def register(self, model, **kwargs):
"""
Register a model as a setting, adding it to the wagtail admin menu
"""
# Don't bother registering this if it is already registered
if model in self:
return model
self.append(model)
# Register a new menu item in the settings menu
@hooks.register('register_settings_menu_item')
def menu_hook():
return SettingMenuItem(model, **kwargs)
@hooks.register('register_permissions')
def permissions_hook():
return Permission.objects.filter(
content_type__app_label=model._meta.app_label,
codename='change_{}'.format(model._meta.model_name))
# Register an admin URL finder
permission_policy = ModelPermissionPolicy(model)
finder_class = type('_SettingsAdminURLFinder', (SettingsAdminURLFinder, ), {
'model': model,
'permission_policy': permission_policy
})
register_admin_url_finder(model, finder_class)
return model
def get_permission_policy(self):
# if no permission policy is specified, use ModelPermissionPolicy
# (which enforces standard Django model permissions)
if not self.permission_policy:
self.permission_policy = ModelPermissionPolicy(self.model)
return self.permission_policy
from wagtail.core.models import Collection, Locale, Site, Task, Workflow
from wagtail.core.permission_policies import ModelPermissionPolicy
from wagtail.core.permission_policies.collections import (
CollectionMangementPermissionPolicy, )
site_permission_policy = ModelPermissionPolicy(Site)
collection_permission_policy = CollectionMangementPermissionPolicy(Collection)
task_permission_policy = ModelPermissionPolicy(Task)
workflow_permission_policy = ModelPermissionPolicy(Workflow)
locale_permission_policy = ModelPermissionPolicy(Locale)
def permission_policy(self):
return ModelPermissionPolicy(self.model)
from wagtail.core.models import Collection from core.models import Site from wagtail.core.permission_policies import ModelPermissionPolicy site_permission_policy = ModelPermissionPolicy(Site) collection_permission_policy = ModelPermissionPolicy(Collection)
class SearchPromotionAdminURLFinder(ModelAdminURLFinder):
permission_policy = ModelPermissionPolicy(SearchPromotion)
def construct_edit_url(self, instance):
return reverse('wagtailsearchpromotions:edit', args=(instance.query.id, ))
from wagtail.core.permission_policies import ModelPermissionPolicy from wagtail.contrib.redirects.models import Redirect permission_policy = ModelPermissionPolicy(Redirect)
from daash.tenant.models import Tenant from wagtail.core.permission_policies import ModelPermissionPolicy tenant_permission_policy = ModelPermissionPolicy(Tenant)
from wagtail.core.models import Collection, Site, Task, Workflow from wagtail.core.permission_policies import ModelPermissionPolicy site_permission_policy = ModelPermissionPolicy(Site) collection_permission_policy = ModelPermissionPolicy(Collection) task_permission_policy = ModelPermissionPolicy(Task) workflow_permission_policy = ModelPermissionPolicy(Workflow)
class UserAdminURLFinder(ModelAdminURLFinder):
edit_url_name = "wagtailusers_users:edit"
permission_policy = ModelPermissionPolicy(User)
def setUp(self):
super().setUp()
self.policy = ModelPermissionPolicy(Image)
class TestModelPermissionPolicy(PermissionPolicyTestCase):
def setUp(self):
super().setUp()
self.policy = ModelPermissionPolicy(Image)
def test_user_has_permission(self):
self.assertUserPermissionMatrix([
# Superuser has permission to do everything
(self.superuser, True, True, True, True),
# Inactive superuser can do nothing
(self.inactive_superuser, False, False, False, False),
# User with 'add' permission via group can only add
(self.image_adder, True, False, False, False),
# User with 'add' permission via user can only add
(self.oneoff_image_adder, True, False, False, False),
# Inactive user with 'add' permission can do nothing
(self.inactive_image_adder, False, False, False, False),
# User with 'change' permission via group can only change
(self.image_changer, False, True, False, False),
# User with 'change' permission via user can only change
(self.oneoff_image_changer, False, True, False, False),
# Inactive user with 'add' permission can do nothing
(self.inactive_image_changer, False, False, False, False),
# User with 'delete' permission can only delete
(self.oneoff_image_deleter, False, False, True, False),
# User with no permissions can do nothing
(self.useless_user, False, False, False, False),
# Anonymous user can do nothing
(self.anonymous_user, False, False, False, False),
])
def test_user_has_any_permission(self):
# Superuser can do everything
self.assertTrue(
self.policy.user_has_any_permission(self.superuser,
['add', 'change']))
# Inactive superuser can do nothing
self.assertFalse(
self.policy.user_has_any_permission(self.inactive_superuser,
['add', 'change']))
# Only one of the permissions in the list needs to pass
# in order for user_has_any_permission to return true
self.assertTrue(
self.policy.user_has_any_permission(self.image_adder,
['add', 'change']))
self.assertTrue(
self.policy.user_has_any_permission(self.oneoff_image_adder,
['add', 'change']))
self.assertTrue(
self.policy.user_has_any_permission(self.image_changer,
['add', 'change']))
# User with some permission, but not the ones in the list,
# should return false
self.assertFalse(
self.policy.user_has_any_permission(self.image_changer,
['add', 'delete']))
# Inactive user with the appropriate permissions can do nothing
self.assertFalse(
self.policy.user_has_any_permission(self.inactive_image_adder,
['add', 'delete']))
# User with no permissions can do nothing
self.assertFalse(
self.policy.user_has_any_permission(self.useless_user,
['add', 'change']))
# Anonymous user can do nothing
self.assertFalse(
self.policy.user_has_any_permission(self.anonymous_user,
['add', 'change']))
def test_users_with_permission(self):
users_with_add_permission = self.policy.users_with_permission('add')
self.assertResultSetEqual(users_with_add_permission, [
self.superuser,
self.image_adder,
self.oneoff_image_adder,
])
users_with_change_permission = self.policy.users_with_permission(
'change')
self.assertResultSetEqual(users_with_change_permission, [
self.superuser,
self.image_changer,
self.oneoff_image_changer,
])
def test_users_with_any_permission(self):
users_with_add_or_change_permission = self.policy.users_with_any_permission(
['add', 'change'])
self.assertResultSetEqual(users_with_add_or_change_permission, [
self.superuser,
self.image_adder,
self.oneoff_image_adder,
self.image_changer,
self.oneoff_image_changer,
])
users_with_change_or_delete_permission = self.policy.users_with_any_permission(
['change', 'delete'])
self.assertResultSetEqual(users_with_change_or_delete_permission, [
self.superuser,
self.image_changer,
self.oneoff_image_changer,
self.oneoff_image_deleter,
])
def test_user_has_permission_for_instance(self):
# Permissions for this policy are applied at the model level,
# so rules for a specific instance will match rules for the
# model as a whole
self.assertUserInstancePermissionMatrix(self.adder_image, [
(self.superuser, True, True, True),
(self.inactive_superuser, False, False, False),
(self.image_adder, False, False, False),
(self.oneoff_image_adder, False, False, False),
(self.inactive_image_adder, False, False, False),
(self.image_changer, True, False, False),
(self.oneoff_image_changer, True, False, False),
(self.inactive_image_changer, False, False, False),
(self.oneoff_image_deleter, False, True, False),
(self.useless_user, False, False, False),
(self.anonymous_user, False, False, False),
])
def test_user_has_any_permission_for_instance(self):
# Superuser can do everything
self.assertTrue(
self.policy.user_has_any_permission_for_instance(
self.superuser, ['change', 'delete'], self.adder_image))
# Inactive superuser can do nothing
self.assertFalse(
self.policy.user_has_any_permission_for_instance(
self.inactive_superuser, ['change', 'delete'],
self.adder_image))
# Only one of the permissions in the list needs to pass
# in order for user_has_any_permission to return true
self.assertTrue(
self.policy.user_has_any_permission_for_instance(
self.image_changer, ['change', 'delete'], self.adder_image))
self.assertTrue(
self.policy.user_has_any_permission_for_instance(
self.oneoff_image_changer, ['change', 'delete'],
self.adder_image))
# User with some permission, but not the ones in the list,
# should return false
self.assertFalse(
self.policy.user_has_any_permission_for_instance(
self.image_adder, ['change', 'delete'], self.adder_image))
# Inactive user with the appropriate permissions can do nothing
self.assertFalse(
self.policy.user_has_any_permission_for_instance(
self.inactive_image_changer, ['change', 'delete'],
self.adder_image))
# User with no permissions can do nothing
self.assertFalse(
self.policy.user_has_any_permission_for_instance(
self.useless_user, ['change', 'delete'], self.adder_image))
# Anonymous user can do nothing
self.assertFalse(
self.policy.user_has_any_permission_for_instance(
self.anonymous_user, ['change', 'delete'], self.adder_image))
def test_instances_user_has_permission_for(self):
all_images = [
self.adder_image, self.useless_image, self.anonymous_image
]
no_images = []
# the set of images editable by superuser includes all images
self.assertResultSetEqual(
self.policy.instances_user_has_permission_for(
self.superuser, 'change'), all_images)
# the set of images editable by inactive superuser includes no images
self.assertResultSetEqual(
self.policy.instances_user_has_permission_for(
self.inactive_superuser, 'change'), no_images)
# given the relevant model permission at the group level, a user can edit all images
self.assertResultSetEqual(
self.policy.instances_user_has_permission_for(
self.image_changer, 'change'), all_images)
# given the relevant model permission at the user level, a user can edit all images
self.assertResultSetEqual(
self.policy.instances_user_has_permission_for(
self.oneoff_image_changer, 'change'), all_images)
# a user with no permission can edit no images
self.assertResultSetEqual(
self.policy.instances_user_has_permission_for(
self.useless_user, 'change'), no_images)
# an inactive user with the relevant permission can edit no images
self.assertResultSetEqual(
self.policy.instances_user_has_permission_for(
self.inactive_image_changer, 'change'), no_images)
# a user with permission, but not the matching one, can edit no images
self.assertResultSetEqual(
self.policy.instances_user_has_permission_for(
self.image_changer, 'delete'), no_images)
# the set of images editable by anonymous user includes no images
self.assertResultSetEqual(
self.policy.instances_user_has_permission_for(
self.anonymous_user, 'change'), no_images)
def test_instances_user_has_any_permission_for(self):
all_images = [
self.adder_image, self.useless_image, self.anonymous_image
]
no_images = []
# the set of images editable by superuser includes all images
self.assertResultSetEqual(
self.policy.instances_user_has_any_permission_for(
self.superuser, ['change', 'delete']), all_images)
# the set of images editable by inactive superuser includes no images
self.assertResultSetEqual(
self.policy.instances_user_has_any_permission_for(
self.inactive_superuser, ['change', 'delete']), no_images)
# given the relevant model permission at the group level, a user can edit all images
self.assertResultSetEqual(
self.policy.instances_user_has_any_permission_for(
self.image_changer, ['change', 'delete']), all_images)
# given the relevant model permission at the user level, a user can edit all images
self.assertResultSetEqual(
self.policy.instances_user_has_any_permission_for(
self.oneoff_image_changer, ['change', 'delete']), all_images)
# a user with no permission can edit no images
self.assertResultSetEqual(
self.policy.instances_user_has_any_permission_for(
self.useless_user, ['change', 'delete']), no_images)
# an inactive user with the relevant permission can edit no images
self.assertResultSetEqual(
self.policy.instances_user_has_any_permission_for(
self.inactive_image_changer, ['change', 'delete']), no_images)
# a user with permission, but not the matching one, can edit no images
self.assertResultSetEqual(
self.policy.instances_user_has_any_permission_for(
self.image_adder, ['change', 'delete']), no_images)
# the set of images editable by anonymous user includes no images
self.assertResultSetEqual(
self.policy.instances_user_has_any_permission_for(
self.anonymous_user, ['change', 'delete']), no_images)
def test_users_with_permission_for_instance(self):
users_with_change_permission = self.policy.users_with_permission_for_instance(
'change', self.useless_image)
self.assertResultSetEqual(users_with_change_permission, [
self.superuser,
self.image_changer,
self.oneoff_image_changer,
])
users_with_delete_permission = self.policy.users_with_permission_for_instance(
'delete', self.useless_image)
self.assertResultSetEqual(users_with_delete_permission, [
self.superuser,
self.oneoff_image_deleter,
])
def test_users_with_any_permission_for_instance(self):
users_with_change_or_del_permission = self.policy.users_with_any_permission_for_instance(
['change', 'delete'], self.useless_image)
self.assertResultSetEqual(users_with_change_or_del_permission, [
self.superuser,
self.image_changer,
self.oneoff_image_changer,
self.oneoff_image_deleter,
])
