def has_add_permission(self, request):
    """
    Tell the admin whether the requesting user may add a new page.

    With ``settings.CMS_PERMISSION`` enabled the answer comes from
    ``has_page_add_permission``; otherwise the parent class's own
    ``has_add_permission`` decides.
    """
    if not settings.CMS_PERMISSION:
        return super(PageAdmin, self).has_add_permission(request)
    return has_page_add_permission(request)
def test_has_page_add_permission_with_target(self):
    """
    The add-permission check must refuse the user returned by
    ``self._create_user('user')`` when the request names a target page.
    """
    target_page = create_page('Test', 'nav_playground.html', 'en')
    plain_user = self._create_user('user')
    # The target page is passed as a GET parameter, as the check reads it
    # from the request.
    request = RequestFactory().get('/', data={'target': target_page.pk})
    request.user = plain_user
    self.assertFalse(has_page_add_permission(request))
def render_admin_menu_item(request, page, template=None):
    """
    Render one page's entry of the admin tree.

    Called when a single tree item has to be reloaded over ajax. A page
    without a primary key yields ``NOT_FOUND_RESPONSE``.
    """
    template = template or "admin/cms/page/menu_item.html"
    if not page.pk:
        # Not found - tree will remove item
        return HttpResponse(NOT_FOUND_RESPONSE)

    # Per-site language list when one is configured, otherwise the first
    # element of every settings.CMS_LANGUAGES entry.
    per_site = settings.CMS_SITE_LANGUAGES
    if page.site_id in per_site:
        languages = per_site[page.site_id]
    else:
        languages = [entry[0] for entry in settings.CMS_LANGUAGES]

    # NOTE(review): the permission result only reaches the template context
    # here; the add view presumably enforces it again - confirm.
    menu_context = RequestContext(request, {
        'has_add_permission': permissions.has_page_add_permission(request),
        'site_languages': languages,
    })
    is_filtered = 'filtered' in request.REQUEST
    menu_context.update(get_admin_menu_item_context(request, page, is_filtered))
    # add mimetype to help out IE
    return render_to_response(template, menu_context, mimetype="text/html; charset=utf-8")
def render_admin_menu_item(request, page):
    """
    Render the tree item of ``page`` for the admin.

    Used when an item has to be reloaded over ajax.
    """
    if not page.pk:
        # Not found - tree will remove item
        return HttpResponse(NOT_FOUND_RESPONSE)

    # Languages: the site's own list if configured, else the first element
    # of each settings.CMS_LANGUAGES entry.
    if page.site_id in settings.CMS_SITE_LANGUAGES:
        languages = settings.CMS_SITE_LANGUAGES[page.site_id]
    else:
        languages = [lang[0] for lang in settings.CMS_LANGUAGES]

    # NOTE(review): 'has_add_permission' is only handed to the template here;
    # presumably the add view checks the permission itself - confirm.
    item_values = {
        'has_add_permission': has_page_add_permission(request),
        'site_languages': languages,
    }
    context = RequestContext(request, item_values)
    context.update(
        get_admin_menu_item_context(request, page, 'filtered' in request.REQUEST))
    return render_to_response('admin/cms/page/menu_item.html', context)
def render_admin_menu_item(request, page, template=None, language=None):
    """
    Render the admin tree fragment for a single page.

    Used when a tree item must be reloaded over ajax. ``template`` defaults
    to ``admin/cms/page/tree/menu_fragment.html``.
    """
    template = template or "admin/cms/page/tree/menu_fragment.html"
    if not page.pk:
        # Not found - tree will remove item
        return HttpResponse(NOT_FOUND_RESPONSE)

    from cms.utils import permissions

    # NOTE(review): the permission flag is template context only at this
    # point; the add view presumably enforces it as well - confirm.
    context = RequestContext(request, {
        'has_add_permission': permissions.has_page_add_permission(request),
        'site_languages': get_language_list(page.site_id),
    })
    is_filtered = 'filtered' in request.REQUEST
    context.update(get_admin_menu_item_context(request, page, is_filtered, language))

    # add mimetype to help out IE; the keyword is "mimetype" when
    # DJANGO_1_4 is true and "content_type" otherwise.
    type_kwarg = "mimetype" if DJANGO_1_4 else "content_type"
    return render_to_response(
        template, context, **{type_kwarg: "text/html; charset=utf-8"})
def render_admin_menu_item(request, page, template=None):
    """
    Render the admin tree fragment of ``page``.

    Used when a tree item must be reloaded over ajax. ``template`` defaults
    to ``admin/cms/page/menu_fragment.html``.
    """
    if not page.pk:
        # Not found - tree will remove item
        return HttpResponse(NOT_FOUND_RESPONSE)
    chosen_template = template if template else "admin/cms/page/menu_fragment.html"

    # NOTE(review): the flag below only drives the template; presumably the
    # add view repeats the permission check - confirm.
    values = {
        'has_add_permission': permissions.has_page_add_permission(request),
        'site_languages': get_language_list(page.site_id),
    }
    context = RequestContext(request, values)
    context.update(
        get_admin_menu_item_context(request, page, 'filtered' in request.REQUEST))
    # add mimetype to help out IE
    return render_to_response(
        chosen_template, context, mimetype="text/html; charset=utf-8")
def user_has_add_permission(self, user, page=None, **kwargs):
    """
    Ask ``permissions.has_page_add_permission`` whether ``user`` may add a
    page with ``position="right"`` relative to ``page``.

    The site is looked up from ``page.site_id`` when a page with a site id
    is given; otherwise the current site is used.
    """
    if page and page.site_id:
        site = Site.objects.get(pk=page.site_id)
    else:
        site = Site.objects.get_current()
    return permissions.has_page_add_permission(
        user, page, position="right", site=site)
def user_has_add_permission(self, user, page=None, **kwargs):
    """
    Return the result of the page add-permission check for ``user``.

    The check is made with ``position="right"`` against the site of
    ``page``, or against the current site when no page (or no site id) is
    available.
    """
    has_site = bool(page) and bool(page.site_id)
    site = Site.objects.get(pk=page.site_id) if has_site else Site.objects.get_current()
    return permissions.has_page_add_permission(user, page, position="right", site=site)
def user_has_add_permission(self, user, page=None, **kwargs):
    """
    Decide whether ``user`` may add a sub-page (``position="last-child"``)
    below ``page``.

    Returns ``False`` outright when there is no page or the page has
    ``application_urls`` set; otherwise defers to
    ``permissions.has_page_add_permission``.
    """
    if page and not page.application_urls:
        if page.site_id:
            site = Site.objects.get(pk=page.site_id)
        else:
            site = Site.objects.get_current()
        return permissions.has_page_add_permission(
            user, page, position="last-child", site=site)
    # We can't really add a sub-page to a non-existent page. Or to an
    # app-hooked page.
    return False
def render_admin_menu_item(request, page):
    """
    Render the tree item of ``page`` for the admin.

    Used when an item has to be reloaded over ajax.
    """
    if not page.pk:
        # Not found - tree will remove item
        return HttpResponse(NOT_FOUND_RESPONSE)

    # NOTE(review): the flag is only passed to the template here; the add
    # view presumably enforces the permission itself - confirm.
    may_add = has_page_add_permission(request)
    context = RequestContext(request, {"has_add_permission": may_add})
    is_filtered = "filtered" in request.REQUEST
    context.update(get_admin_menu_item_context(request, page, is_filtered))
    return render_to_response("admin/cms/page/menu_item.html", context)
def user_has_add_permission(self, user, page=None, **kwargs):
    """
    Check whether ``user`` may append a child page to ``page``.

    A missing page, or one with ``application_urls`` set, is refused
    without consulting the permission backend.
    """
    # We can't really add a sub-page to a non-existent page. Or to an
    # app-hooked page.
    refused = (not page) or bool(page.application_urls)
    if refused:
        return False
    site = Site.objects.get(pk=page.site_id) if page.site_id else Site.objects.get_current()
    return permissions.has_page_add_permission(user, page, position="last-child", site=site)
def render_admin_menu_item(request, page):
    """
    Render a single page item of the admin tree.

    This is what the tree calls when one item must be reloaded over ajax.
    """
    if page.pk:
        # NOTE(review): 'has_add_permission' only feeds the template; the
        # add view presumably re-checks the permission - confirm.
        context = RequestContext(request, {
            'has_add_permission': has_page_add_permission(request),
        })
        context.update(
            get_admin_menu_item_context(request, page, 'filtered' in request.REQUEST))
        return render_to_response('admin/cms/page/menu_item.html', context)
    # Not found - tree will remove item
    return HttpResponse(NOT_FOUND_RESPONSE)
def render_admin_menu_item(request, page, template=None, language=None):
    """
    Render the admin tree fragment for one page.

    Used when a tree item must be reloaded over ajax. ``template`` defaults
    to ``admin/cms/page/tree/menu_fragment.html``.
    """
    template = template or "admin/cms/page/tree/menu_fragment.html"
    if not page.pk:
        # Not found - tree will remove item
        return HttpResponse(NOT_FOUND_RESPONSE)

    from cms.utils import permissions

    site_languages = get_language_list(page.site_id)
    # NOTE(review): the permission result is template context only; the add
    # view presumably enforces it separately - confirm.
    context = {
        "has_add_permission": permissions.has_page_add_permission(request),
        "site_languages": site_languages,
    }
    # The "filtered" marker may arrive as a GET or as a POST parameter.
    is_filtered = any("filtered" in params for params in (request.GET, request.POST))
    context.update(get_admin_menu_item_context(request, page, is_filtered, language))
    return render(request, template, context)
def render_admin_menu_item(request, page):
    """
    Render the tree item of ``page`` for the admin.

    Used when an item has to be reloaded over ajax.
    """
    if not page.pk:
        # Not found - tree will remove item
        return HttpResponse(NOT_FOUND_RESPONSE)

    # Languages: the site's configured list, else the first element of each
    # settings.CMS_LANGUAGES entry.
    configured = settings.CMS_SITE_LANGUAGES
    if page.site_id in configured:
        languages = configured[page.site_id]
    else:
        languages = [item[0] for item in settings.CMS_LANGUAGES]

    # NOTE(review): the flag only reaches the template here; the add view
    # presumably checks the permission again - confirm.
    may_add = permissions.has_page_add_permission(request)
    context = RequestContext(
        request, {"has_add_permission": may_add, "site_languages": languages})
    is_filtered = "filtered" in request.REQUEST
    context.update(get_admin_menu_item_context(request, page, is_filtered))
    return render_to_response("admin/cms/page/menu_item.html", context)
def render_admin_menu_item(request, page, template=None, language=None):
    """
    Render the admin tree fragment of ``page``.

    Used when a tree item must be reloaded over ajax. ``template`` defaults
    to ``admin/cms/page/tree/menu_fragment.html``.
    """
    if not page.pk:
        # Not found - tree will remove item
        return HttpResponse(NOT_FOUND_RESPONSE)
    chosen_template = template if template else "admin/cms/page/tree/menu_fragment.html"

    from cms.utils import permissions

    # NOTE(review): 'has_add_permission' is only template context at this
    # point; the add view presumably enforces it too - confirm.
    context = {}
    context['has_add_permission'] = permissions.has_page_add_permission(request)
    context['site_languages'] = get_language_list(page.site_id)
    is_filtered = 'filtered' in request.REQUEST
    context.update(
        get_admin_menu_item_context(request, page, is_filtered, language))
    return render(request, chosen_template, context)
def test_emulate_admin_index(self):
    """
    Call the methods that emulate the admin site instance's index.

    This test was the reason for the new manager, in light of ticket #1120:
    a GlobalPagePermission created without any site-specific rights should
    give its user access to all sites, while one bound to a site should
    only apply to that site.
    """
    # NOTE(review): nesting was reconstructed from a collapsed listing; in
    # particular, confirm that the final USERS[0] checks belong inside the
    # second assertNumQueries block.

    # create and then ignore this user.
    superuser = self._create_user("super", is_staff=True, is_active=True, is_superuser=True)
    superuser.set_password("super")
    superuser.save()
    # two sites, then 2 staff users
    SITES = [
        Site.objects.get(pk=1),
        Site.objects.create(domain='example2.com', name='example2.com'),
    ]
    USERS = [
        self._create_user("staff", is_staff=True, is_active=True),
        self._create_user("staff_2", is_staff=True, is_active=True),
    ]
    for user in USERS:
        user.set_password('staff')
        # re-use the same methods the UserPage form does.
        # Note that it internally calls .save(), as we've not done so.
        save_permissions({
            'can_add_page': True,
            'can_change_page': True,
            'can_delete_page': False
        }, user)

    # Global permission for the first user with no site restriction.
    GlobalPagePermission.objects.create(can_add=True, can_change=True, can_delete=False, user=USERS[0])
    # we're querying here to ensure that even though we've created two users
    # above, we should have successfully filtered to just one perm.
    self.assertEqual(1, GlobalPagePermission.objects.with_user(USERS[0]).count())
    # this will confirm explicit permissions still work, by adding the first
    # site instance to the many2many relationship 'sites'
    GlobalPagePermission.objects.create(can_add=True, can_change=True, can_delete=False, user=USERS[1]).sites.add(SITES[0])
    self.assertEqual(1, GlobalPagePermission.objects.with_user(USERS[1]).count())
    homepage = create_page(title="master", template="nav_playground.html", language="en", in_navigation=True, slug='/')
    publish_page(page=homepage, user=superuser, language='en')
    with SettingsOverride(CMS_PERMISSION=True):
        # for all users, they should have access to site 1
        request = RequestFactory().get(path='/', data={'site__exact': 1})
        # we need a session attribute for current_site(request), which is
        # used by has_page_add_permission and has_page_change_permission
        request.session = {}
        for user in USERS:
            # has_page_add_permission and has_page_change_permission both test
            # for this explicitly, to see if it's a superuser.
            request.user = user
            # Note, the query count is inflated by doing additional lookups
            # because there's a site param in the request.
            with self.assertNumQueries(FuzzyInt(6,7)):
                # PageAdmin swaps out the methods called for permissions
                # if the setting is true, it makes use of cms.utils.permissions
                self.assertTrue(has_page_add_permission(request))
                self.assertTrue(has_page_change_permission(request))
                # internally this calls PageAdmin.has_[add|change|delete]_permission()
                self.assertEqual({'add': True, 'change': True, 'delete': False}, site._registry[Page].get_model_perms(request))
        # can't use the above loop for this test, as we're testing that
        # user 1 has access, but user 2 does not, as they are only assigned
        # to site 1
        request = RequestFactory().get('/', data={'site__exact': 2})
        request.session = {}
        # As before, the query count is inflated by doing additional lookups
        # because there's a site param in the request
        with self.assertNumQueries(FuzzyInt(11, 20)):
            # this user shouldn't have access to site 2: the negative case
            # that shows a site-bound permission does not leak to other sites
            request.user = USERS[1]
            self.assertTrue(not has_page_add_permission(request))
            self.assertTrue(not has_page_change_permission(request))
            self.assertEqual({'add': False, 'change': False, 'delete': False}, site._registry[Page].get_model_perms(request))
            # but, going back to the first user, they should.
            request = RequestFactory().get('/', data={'site__exact': 2})
            request.user = USERS[0]
            self.assertTrue(has_page_add_permission(request))
            self.assertTrue(has_page_change_permission(request))
            self.assertEqual({'add': True, 'change': True, 'delete': False}, site._registry[Page].get_model_perms(request))
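def save(self, **kwargs):
    """
    Create the page described by the wizard form and return it.

    The add permission is checked again here, although the list of wizard
    entries was already filtered by it, so that a hand-crafted form
    submission cannot get around it. All authorization checks run before
    the page is created, so a refused request leaves no page behind.

    Raises:
        NoPermissionsException: the user is not a superuser and lacks the
            permission to add a page at the computed position.
        PermissionDenied: a page type was selected as copy source and the
            user may not view it.
    """
    from django.contrib.sites.models import Site

    from cms.api import create_page, add_plugin
    from cms.utils.permissions import has_page_add_permission

    sub_page = self.cleaned_data.get('sub_page', False)

    if self.page:
        if sub_page:
            parent = self.page
            position = "last-child"
        else:
            parent = self.page.parent
            position = "right"
    else:
        parent = None
        position = "last-child"

    # Before we do this, verify this user has perms to do so.
    if not self.user.is_superuser:
        # Without a current page there is no page site to read; reading
        # self.page.site unconditionally raised AttributeError for every
        # non-superuser in that case. Fall back to the current site.
        if self.page:
            site = self.page.site
        else:
            site = Site.objects.get_current()
        if not has_page_add_permission(
                self.user, self.page, position=position, site=site):
            raise NoPermissionsException(
                _(u"User does not have permission to add page."))

    # Resolve the optional copy source and check view permission on it
    # before anything is written.
    page_type = self.cleaned_data.get("page_type")
    if page_type:
        copy_target = Page.objects.filter(pk=page_type).first()
    else:
        copy_target = None
    if copy_target and not user_has_view_permission(self.user, copy_target):
        raise PermissionDenied()

    page = create_page(
        title=self.cleaned_data['title'],
        slug=self.cleaned_data['slug'],
        template=get_cms_setting('PAGE_WIZARD_DEFAULT_TEMPLATE'),
        language=self.language_code,
        created_by=smart_text(self.user),
        parent=parent,
        in_navigation=True,
        published=False)

    if copy_target:
        # If the user selected a page type, copy that.
        # Copy page attributes
        copy_target._copy_attributes(page, clean=True)
        page.save()

        # Copy contents (for each language)
        for lang in copy_target.get_languages():
            copy_target._copy_contents(page, lang)

        # Copy extensions
        from cms.extensions import extension_pool
        extension_pool.copy_extensions(copy_target, page)
    else:
        # If the user provided content, then use that instead.
        content = self.cleaned_data.get('content')
        plugin_type = get_cms_setting('PAGE_WIZARD_CONTENT_PLUGIN')
        plugin_body = get_cms_setting('PAGE_WIZARD_CONTENT_PLUGIN_BODY')
        slot = get_cms_setting('PAGE_WIZARD_CONTENT_PLACEHOLDER')

        if plugin_type in plugin_pool.plugins and plugin_body:
            # The content plugin is only added when the user holds the
            # "add" permission for that plugin type.
            if content and permissions.has_plugin_permission(
                    self.user, plugin_type, "add"):
                placeholder = self.get_placeholder(page, slot=slot)
                if placeholder:
                    opts = {
                        'placeholder': placeholder,
                        'plugin_type': plugin_type,
                        'language': self.language_code,
                        plugin_body: content,
                    }
                    add_plugin(**opts)

    # is it home? publish it right away
    if not self.page and page.is_home:
        page.publish(self.language_code)

    if is_installed('reversion'):
        from cms.utils.helpers import make_revision_with_plugins
        from cms.constants import REVISION_INITIAL_COMMENT
        from cms.utils.reversion_hacks import create_revision

        with create_revision():
            make_revision_with_plugins(
                obj=page,
                user=self.user,
                message=ugettext(REVISION_INITIAL_COMMENT),
            )
    return page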
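def save(self, **kwargs):
    """
    Create the page described by the wizard form and return it.

    The add permission is verified here as well as when the wizard entries
    are listed, so that a manipulated form submission is still refused.
    Every authorization check happens before ``create_page`` is called, so
    a denied request does not leave a half-built page behind.

    Raises:
        NoPermissionsException: the user is not a superuser and may not add
            a page at the computed position.
        PermissionDenied: the selected page type exists but the user may
            not view it.
    """
    from django.contrib.sites.models import Site

    from cms.api import create_page, add_plugin
    from cms.utils.permissions import has_page_add_permission

    sub_page = self.cleaned_data.get('sub_page', False)

    if self.page:
        if sub_page:
            parent = self.page
            position = "last-child"
        else:
            parent = self.page.parent
            position = "right"
    else:
        parent = None
        position = "last-child"

    # Before we do this, verify this user has perms to do so.
    if not self.user.is_superuser:
        # self.page may be None (see the branch above); the earlier
        # unconditional self.page.site then failed with AttributeError
        # instead of producing a permission decision. Use the current site
        # when there is no page.
        site = self.page.site if self.page else Site.objects.get_current()
        if not has_page_add_permission(self.user, self.page,
                                       position=position, site=site):
            raise NoPermissionsException(
                _(u"User does not have permission to add page."))

    # Look up the optional copy source and check that the user may view it
    # before the new page is written.
    page_type = self.cleaned_data.get("page_type")
    if page_type:
        copy_target = Page.objects.filter(pk=page_type).first()
    else:
        copy_target = None
    if copy_target and not user_has_view_permission(self.user, copy_target):
        raise PermissionDenied()

    page = create_page(
        title=self.cleaned_data['title'],
        slug=self.cleaned_data['slug'],
        template=get_cms_setting('PAGE_WIZARD_DEFAULT_TEMPLATE'),
        language=self.language_code,
        created_by=smart_text(self.user),
        parent=parent,
        in_navigation=True,
        published=False
    )

    if copy_target:
        # If the user selected a page type, copy that.
        # Copy page attributes
        copy_target._copy_attributes(page, clean=True)
        page.save()

        # Copy contents (for each language)
        for lang in copy_target.get_languages():
            copy_target._copy_contents(page, lang)

        # Copy extensions
        from cms.extensions import extension_pool
        extension_pool.copy_extensions(copy_target, page)
    else:
        # If the user provided content, then use that instead.
        content = self.cleaned_data.get('content')
        plugin_type = get_cms_setting('PAGE_WIZARD_CONTENT_PLUGIN')
        plugin_body = get_cms_setting('PAGE_WIZARD_CONTENT_PLUGIN_BODY')
        slot = get_cms_setting('PAGE_WIZARD_CONTENT_PLACEHOLDER')

        if plugin_type in plugin_pool.plugins and plugin_body:
            # Content is only inserted when the user holds the "add"
            # permission for the configured plugin type.
            if content and permissions.has_plugin_permission(
                    self.user, plugin_type, "add"):
                placeholder = self.get_placeholder(page, slot=slot)
                if placeholder:
                    opts = {
                        'placeholder': placeholder,
                        'plugin_type': plugin_type,
                        'language': self.language_code,
                        plugin_body: content,
                    }
                    add_plugin(**opts)

    # is it home? publish it right away
    if not self.page and page.is_home:
        page.publish(self.language_code)

    if is_installed('reversion'):
        from cms.utils.helpers import make_revision_with_plugins
        from cms.constants import REVISION_INITIAL_COMMENT
        from cms.utils.reversion_hacks import create_revision

        with create_revision():
            make_revision_with_plugins(
                obj=page,
                user=self.user,
                message=ugettext(REVISION_INITIAL_COMMENT),
            )
    return page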