermissionPolicy from wagtail.core.permission_policies.collections import ( CollectionMangementPermissionPolicy, ) site_permission_policy = ModelPermissionPolicy(Site) collection_permission_policy = CollectionMangementPermissionPolicy(Collection) task_permission_policy = ModelPermissionPolicy(Task) workflow_permission_policy = ModelPermissionPolicy(Workflow) locale_permission_policy = ModelPermissionPolicy(Locale)
def permission_policy(self): return ModelPermissionPolicy(self.model)
from wagtail.core.models import Collection from core.models import Site from wagtail.core.permission_policies import ModelPermissionPolicy site_permission_policy = ModelPermissionPolicy(Site) collection_permission_policy = ModelPermissionPolicy(Collection)
class SearchPromotionAdminURLFinder(ModelAdminURLFinder): permission_policy = ModelPermissionPolicy(SearchPromotion) def construct_edit_url(self, instance): return reverse('wagtailsearchpromotions:edit', args=(instance.query.id, ))
from wagtail.core.permission_policies import ModelPermissionPolicy from wagtail.contrib.redirects.models import Redirect permission_policy = ModelPermissionPolicy(Redirect)
from daash.tenant.models import Tenant from wagtail.core.permission_policies import ModelPermissionPolicy tenant_permission_policy = ModelPermissionPolicy(Tenant)
from wagtail.core.models import Collection, Site, Task, Workflow from wagtail.core.permission_policies import ModelPermissionPolicy site_permission_policy = ModelPermissionPolicy(Site) collection_permission_policy = ModelPermissionPolicy(Collection) task_permission_policy = ModelPermissionPolicy(Task) workflow_permission_policy = ModelPermissionPolicy(Workflow)
class UserAdminURLFinder(ModelAdminURLFinder): edit_url_name = "wagtailusers_users:edit" permission_policy = ModelPermissionPolicy(User)
def setUp(self): super().setUp() self.policy = ModelPermissionPolicy(Image)
class TestModelPermissionPolicy(PermissionPolicyTestCase): def setUp(self): super().setUp() self.policy = ModelPermissionPolicy(Image) def test_user_has_permission(self): self.assertUserPermissionMatrix([ # Superuser has permission to do everything (self.superuser, True, True, True, True), # Inactive superuser can do nothing (self.inactive_superuser, False, False, False, False), # User with 'add' permission via group can only add (self.image_adder, True, False, False, False), # User with 'add' permission via user can only add (self.oneoff_image_adder, True, False, False, False), # Inactive user with 'add' permission can do nothing (self.inactive_image_adder, False, False, False, False), # User with 'change' permission via group can only change (self.image_changer, False, True, False, False), # User with 'change' permission via user can only change (self.oneoff_image_changer, False, True, False, False), # Inactive user with 'add' permission can do nothing (self.inactive_image_changer, False, False, False, False), # User with 'delete' permission can only delete (self.oneoff_image_deleter, False, False, True, False), # User with no permissions can do nothing (self.useless_user, False, False, False, False), # Anonymous user can do nothing (self.anonymous_user, False, False, False, False), ]) def test_user_has_any_permission(self): # Superuser can do everything self.assertTrue( self.policy.user_has_any_permission(self.superuser, ['add', 'change'])) # Inactive superuser can do nothing self.assertFalse( self.policy.user_has_any_permission(self.inactive_superuser, ['add', 'change'])) # Only one of the permissions in the list needs to pass # in order for user_has_any_permission to return true self.assertTrue( self.policy.user_has_any_permission(self.image_adder, ['add', 'change'])) self.assertTrue( self.policy.user_has_any_permission(self.oneoff_image_adder, ['add', 'change'])) self.assertTrue( self.policy.user_has_any_permission(self.image_changer, ['add', 'change'])) # User with some permission, but not the ones in the list, # should return false self.assertFalse( self.policy.user_has_any_permission(self.image_changer, ['add', 'delete'])) # Inactive user with the appropriate permissions can do nothing self.assertFalse( self.policy.user_has_any_permission(self.inactive_image_adder, ['add', 'delete'])) # User with no permissions can do nothing self.assertFalse( self.policy.user_has_any_permission(self.useless_user, ['add', 'change'])) # Anonymous user can do nothing self.assertFalse( self.policy.user_has_any_permission(self.anonymous_user, ['add', 'change'])) def test_users_with_permission(self): users_with_add_permission = self.policy.users_with_permission('add') self.assertResultSetEqual(users_with_add_permission, [ self.superuser, self.image_adder, self.oneoff_image_adder, ]) users_with_change_permission = self.policy.users_with_permission( 'change') self.assertResultSetEqual(users_with_change_permission, [ self.superuser, self.image_changer, self.oneoff_image_changer, ]) def test_users_with_any_permission(self): users_with_add_or_change_permission = self.policy.users_with_any_permission( ['add', 'change']) self.assertResultSetEqual(users_with_add_or_change_permission, [ self.superuser, self.image_adder, self.oneoff_image_adder, self.image_changer, self.oneoff_image_changer, ]) users_with_change_or_delete_permission = self.policy.users_with_any_permission( ['change', 'delete']) self.assertResultSetEqual(users_with_change_or_delete_permission, [ self.superuser, self.image_changer, self.oneoff_image_changer, self.oneoff_image_deleter, ]) def test_user_has_permission_for_instance(self): # Permissions for this policy are applied at the model level, # so rules for a specific instance will match rules for the # model as a whole self.assertUserInstancePermissionMatrix(self.adder_image, [ (self.superuser, True, True, True), (self.inactive_superuser, False, False, False), (self.image_adder, False, False, False), (self.oneoff_image_adder, False, False, False), (self.inactive_image_adder, False, False, False), (self.image_changer, True, False, False), (self.oneoff_image_changer, True, False, False), (self.inactive_image_changer, False, False, False), (self.oneoff_image_deleter, False, True, False), (self.useless_user, False, False, False), (self.anonymous_user, False, False, False), ]) def test_user_has_any_permission_for_instance(self): # Superuser can do everything self.assertTrue( self.policy.user_has_any_permission_for_instance( self.superuser, ['change', 'delete'], self.adder_image)) # Inactive superuser can do nothing self.assertFalse( self.policy.user_has_any_permission_for_instance( self.inactive_superuser, ['change', 'delete'], self.adder_image)) # Only one of the permissions in the list needs to pass # in order for user_has_any_permission to return true self.assertTrue( self.policy.user_has_any_permission_for_instance( self.image_changer, ['change', 'delete'], self.adder_image)) self.assertTrue( self.policy.user_has_any_permission_for_instance( self.oneoff_image_changer, ['change', 'delete'], self.adder_image)) # User with some permission, but not the ones in the list, # should return false self.assertFalse( self.policy.user_has_any_permission_for_instance( self.image_adder, ['change', 'delete'], self.adder_image)) # Inactive user with the appropriate permissions can do nothing self.assertFalse( self.policy.user_has_any_permission_for_instance( self.inactive_image_changer, ['change', 'delete'], self.adder_image)) # User with no permissions can do nothing self.assertFalse( self.policy.user_has_any_permission_for_instance( self.useless_user, ['change', 'delete'], self.adder_image)) # Anonymous user can do nothing self.assertFalse( self.policy.user_has_any_permission_for_instance( self.anonymous_user, ['change', 'delete'], self.adder_image)) def test_instances_user_has_permission_for(self): all_images = [ self.adder_image, self.useless_image, self.anonymous_image ] no_images = [] # the set of images editable by superuser includes all images self.assertResultSetEqual( self.policy.instances_user_has_permission_for( self.superuser, 'change'), all_images) # the set of images editable by inactive superuser includes no images self.assertResultSetEqual( self.policy.instances_user_has_permission_for( self.inactive_superuser, 'change'), no_images) # given the relevant model permission at the group level, a user can edit all images self.assertResultSetEqual( self.policy.instances_user_has_permission_for( self.image_changer, 'change'), all_images) # given the relevant model permission at the user level, a user can edit all images self.assertResultSetEqual( self.policy.instances_user_has_permission_for( self.oneoff_image_changer, 'change'), all_images) # a user with no permission can edit no images self.assertResultSetEqual( self.policy.instances_user_has_permission_for( self.useless_user, 'change'), no_images) # an inactive user with the relevant permission can edit no images self.assertResultSetEqual( self.policy.instances_user_has_permission_for( self.inactive_image_changer, 'change'), no_images) # a user with permission, but not the matching one, can edit no images self.assertResultSetEqual( self.policy.instances_user_has_permission_for( self.image_changer, 'delete'), no_images) # the set of images editable by anonymous user includes no images self.assertResultSetEqual( self.policy.instances_user_has_permission_for( self.anonymous_user, 'change'), no_images) def test_instances_user_has_any_permission_for(self): all_images = [ self.adder_image, self.useless_image, self.anonymous_image ] no_images = [] # the set of images editable by superuser includes all images self.assertResultSetEqual( self.policy.instances_user_has_any_permission_for( self.superuser, ['change', 'delete']), all_images) # the set of images editable by inactive superuser includes no images self.assertResultSetEqual( self.policy.instances_user_has_any_permission_for( self.inactive_superuser, ['change', 'delete']), no_images) # given the relevant model permission at the group level, a user can edit all images self.assertResultSetEqual( self.policy.instances_user_has_any_permission_for( self.image_changer, ['change', 'delete']), all_images) # given the relevant model permission at the user level, a user can edit all images self.assertResultSetEqual( self.policy.instances_user_has_any_permission_for( self.oneoff_image_changer, ['change', 'delete']), all_images) # a user with no permission can edit no images self.assertResultSetEqual( self.policy.instances_user_has_any_permission_for( self.useless_user, ['change', 'delete']), no_images) # an inactive user with the relevant permission can edit no images self.assertResultSetEqual( self.policy.instances_user_has_any_permission_for( self.inactive_image_changer, ['change', 'delete']), no_images) # a user with permission, but not the matching one, can edit no images self.assertResultSetEqual( self.policy.instances_user_has_any_permission_for( self.image_adder, ['change', 'delete']), no_images) # the set of images editable by anonymous user includes no images self.assertResultSetEqual( self.policy.instances_user_has_any_permission_for( self.anonymous_user, ['change', 'delete']), no_images) def test_users_with_permission_for_instance(self): users_with_change_permission = self.policy.users_with_permission_for_instance( 'change', self.useless_image) self.assertResultSetEqual(users_with_change_permission, [ self.superuser, self.image_changer, self.oneoff_image_changer, ]) users_with_delete_permission = self.policy.users_with_permission_for_instance( 'delete', self.useless_image) self.assertResultSetEqual(users_with_delete_permission, [ self.superuser, self.oneoff_image_deleter, ]) def test_users_with_any_permission_for_instance(self): users_with_change_or_del_permission = self.policy.users_with_any_permission_for_instance( ['change', 'delete'], self.useless_image) self.assertResultSetEqual(users_with_change_or_del_permission, [ self.superuser, self.image_changer, self.oneoff_image_changer, self.oneoff_image_deleter, ])