def publish(request, page_id): page = get_object_or_404(Page, id=page_id).specific user_perms = UserPagePermissionsProxy(request.user) if not user_perms.for_page(page).can_publish(): raise PermissionDenied next_url = get_valid_next_url_from_request(request) if request.method == 'POST': include_descendants = request.POST.get("include_descendants", False) page.save_revision().publish() if include_descendants: not_live_descendant_pages = ( page.get_descendants().not_live().specific()) for not_live_descendant_page in not_live_descendant_pages: if user_perms.for_page(not_live_descendant_page).can_publish(): not_live_descendant_page.save_revision().publish() if next_url: return redirect(next_url) return redirect('wagtailadmin_explore', page.get_parent().id) return render(request, 'wagtailadmin/pages/confirm_publish.html', { 'page': page, 'next': next_url, 'not_live_descendant_count': page.get_descendants().not_live().count() })
def test_lock_page_for_non_editing_user(self): user = get_user_model().objects.get(username='******') christmas_page = EventPage.objects.get(url_path='/home/events/christmas/') perms = UserPagePermissionsProxy(user).for_page(christmas_page) self.assertFalse(perms.can_lock())
def test_lock_page_for_moderator(self): user = get_user_model().objects.get(username='******') christmas_page = EventPage.objects.get(url_path='/home/events/christmas/') perms = UserPagePermissionsProxy(user).for_page(christmas_page) self.assertTrue(perms.can_lock())
def test_editable_pages_for_non_editing_user(self): user = get_user_model().objects.get(username='******') homepage = Page.objects.get(url_path='/home/') christmas_page = EventPage.objects.get(url_path='/home/events/christmas/') unpublished_event_page = EventPage.objects.get(url_path='/home/events/tentative-unpublished-event/') someone_elses_event_page = EventPage.objects.get(url_path='/home/events/someone-elses-event/') user_perms = UserPagePermissionsProxy(user) editable_pages = user_perms.editable_pages() can_edit_pages = user_perms.can_edit_pages() publishable_pages = user_perms.publishable_pages() can_publish_pages = user_perms.can_publish_pages() self.assertFalse(editable_pages.filter(id=homepage.id).exists()) self.assertFalse(editable_pages.filter(id=christmas_page.id).exists()) self.assertFalse(editable_pages.filter(id=unpublished_event_page.id).exists()) self.assertFalse(editable_pages.filter(id=someone_elses_event_page.id).exists()) self.assertFalse(can_edit_pages) self.assertFalse(publishable_pages.filter(id=homepage.id).exists()) self.assertFalse(publishable_pages.filter(id=christmas_page.id).exists()) self.assertFalse(publishable_pages.filter(id=unpublished_event_page.id).exists()) self.assertFalse(publishable_pages.filter(id=someone_elses_event_page.id).exists()) self.assertFalse(can_publish_pages)
def revisions_unschedule(request, page_id, revision_id): page = get_object_or_404(Page, id=page_id).specific user_perms = UserPagePermissionsProxy(request.user) if not user_perms.for_page(page).can_unschedule(): raise PermissionDenied revision = get_object_or_404(page.revisions, id=revision_id) next_url = get_valid_next_url_from_request(request) subtitle = _('revision {0} of "{1}"').format(revision.id, page.get_admin_display_title()) if request.method == 'POST': revision.approved_go_live_at = None revision.save(update_fields=['approved_go_live_at']) messages.success(request, _('Revision {0} of "{1}" unscheduled.').format(revision.id, page.get_admin_display_title()), buttons=[ messages.button(reverse('wagtailadmin_pages:edit', args=(page.id,)), _('Edit')) ]) if next_url: return redirect(next_url) return redirect('wagtailadmin_pages:revisions_index', page.id) return render(request, 'wagtailadmin/pages/revisions/confirm_unschedule.html', { 'page': page, 'revision': revision, 'next': next_url, 'subtitle': subtitle })
def unpublish(request, page_id): page = get_object_or_404(Page, id=page_id).specific user_perms = UserPagePermissionsProxy(request.user) if not user_perms.for_page(page).can_unpublish(): raise PermissionDenied next_url = get_valid_next_url_from_request(request) if request.method == 'POST': include_descendants = request.POST.get("include_descendants", False) page.unpublish() if include_descendants: live_descendant_pages = page.get_descendants().live().specific() for live_descendant_page in live_descendant_pages: if user_perms.for_page(live_descendant_page).can_unpublish(): live_descendant_page.unpublish() messages.success(request, _("Page '{0}' unpublished.").format(page.get_admin_display_title()), buttons=[ messages.button(reverse('wagtailadmin_pages:edit', args=(page.id,)), _('Edit')) ]) if next_url: return redirect(next_url) return redirect('wagtailadmin_explore', page.get_parent().id) return render(request, 'wagtailadmin/pages/confirm_unpublish.html', { 'page': page, 'next': next_url, 'live_descendant_count': page.get_descendants().live().count(), })
def __init__(self, *args, **kwargs): super().__init__(*args, **kwargs) user_perms = UserPagePermissionsProxy(self.instance.user) if not user_perms.can_publish_pages(): del self.fields['submitted_notifications'] if not user_perms.can_edit_pages(): del self.fields['approved_notifications'] del self.fields['rejected_notifications']
def register_account_notification_preferences(request): user_perms = UserPagePermissionsProxy(request.user) if user_perms.can_edit_pages() or user_perms.can_publish_pages(): return { 'url': reverse('wagtailadmin_account_notification_preferences'), 'label': _('Notification preferences'), 'help_text': _('Choose which email notifications to receive.'), }
def account(request): user_perms = UserPagePermissionsProxy(request.user) show_notification_preferences = user_perms.can_edit_pages() or user_perms.can_publish_pages() return render(request, 'wagtailadmin/account/account.html', { 'show_change_password': password_management_enabled() and request.user.has_usable_password(), 'show_notification_preferences': show_notification_preferences, 'show_preferred_language_preferences': len(get_available_admin_languages()) > 1 })
def test_lock_page_for_superuser(self): user = get_user_model().objects.get(username='******') christmas_page = EventPage.objects.get(url_path='/home/events/christmas/') locked_page = Page.objects.get(url_path='/home/my-locked-page/') perms = UserPagePermissionsProxy(user).for_page(christmas_page) locked_perms = UserPagePermissionsProxy(user).for_page(locked_page) self.assertTrue(perms.can_lock()) self.assertFalse(locked_perms.can_unpublish()) # locked pages can't be unpublished
def get_forms_for_user(user): """ Return a queryset of form pages that this user is allowed to access the submissions for """ editable_forms = UserPagePermissionsProxy(user).editable_pages() editable_forms = editable_forms.filter(content_type__in=get_form_types()) # Apply hooks for fn in hooks.get_hooks('filter_form_submissions_for_user'): editable_forms = fn(user, editable_forms) return editable_forms
def test_explorable_pages_with_permission_gap_in_hierarchy(self): corporate_editor = get_user_model().objects.get(username='******') user_perms = UserPagePermissionsProxy(corporate_editor) about_us_page = Page.objects.get(url_path='/home/about-us/') businessy_events = Page.objects.get(url_path='/home/events/businessy-events/') events_page = Page.objects.get(url_path='/home/events/') explorable_pages = user_perms.explorable_pages() self.assertTrue(explorable_pages.filter(id=about_us_page.id).exists()) self.assertTrue(explorable_pages.filter(id=businessy_events.id).exists()) self.assertTrue(explorable_pages.filter(id=events_page.id).exists())
def test_explorable_pages(self): event_editor = get_user_model().objects.get(username='******') christmas_page = EventPage.objects.get(url_path='/home/events/christmas/') unpublished_event_page = EventPage.objects.get(url_path='/home/events/tentative-unpublished-event/') someone_elses_event_page = EventPage.objects.get(url_path='/home/events/someone-elses-event/') about_us_page = Page.objects.get(url_path='/home/about-us/') user_perms = UserPagePermissionsProxy(event_editor) explorable_pages = user_perms.explorable_pages() # Verify all pages below /home/events/ are explorable self.assertTrue(explorable_pages.filter(id=christmas_page.id).exists()) self.assertTrue(explorable_pages.filter(id=unpublished_event_page.id).exists()) self.assertTrue(explorable_pages.filter(id=someone_elses_event_page.id).exists()) # Verify page outside /events/ tree are not explorable self.assertFalse(explorable_pages.filter(id=about_us_page.id).exists())
def unpublish(request, page_id): page = get_object_or_404(Page, id=page_id).specific user_perms = UserPagePermissionsProxy(request.user) if not user_perms.for_page(page).can_unpublish(): raise PermissionDenied next_url = get_valid_next_url_from_request(request) if request.method == 'POST': include_descendants = request.POST.get("include_descendants", False) for fn in hooks.get_hooks('before_unpublish_page'): result = fn(request, page) if hasattr(result, 'status_code'): return result action = UnpublishPageAction(page, user=request.user, include_descendants=include_descendants) action.execute(skip_permission_checks=True) for fn in hooks.get_hooks('after_unpublish_page'): result = fn(request, page) if hasattr(result, 'status_code'): return result messages.success(request, _("Page '{0}' unpublished.").format( page.get_admin_display_title()), buttons=[ messages.button( reverse('wagtailadmin_pages:edit', args=(page.id, )), _('Edit')) ]) if next_url: return redirect(next_url) return redirect('wagtailadmin_explore', page.get_parent().id) return TemplateResponse( request, 'wagtailadmin/pages/confirm_unpublish.html', { 'page': page, 'next': next_url, 'live_descendant_count': page.get_descendants().live().count(), })
def _get_user_page_permissions(context): # Create a UserPagePermissionsProxy object to represent the user's global permissions, and # cache it in the context for the duration of the page request, if one does not exist already if 'user_page_permissions' not in context: context['user_page_permissions'] = UserPagePermissionsProxy( context['request'].user) return context['user_page_permissions']
def new_page_from_modal(request): user_perms = UserPagePermissionsProxy(request.user) if not user_perms.can_edit_pages(): raise PermissionDenied if request.method == 'POST': # Get the page data body = json.loads(request.body) print(body['type']) data = {} if body['type'] != 'department' and body['type'] != 'topic': if body['department'] != None: data['department'] = DepartmentPage.objects.get(id=body['department']) data['title'] = body['title'] data['owner'] = request.user # Create the page if body['type'] == 'service': page = ServicePage(**data) if body['type'] == 'process': page = ProcessPage(**data) if body['type'] == 'information': page = InformationPage(**data) if body['type'] == 'topic': page = TopicPage(**data) if body['type'] == 'topiccollection': if body['theme'] != None: data['theme'] = Theme.objects.get(id=body['theme']) page = TopicCollectionPage(**data) if body['type'] == 'department': data['what_we_do'] = 'What we do' data['mission'] = 'Mission' page = DepartmentPage(**data) # Add it as a child of home home = Page.objects.get(id=3) home.add_child(instance=page) # Save our draft page.save_revision() page.unpublish() # Not sure why it seems to go live by default # Respond with the id of the new page response = HttpResponse(json.dumps({'id': page.id}), content_type="application/json") return response
def test_lock_page_for_moderator_whole_locked_page_without_unlock_permission(self): user = get_user_model().objects.get(username='******') christmas_page = EventPage.objects.get(url_path='/home/events/christmas/') # Lock the page christmas_page.locked = True christmas_page.locked_by = user christmas_page.locked_at = timezone.now() christmas_page.save() GroupPagePermission.objects.filter(group__name='Event moderators', permission_type='unlock').delete() perms = UserPagePermissionsProxy(user).for_page(christmas_page) # Unlike in the previous test, the user can unlock this page as it was them who locked self.assertTrue(perms.can_lock()) self.assertTrue(perms.can_unlock())
def user_keys_accept( request, user_id ): r_user = RUBIONUser.objects.get( id = user_id ) user_perms = UserPagePermissionsProxy(request.user) if not user_perms.for_page(r_user).can_edit(): raise PermissionDenied num = request.POST.get('keyId', None) if num: r_user.key_number = num r_user.save_revision_and_publish( user = request.user ) messages.success(request, _('{} now was assigned the key with number {}.').format( r_user.full_name(), r_user.key_number )) return JsonResponse({'redirect' : reverse('wagtailadmin_home')}) else: return JsonResponse({'wrong' : 'Did not receive a keyId'})
def get_queryset(self): pages = ( UserPagePermissionsProxy(self.request.user) .editable_pages() .filter(locked=True) ) self.queryset = pages return super().get_queryset()
def usage(request, pk): workflow = get_object_or_404(Workflow, id=pk) perms = UserPagePermissionsProxy(request.user) pages = workflow.all_pages() & perms.editable_pages() paginator = Paginator(pages, per_page=10) pages = paginator.get_page(request.GET.get("p")) return render( request, "wagtailadmin/workflows/usage.html", { "workflow": workflow, "used_by": pages, }, )
def codered_forms(user, editable_forms): from coderedcms.models import CoderedFormMixin """ Add our own CoderedFormPage to editable_forms, since wagtail is unaware of its existence. Essentially this is a fork of wagtail.contrib.forms.get_forms_for_user() and wagtail.contrib.forms.get_form_types() """ form_models = [ model for model in get_page_models() if issubclass(model, CoderedFormMixin) ] form_types = list( ContentType.objects.get_for_models(*form_models).values()) editable_forms = UserPagePermissionsProxy(user).editable_pages() editable_forms = editable_forms.filter(content_type__in=form_types) return editable_forms
def workflow_history(request, page_id): page = get_object_or_404(Page, id=page_id) user_perms = UserPagePermissionsProxy(request.user) if not user_perms.for_page(page).can_edit(): raise PermissionDenied workflow_states = WorkflowState.objects.filter( page=page).order_by('-created_at') paginator = Paginator(workflow_states, per_page=20) workflow_states = paginator.get_page(request.GET.get('p')) return TemplateResponse(request, 'wagtailadmin/pages/workflow_history/index.html', { 'page': page, 'workflow_states': workflow_states, })
def filter_queryset(self, request, queryset, view): if request.GET.get('for_explorer'): if not hasattr(queryset, '_filtered_by_child_of'): raise BadRequestError( "filtering by for_explorer without child_of is not supported" ) parent_page = queryset._filtered_by_child_of ##TODO: This is where the code is broken, see: https://github.com/wagtail/wagtail/blob/17e541715a80a43bc4eb1f1b07183bf22bb1869a/wagtail/contrib/modeladmin/options.py#L49 # for hook in hooks.get_hooks('construct_explorer_page_queryset'): # queryset = hook(parent_page, queryset, request) user_perms = UserPagePermissionsProxy(request.user) # This is returning an empty list! WRONG! #print(user_perms.explorable_pages()) queryset = queryset & user_perms.explorable_pages() return queryset
def test_with_user_no_permission(self): homepage = Page.objects.get(url_path='/home/') # event editor does not have permissions on homepage event_editor = get_user_model().objects.get(username='******') permission_proxy = UserPagePermissionsProxy(event_editor) result = can_choose_page(homepage, permission_proxy, self.desired_classes, user_perm='copy_to') self.assertFalse(result)
def revisions_unschedule(request, page_id, revision_id): page = get_object_or_404(Page, id=page_id).specific user_perms = UserPagePermissionsProxy(request.user) if not user_perms.for_page(page).can_unschedule(): raise PermissionDenied revision = get_object_or_404(page.revisions, id=revision_id) next_url = get_valid_next_url_from_request(request) subtitle = _('revision {0} of "{1}"').format( revision.id, page.get_admin_display_title()) if request.method == "POST": revision.approved_go_live_at = None revision.save(user=request.user, update_fields=["approved_go_live_at"]) messages.success( request, _('Version {0} of "{1}" unscheduled.').format( revision.id, page.get_admin_display_title()), buttons=[ messages.button( reverse("wagtailadmin_pages:edit", args=(page.id, )), _("Edit")) ], ) if next_url: return redirect(next_url) return redirect("wagtailadmin_pages:history", page.id) return TemplateResponse( request, "wagtailadmin/pages/revisions/confirm_unschedule.html", { "page": page, "revision": revision, "next": next_url, "subtitle": subtitle }, )
def get_pages_with_reviews_for_user(cls, user): """ Return a queryset of pages which have reviews, for which the user has edit permission """ user_perms = UserPagePermissionsProxy(user) reviewed_pages = (cls.objects.order_by('-created_at').values_list( 'page_revision__page_id', 'created_at')) # Annotate datetime when a review was last created for this page last_review_requested_at = Case( *[ When(pk=pk, then=Value(created_at)) for pk, created_at in reviewed_pages ], output_field=models.DateTimeField(), ) return (user_perms.editable_pages().filter( pk__in=(page[0] for page in reviewed_pages)).annotate( last_review_requested_at=last_review_requested_at).order_by( '-last_review_requested_at'))
def get_queryset(self): pages = ((UserPagePermissionsProxy(self.request.user).editable_pages() | Page.objects.filter(locked_by=self.request.user)).filter( locked=True).specific(defer=True)) if getattr(settings, "WAGTAIL_I18N_ENABLED", False): pages = pages.select_related("locale") self.queryset = pages return super().get_queryset()
def safety_instruction_helper(request, user_id, instruction_id): from .models import RUBIONUser r_user = get_object_or_404(RUBIONUser, pk=user_id) user_perms = UserPagePermissionsProxy(request.user) if not user_perms.for_page(r_user).can_edit() or not request.is_ajax(): raise PermissionDenied si = get_object_or_404(SafetyInstructionsSnippet, pk=instruction_id) instructions = r_user.needs_safety_instructions.all() response = { 'del_link': reverse('rubionadmin:user_safety_instruction_del', args=[user_id, instruction_id]), 'add_link': reverse('rubionadmin:user_safety_instruction_add', args=[user_id, instruction_id]) } return [r_user, si, instructions, response]
def render(self): return render_to_string('wagtailadmin/home/locked_pages.html', { 'locked_pages': Page.objects.filter( locked=True, locked_by=self.request.user, ), 'can_remove_locks': UserPagePermissionsProxy(self.request.user).can_remove_locks() }, request=self.request)
def test_with_user_no_permission(self): homepage = Page.objects.get(url_path="/home/") # event editor does not have permissions on homepage event_editor = get_user_model().objects.get( email="*****@*****.**") permission_proxy = UserPagePermissionsProxy(event_editor) result = can_choose_page(homepage, permission_proxy, self.desired_classes, user_perm="copy_to") self.assertFalse(result)
def get_context_data(self, parent_context): request = parent_context['request'] context = super().get_context_data(parent_context) context.update({ 'locked_pages': Page.objects.filter( locked=True, locked_by=request.user, ), 'can_remove_locks': UserPagePermissionsProxy(request.user).can_remove_locks(), 'request': request, }) return context
def get_queryset(self): latest_publishing_log = PageLogEntry.objects.filter( page=OuterRef("pk"), action__exact="wagtail.publish") self.queryset = (UserPagePermissionsProxy( self.request.user).publishable_pages().exclude( last_published_at__isnull=True).prefetch_workflow_states( ).select_related("content_type").annotate_approved_schedule(). order_by("last_published_at").annotate( last_published_by=Subquery( latest_publishing_log.values("user")[:1]))) return super().get_queryset()
def execute(self, skip_permission_checks=False): self.check(skip_permission_checks=skip_permission_checks) self._unpublish_page( self.page, set_expired=self.set_expired, commit=self.commit, user=self.user, log_action=self.log_action, ) if self.include_descendants: from wagtail.core.models import UserPagePermissionsProxy user_perms = UserPagePermissionsProxy(self.user) for live_descendant_page in ( self.page.get_descendants().live().defer_streamfields().specific() ): action = UnpublishPageAction(live_descendant_page) if user_perms.for_page(live_descendant_page).can_unpublish(): action.execute(skip_permission_checks=True)
def test_editable_pages_for_user_with_edit_permission(self): event_moderator = get_user_model().objects.get( email='*****@*****.**') homepage = Page.objects.get(url_path='/home/') christmas_page = EventPage.objects.get( url_path='/home/events/christmas/') unpublished_event_page = EventPage.objects.get( url_path='/home/events/tentative-unpublished-event/') someone_elses_event_page = EventPage.objects.get( url_path='/home/events/someone-elses-event/') user_perms = UserPagePermissionsProxy(event_moderator) editable_pages = user_perms.editable_pages() can_edit_pages = user_perms.can_edit_pages() publishable_pages = user_perms.publishable_pages() can_publish_pages = user_perms.can_publish_pages() self.assertFalse(editable_pages.filter(id=homepage.id).exists()) self.assertTrue(editable_pages.filter(id=christmas_page.id).exists()) self.assertTrue( editable_pages.filter(id=unpublished_event_page.id).exists()) self.assertTrue( editable_pages.filter(id=someone_elses_event_page.id).exists()) self.assertTrue(can_edit_pages) self.assertFalse(publishable_pages.filter(id=homepage.id).exists()) self.assertTrue( publishable_pages.filter(id=christmas_page.id).exists()) self.assertTrue( publishable_pages.filter(id=unpublished_event_page.id).exists()) self.assertTrue( publishable_pages.filter(id=someone_elses_event_page.id).exists()) self.assertTrue(can_publish_pages)
def test_editable_pages_for_non_editing_user(self): user = get_user_model().objects.get(username='******') homepage = Page.objects.get(url_path='/home/') christmas_page = EventPage.objects.get( url_path='/home/events/christmas/') unpublished_event_page = EventPage.objects.get( url_path='/home/events/tentative-unpublished-event/') someone_elses_event_page = EventPage.objects.get( url_path='/home/events/someone-elses-event/') user_perms = UserPagePermissionsProxy(user) editable_pages = user_perms.editable_pages() can_edit_pages = user_perms.can_edit_pages() publishable_pages = user_perms.publishable_pages() can_publish_pages = user_perms.can_publish_pages() self.assertFalse(editable_pages.filter(id=homepage.id).exists()) self.assertFalse(editable_pages.filter(id=christmas_page.id).exists()) self.assertFalse( editable_pages.filter(id=unpublished_event_page.id).exists()) self.assertFalse( editable_pages.filter(id=someone_elses_event_page.id).exists()) self.assertFalse(can_edit_pages) self.assertFalse(publishable_pages.filter(id=homepage.id).exists()) self.assertFalse( publishable_pages.filter(id=christmas_page.id).exists()) self.assertFalse( publishable_pages.filter(id=unpublished_event_page.id).exists()) self.assertFalse( publishable_pages.filter(id=someone_elses_event_page.id).exists()) self.assertFalse(can_publish_pages)
def test_editable_pages_for_superuser(self): user = get_user_model().objects.get(email="*****@*****.**") homepage = Page.objects.get(url_path="/home/") christmas_page = EventPage.objects.get( url_path="/home/events/christmas/") unpublished_event_page = EventPage.objects.get( url_path="/home/events/tentative-unpublished-event/") someone_elses_event_page = EventPage.objects.get( url_path="/home/events/someone-elses-event/") user_perms = UserPagePermissionsProxy(user) editable_pages = user_perms.editable_pages() can_edit_pages = user_perms.can_edit_pages() publishable_pages = user_perms.publishable_pages() can_publish_pages = user_perms.can_publish_pages() self.assertTrue(editable_pages.filter(id=homepage.id).exists()) self.assertTrue(editable_pages.filter(id=christmas_page.id).exists()) self.assertTrue( editable_pages.filter(id=unpublished_event_page.id).exists()) self.assertTrue( editable_pages.filter(id=someone_elses_event_page.id).exists()) self.assertTrue(can_edit_pages) self.assertTrue(publishable_pages.filter(id=homepage.id).exists()) self.assertTrue( publishable_pages.filter(id=christmas_page.id).exists()) self.assertTrue( publishable_pages.filter(id=unpublished_event_page.id).exists()) self.assertTrue( publishable_pages.filter(id=someone_elses_event_page.id).exists()) self.assertTrue(can_publish_pages)
def test_lock_page_for_superuser(self): user = get_user_model().objects.get(username='******') christmas_page = EventPage.objects.get(url_path='/home/events/christmas/') locked_page = Page.objects.get(url_path='/home/my-locked-page/') perms = UserPagePermissionsProxy(user).for_page(christmas_page) locked_perms = UserPagePermissionsProxy(user).for_page(locked_page) self.assertTrue(perms.can_lock()) self.assertFalse(locked_perms.can_unpublish()) # locked pages can't be unpublished self.assertTrue(perms.can_unlock())
def unpublish(request, page_id): page = get_object_or_404(Page, id=page_id).specific user_perms = UserPagePermissionsProxy(request.user) if not user_perms.for_page(page).can_unpublish(): raise PermissionDenied next_url = get_valid_next_url_from_request(request) if request.method == 'POST': include_descendants = request.POST.get("include_descendants", False) page.unpublish() if include_descendants: live_descendant_pages = page.get_descendants().live().specific() for live_descendant_page in live_descendant_pages: if user_perms.for_page(live_descendant_page).can_unpublish(): live_descendant_page.unpublish() messages.success(request, _("Page '{0}' unpublished.").format( page.get_admin_display_title()), buttons=[ messages.button( reverse('wagtailadmin_pages:edit', args=(page.id, )), _('Edit')) ]) if next_url: return redirect(next_url) return redirect('wagtailadmin_explore', page.get_parent().id) return render( request, 'wagtailadmin/pages/confirm_unpublish.html', { 'page': page, 'next': next_url, 'live_descendant_count': page.get_descendants().live().count(), })
def page_permissions(context, page): """ Usage: {% page_permissions page as page_perms %} Sets the variable 'page_perms' to a PagePermissionTester object that can be queried to find out what actions the current logged-in user can perform on the given page. """ # Create a UserPagePermissionsProxy object to represent the user's global permissions, and # cache it in the context for the duration of the page request, if one does not exist already if 'user_page_permissions' not in context: context['user_page_permissions'] = UserPagePermissionsProxy(context['request'].user) # Now retrieve a PagePermissionTester from it, specific to the given page return context['user_page_permissions'].for_page(page)
def revisions_unschedule(request, page_id, revision_id): page = get_object_or_404(Page, id=page_id).specific user_perms = UserPagePermissionsProxy(request.user) if not user_perms.for_page(page).can_unschedule(): raise PermissionDenied revision = get_object_or_404(page.revisions, id=revision_id) next_url = get_valid_next_url_from_request(request) subtitle = _('revision {0} of "{1}"').format( revision.id, page.get_admin_display_title()) if request.method == 'POST': revision.approved_go_live_at = None revision.save(user=request.user, update_fields=['approved_go_live_at']) messages.success(request, _('Version {0} of "{1}" unscheduled.').format( revision.id, page.get_admin_display_title()), buttons=[ messages.button( reverse('wagtailadmin_pages:edit', args=(page.id, )), _('Edit')) ]) if next_url: return redirect(next_url) return redirect('wagtailadmin_pages:history', page.id) return TemplateResponse( request, 'wagtailadmin/pages/revisions/confirm_unschedule.html', { 'page': page, 'revision': revision, 'next': next_url, 'subtitle': subtitle })
def check(self, skip_permission_checks=False): from wagtail.core.models import UserPagePermissionsProxy # Essential data model checks if self.page._state.adding: raise CopyPageIntegrityError("Page.copy() called on an unsaved page") if ( self.to and self.recursive and (self.to.id == self.page.id or self.to.is_descendant_of(self.page)) ): raise CopyPageIntegrityError( "You cannot copy a tree branch recursively into itself" ) # Permission checks if self.user and not skip_permission_checks: to = self.to if to is None: to = self.page.get_parent() if not self.page.permissions_for_user(self.user).can_copy_to( to, self.recursive ): raise CopyPagePermissionError( "You do not have permission to copy this page" ) if self.keep_live: destination_perms = UserPagePermissionsProxy(self.user).for_page( self.to ) if not destination_perms.can_publish_subpage(): raise CopyPagePermissionError( "You do not have permission to publish a page at the destination" )
def get_queryset(self): q = Q(page__in=UserPagePermissionsProxy( self.request.user).explorable_pages().values_list('pk', flat=True)) root_page_permissions = Page.get_first_root_node( ).permissions_for_user(self.request.user) if (self.request.user.is_superuser or root_page_permissions.can_add_subpage() or root_page_permissions.can_edit()): # Include deleted entries q = q | Q(page_id__in=Subquery( PageLogEntry.objects.filter(deleted=True).values('page_id'))) return PageLogEntry.objects.filter(q)
def index(request, parent_page_id=None): if parent_page_id: parent_page = get_object_or_404(Page, id=parent_page_id) else: parent_page = Page.get_first_root_node() # This will always succeed because of the @user_passes_test above. root_page = get_explorable_root_page(request.user) # If this page isn't a descendant of the user's explorable root page, # then redirect to that explorable root page instead. if not ( parent_page.pk == root_page.pk or parent_page.is_descendant_of(root_page) ): return redirect('wagtailadmin_explore', root_page.pk) parent_page = parent_page.specific user_perms = UserPagePermissionsProxy(request.user) pages = ( parent_page.get_children().prefetch_related( "content_type", "sites_rooted_here" ) & user_perms.explorable_pages() ) # Get page ordering ordering = request.GET.get('ordering', '-latest_revision_created_at') if ordering not in [ 'title', '-title', 'content_type', '-content_type', 'live', '-live', 'latest_revision_created_at', '-latest_revision_created_at', 'ord' ]: ordering = '-latest_revision_created_at' if ordering == 'ord': # preserve the native ordering from get_children() pass elif ordering == 'latest_revision_created_at': # order by oldest revision first. # Special case NULL entries - these should go at the top of the list. # Do this by annotating with Count('latest_revision_created_at'), # which returns 0 for these pages = pages.annotate( null_position=Count('latest_revision_created_at') ).order_by('null_position', 'latest_revision_created_at') elif ordering == '-latest_revision_created_at': # order by oldest revision first. # Special case NULL entries - these should go at the end of the list. pages = pages.annotate( null_position=Count('latest_revision_created_at') ).order_by('-null_position', '-latest_revision_created_at') else: pages = pages.order_by(ordering) # Don't paginate if sorting by page order - all pages must be shown to # allow drag-and-drop reordering do_paginate = ordering != 'ord' if do_paginate or pages.count() < 100: # Retrieve pages in their most specific form, so that custom # get_admin_display_title and get_url_parts methods on subclasses are respected. # However, skip this on unpaginated listings with >100 child pages as this could # be a significant performance hit. (This should only happen on the reorder view, # and hopefully no-one is having to do manual reordering on listings that large...) pages = pages.specific(defer=True) # allow hooks to modify the queryset for hook in hooks.get_hooks('construct_explorer_page_queryset'): pages = hook(parent_page, pages, request) # Pagination if do_paginate: paginator = Paginator(pages, per_page=50) pages = paginator.get_page(request.GET.get('p')) return render(request, 'wagtailadmin/pages/index.html', { 'parent_page': parent_page.specific, 'ordering': ordering, 'pagination_query_params': "ordering=%s" % ordering, 'pages': pages, 'do_paginate': do_paginate, })
def __init__(self, request): self.request = request user_perms = UserPagePermissionsProxy(request.user) self.page_revisions_for_moderation = (user_perms.revisions_for_moderation() .select_related('page', 'user').order_by('-created_at'))
def get_surveys_for_user(user): """ Return a queryset of form pages that this user is allowed to access the submissions for """ editable_pages = UserPagePermissionsProxy(user).editable_pages() return editable_pages.filter(content_type__in=get_survey_types())