def create_page_user(self, username, password=None,
                     can_add_page=True, can_change_page=True,
                     can_delete_page=True, can_recover_page=True,
                     can_add_pageuser=True, can_change_pageuser=True,
                     can_delete_pageuser=True, can_add_pagepermission=True,
                     can_change_pagepermission=True,
                     can_delete_pagepermission=True, grant_all=False):
    """
    Test helper that creates a page user and returns the underlying user.

    Stands in for the admin form at /admin/cms/pageuser/add/: the objects
    are written directly and the permission flags are handed to
    ``save_permissions``.

    Fixture credentials, for test databases only:
      * ``password`` falls back to ``username`` when omitted;
      * when the test case has no ``self.user``, a superuser named
        'superuser' with password 'superuser' is created as the creator.

    Every ``can_*`` flag defaults to True and the account is always marked
    staff and active, so callers must pass False explicitly for each
    permission they want withheld. ``grant_all=True`` forces all ten flags
    on regardless of the other arguments.

    Returns the ``User`` instance (not the ``PageUser``).
    """
    if grant_all:
        # Re-enter with all ten permission flags switched on.
        return self.create_page_user(username, password, *([True] * 10))

    # Predictable fixture password: same as the username unless given.
    password = username if password is None else password

    permission_flags = dict(
        can_add_page=can_add_page,
        can_change_page=can_change_page,
        can_delete_page=can_delete_page,
        can_recover_page=can_recover_page,
        can_add_pageuser=can_add_pageuser,
        can_change_pageuser=can_change_pageuser,
        can_delete_pageuser=can_delete_pageuser,
        can_add_pagepermission=can_add_pagepermission,
        can_change_pagepermission=can_change_pagepermission,
        can_delete_pagepermission=can_delete_pagepermission,
    )

    # The creator is the test case's own user when it has one; otherwise a
    # throw-away superuser with fixed credentials is created.
    creator = (
        self.user if hasattr(self, 'user')
        else User.objects.create_superuser(
            'superuser', '*****@*****.**', 'superuser')
    )

    # Reuse an existing account of that name, otherwise create it.
    try:
        account = User.objects.get(username=username)
    except User.DoesNotExist:
        account = User.objects.create_user(username, '*****@*****.**', password)

    # Admin access is granted unconditionally.
    account.is_staff = True
    account.is_active = True

    # Mirror every concrete User field onto the PageUser before saving.
    page_user = PageUser(created_by=creator)
    for model_field in User._meta.local_fields:
        setattr(page_user, model_field.name, getattr(account, model_field.name))

    account.save()
    page_user.save()
    save_permissions(permission_flags, page_user)
    return account
def create_page_user(self, username, password=None,
                     can_add_page=True, can_change_page=True,
                     can_delete_page=True, can_recover_page=True,
                     can_add_pageuser=True, can_change_pageuser=True,
                     can_delete_pageuser=True, can_add_pagepermission=True,
                     can_change_pagepermission=True,
                     can_delete_pagepermission=True, grant_all=False):
    """
    Create a page user for tests and return the plain user object.

    Replaces a round trip through the admin form at
    /admin/cms/pageuser/add/: the user and page user are saved directly
    and ``save_permissions`` receives the ``can_*`` flags.

    Security-relevant defaults (acceptable only against a test database):
      * an omitted ``password`` becomes the ``username``;
      * without ``self.user`` the creator is a new superuser
        'superuser' / 'superuser';
      * all ``can_*`` flags default to True, and ``is_staff`` and
        ``is_active`` are always set.

    ``grant_all=True`` turns every flag on, overriding the other arguments.

    Returns the ``User`` instance, not the ``PageUser``.
    """
    if grant_all:
        # Same call again with the ten permission flags all True.
        all_on = (True,) * 10
        return self.create_page_user(username, password, *all_on)

    if password is None:
        # Fixture convenience: the password equals the username.
        password = username

    perms = {}
    perms['can_add_page'] = can_add_page
    perms['can_change_page'] = can_change_page
    perms['can_delete_page'] = can_delete_page
    perms['can_recover_page'] = can_recover_page
    perms['can_add_pageuser'] = can_add_pageuser
    perms['can_change_pageuser'] = can_change_pageuser
    perms['can_delete_pageuser'] = can_delete_pageuser
    perms['can_add_pagepermission'] = can_add_pagepermission
    perms['can_change_pagepermission'] = can_change_pagepermission
    perms['can_delete_pagepermission'] = can_delete_pagepermission

    if not hasattr(self, 'user'):
        # No user on the test case: fall back to a fixed-credential superuser.
        owner = User.objects.create_superuser(
            'superuser', '*****@*****.**', 'superuser')
    else:
        owner = self.user

    # Look the account up first so repeated calls reuse it.
    try:
        target = User.objects.get(username=username)
    except User.DoesNotExist:
        target = User.objects.create_user(
            username, '*****@*****.**', password)

    target.is_staff = True
    target.is_active = True

    # Copy each concrete User column onto the new PageUser row.
    page_user = PageUser(created_by=owner)
    for column in User._meta.local_fields:
        setattr(page_user, column.name, getattr(target, column.name))

    target.save()
    page_user.save()
    save_permissions(perms, page_user)
    return target
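def create_page_user(created_by, user,
                     can_add_page=True, can_view_page=True,
                     can_change_page=True, can_delete_page=True,
                     can_recover_page=True, can_add_pageuser=True,
                     can_change_pageuser=True, can_delete_pageuser=True,
                     can_add_pagepermission=True,
                     can_change_pagepermission=True,
                     can_delete_pagepermission=True, grant_all=False):
    """
    Creates a page user.

    See docs/extending_cms/api_reference.rst for more info

    ``user`` is modified in place: it is marked staff and active and then
    saved, and a ``PageUser`` carrying the same field values is stored with
    ``created_by`` as its creator. The ``can_*`` flags are passed to
    ``save_permissions`` for that page user.

    Every ``can_*`` flag defaults to True, so a call that names no flags
    grants all eleven permissions; pass False for each one to withhold.
    ``grant_all=True`` forces all of them on regardless of the other
    arguments.

    Raises AssertionError if ``created_by`` is not an instance of the
    active user model. Returns ``user``.
    """
    from cms.admin.forms import save_permissions

    if grant_all:
        # just be lazy: re-enter with all eleven permission flags set
        return create_page_user(created_by, user, True, True, True, True, True, True, True, True, True, True, True)

    # validate created_by
    # An explicit raise is used instead of ``assert`` because assert
    # statements are removed under ``python -O``, which would skip this
    # check. AssertionError is kept so callers see the same exception type.
    user_model = get_user_model()
    if not isinstance(created_by, user_model):
        raise AssertionError(
            "created_by must be an instance of the active user model")

    data = {
        'can_add_page': can_add_page,
        'can_view_page': can_view_page,
        'can_change_page': can_change_page,
        'can_delete_page': can_delete_page,
        'can_recover_page': can_recover_page,
        'can_add_pageuser': can_add_pageuser,
        'can_change_pageuser': can_change_pageuser,
        'can_delete_pageuser': can_delete_pageuser,
        'can_add_pagepermission': can_add_pagepermission,
        'can_change_pagepermission': can_change_pagepermission,
        'can_delete_pagepermission': can_delete_pagepermission,
    }

    # Admin access is granted unconditionally, before the fields are copied,
    # so the PageUser picks up the same staff/active values.
    user.is_staff = True
    user.is_active = True

    page_user = PageUser(created_by=created_by)
    for field in [f.name for f in user_model._meta.local_fields]:
        setattr(page_user, field, getattr(user, field))

    user.save()
    page_user.save()
    save_permissions(data, page_user)
    return user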
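def create_page_user(created_by, user,
                     can_add_page=True, can_view_page=True,
                     can_change_page=True, can_delete_page=True,
                     can_recover_page=True, can_add_pageuser=True,
                     can_change_pageuser=True, can_delete_pageuser=True,
                     can_add_pagepermission=True,
                     can_change_pagepermission=True,
                     can_delete_pagepermission=True, grant_all=False):
    """
    Creates a page user.

    See docs/extending_cms/api_reference.rst for more info

    ``user`` is modified in place: it is marked staff and active and saved
    before the ``PageUser`` is built from it. The ``can_*`` flags are passed
    to ``save_permissions`` for that page user.

    Every ``can_*`` flag defaults to True, so a call that names no flags
    grants all eleven permissions; pass False for each one to withhold.
    ``grant_all=True`` forces all of them on regardless of the other
    arguments.

    Raises AssertionError if ``created_by`` is not an instance of the
    active user model. Returns ``user``.
    """
    if grant_all:
        # just be lazy: re-enter with all eleven permission flags set
        return create_page_user(created_by, user, True, True, True, True, True, True, True, True, True, True, True)

    # validate created_by
    # An explicit raise is used instead of ``assert`` because assert
    # statements are removed under ``python -O``, which would skip this
    # check. AssertionError is kept so callers see the same exception type.
    if not isinstance(created_by, auth.get_user_model()):
        raise AssertionError(
            "created_by must be an instance of the active user model")

    data = {
        'can_add_page': can_add_page,
        'can_view_page': can_view_page,
        'can_change_page': can_change_page,
        'can_delete_page': can_delete_page,
        'can_recover_page': can_recover_page,
        'can_add_pageuser': can_add_pageuser,
        'can_change_pageuser': can_change_pageuser,
        'can_delete_pageuser': can_delete_pageuser,
        'can_add_pagepermission': can_add_pagepermission,
        'can_change_pagepermission': can_change_pagepermission,
        'can_delete_pagepermission': can_delete_pagepermission,
    }

    # Admin access is granted unconditionally and persisted first.
    user.is_staff = True
    user.is_active = True
    user.save()

    # NOTE(review): ``user`` is passed positionally to the PageUser
    # constructor; confirm which field that argument binds to.
    page_user = PageUser(user, created_by=created_by)
    page_user.save()
    save_permissions(data, page_user)
    return user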
def test_emulate_admin_index(self):
    """
    Call methods that emulate the adminsite instance's index.

    This test was basically the reason for the new manager, in light of the
    problem highlighted in ticket #1120, which asserts that giving a user no
    site-specific rights when creating a GlobalPagePermission should allow
    access to all sites.

    Two boundaries are checked: a global permission with no sites attached
    applies on every site, and a global permission attached to site 1 only
    must not grant anything on site 2.
    """
    # create and then ignore this user (only used later to publish a page).
    superuser = self._create_user("super", is_staff=True, is_active=True, is_superuser=True)
    superuser.set_password("super")
    superuser.save()
    # two sites: the existing pk=1 and a second one created here
    SITES = [
        Site.objects.get(pk=1),
        Site.objects.create(domain='example2.com', name='example2.com'),
    ]
    # create 2 staff users (neither is a superuser)
    USERS = [
        self._create_user("staff", is_staff=True, is_active=True),
        self._create_user("staff_2", is_staff=True, is_active=True),
    ]
    for user in USERS:
        user.set_password('staff')
        # re-use the same methods the UserPage form does.
        # Note that it internally calls .save(), as we've not done so.
        # Both users get add and change but not delete.
        save_permissions({
            'can_add_page': True,
            'can_change_page': True,
            'can_delete_page': False
        }, user)
    # USERS[0]: global permission with no sites attached.
    GlobalPagePermission.objects.create(can_add=True, can_change=True, can_delete=False, user=USERS[0])
    # we're querying here to ensure that even though we've created two users
    # above, we should have successfully filtered to just one perm.
    self.assertEqual(1, GlobalPagePermission.objects.with_user(USERS[0]).count())
    # this will confirm explicit permissions still work, by adding the first
    # site instance to the many2many relationship 'sites'
    # USERS[1]: global permission restricted to SITES[0].
    GlobalPagePermission.objects.create(can_add=True, can_change=True, can_delete=False, user=USERS[1]).sites.add(SITES[0])
    self.assertEqual(1, GlobalPagePermission.objects.with_user(USERS[1]).count())
    homepage = create_page(title="master", template="nav_playground.html", language="en", in_navigation=True, slug='/')
    publish_page(page=homepage, user=superuser, language='en')
    with SettingsOverride(CMS_PERMISSION=True):
        # for all users, they should have access to site 1
        request = RequestFactory().get(path='/', data={'site__exact': 1})
        # we need a session attribute for current_site(request), which is
        # used by has_page_add_permission and has_page_change_permission
        request.session = {}
        for user in USERS:
            # has_page_add_permission and has_page_change_permission both test
            # for this explicitly, to see if it's a superuser.
            request.user = user
            # Note, the query count is inflated by doing additional lookups
            # because there's a site param in the request.
            with self.assertNumQueries(FuzzyInt(6,7)):
                # PageAdmin swaps out the methods called for permissions
                # if the setting is true, it makes use of cms.utils.permissions
                self.assertTrue(has_page_add_permission(request))
                self.assertTrue(has_page_change_permission(request))
                # internally this calls PageAdmin.has_[add|change|delete]_permission()
                self.assertEqual({'add': True, 'change': True, 'delete': False}, site._registry[Page].get_model_perms(request))
        # can't use the above loop for this test, as we're testing that
        # user 1 has access, but user 2 does not, as they are only assigned
        # to site 1
        request = RequestFactory().get('/', data={'site__exact': 2})
        request.session = {}
        # As before, the query count is inflated by doing additional lookups
        # because there's a site param in the request
        # NOTE(review): the listing lost its indentation; the statements
        # below are all placed inside this query-count block - confirm
        # against the repository copy.
        with self.assertNumQueries(FuzzyInt(11, 20)):
            # this user shouldn't have access to site 2: the denial half of
            # the test, where the site-1-only permission must not apply.
            request.user = USERS[1]
            self.assertTrue(not has_page_add_permission(request))
            self.assertTrue(not has_page_change_permission(request))
            self.assertEqual({'add': False, 'change': False, 'delete': False}, site._registry[Page].get_model_perms(request))
            # but, going back to the first user, they should.
            request = RequestFactory().get('/', data={'site__exact': 2})
            request.user = USERS[0]
            self.assertTrue(has_page_add_permission(request))
            self.assertTrue(has_page_change_permission(request))
            self.assertEqual({'add': True, 'change': True, 'delete': False}, site._registry[Page].get_model_perms(request))
def test_emulate_admin_index(self):
    """
    Call methods that emulate the adminsite instance's index.

    This test was basically the reason for the new manager, in light of the
    problem highlighted in ticket #1120, which asserts that giving a user no
    site-specific rights when creating a GlobalPagePermission should allow
    access to all sites.

    Two boundaries are checked: a global permission with no sites attached
    applies on every site, and a global permission attached to site 1 only
    must not grant anything on site 2.
    """
    # create and then ignore this user (only used later to publish a page).
    superuser = self._create_user("super", is_staff=True, is_active=True, is_superuser=True)
    superuser.set_password("super")
    superuser.save()
    site_1 = Site.objects.get(pk=1)
    site_2 = Site.objects.create(domain='example2.com', name='example2.com')
    SITES = [site_1, site_2]
    # create 2 staff users (neither is a superuser)
    USERS = [
        self._create_user("staff", is_staff=True, is_active=True),
        self._create_user("staff_2", is_staff=True, is_active=True),
    ]
    for user in USERS:
        user.set_password('staff')
        # re-use the same methods the UserPage form does.
        # Note that it internally calls .save(), as we've not done so.
        # Both users get add and change but not delete.
        save_permissions(
            {
                'can_add_page': True,
                'can_change_page': True,
                'can_delete_page': False
            }, user)
    # USERS[0]: global permission with no sites attached.
    GlobalPagePermission.objects.create(can_add=True, can_change=True, can_delete=False, user=USERS[0])
    # we're querying here to ensure that even though we've created two users
    # above, we should have successfully filtered to just one perm.
    self.assertEqual(
        1, GlobalPagePermission.objects.with_user(USERS[0]).count())
    # this will confirm explicit permissions still work, by adding the first
    # site instance to the many2many relationship 'sites'
    # USERS[1]: global permission restricted to SITES[0].
    GlobalPagePermission.objects.create(can_add=True, can_change=True, can_delete=False, user=USERS[1]).sites.add(SITES[0])
    self.assertEqual(
        1, GlobalPagePermission.objects.with_user(USERS[1]).count())
    homepage = create_page(title="master", template="nav_playground.html", language="en", in_navigation=True, slug='/')
    publish_page(page=homepage, user=superuser, language='en')
    with self.settings(CMS_PERMISSION=True):
        # for all users, they should have access to site 1
        # The site is selected through 'cms_admin_site' in the session.
        request = RequestFactory().get(path='/')
        request.session = {'cms_admin_site': site_1.pk}
        request.current_page = None
        for user in USERS:
            request.user = user
            # Note, the query count is inflated by doing additional lookups.
            # NOTE(review): the original comment attributes this to a site
            # param in the request, but this request carries none.
            # The upper bound is 5 rather than 4 when DJANGO_2_0 is false,
            # because of the default 'view' permission.
            max_queries = 4 if DJANGO_2_0 else 5
            with self.assertNumQueries(FuzzyInt(3, max_queries)):
                # internally this calls PageAdmin.has_[add|change|delete|view]_permission()
                expected_perms = {
                    'add': True,
                    'change': True,
                    'delete': False
                }
                if not DJANGO_2_0:
                    expected_perms.update({'view': True})
                self.assertEqual(
                    expected_perms, site._registry[Page].get_model_perms(request))
        # can't use the above loop for this test, as we're testing that
        # user 1 has access, but user 2 does not, as they are only assigned
        # to site 1
        request = RequestFactory().get(path='/')
        request.session = {'cms_admin_site': site_2.pk}
        request.current_page = None
        # Refresh internal user cache
        USERS[0] = self.reload(USERS[0])
        USERS[1] = self.reload(USERS[1])
        # As before, the query count is inflated by doing additional lookups.
        # NOTE(review): the listing lost its indentation; the statements
        # below are all placed inside this query-count block - confirm
        # against the repository copy.
        with self.assertNumQueries(FuzzyInt(5, 15)):
            # this user shouldn't have access to site 2: the denial half of
            # the test, where the site-1-only permission must not apply.
            request.user = USERS[1]
            expected_perms = {
                'add': False,
                'change': False,
                'delete': False
            }
            if not DJANGO_2_0:
                expected_perms.update({'view': False})
            self.assertEqual(expected_perms, site._registry[Page].get_model_perms(request))
            # but, going back to the first user, they should.
            # NOTE(review): this request selects the site with the
            # 'site__exact' query parameter and an empty session, while the
            # two requests above select it with 'cms_admin_site' in the
            # session. Confirm the parameter is still honoured; otherwise
            # this assertion may not be exercising site 2.
            request = RequestFactory().get('/', data={'site__exact': site_2.pk})
            request.user = USERS[0]
            request.current_page = None
            request.session = {}
            expected_perms = {'add': True, 'change': True, 'delete': False}
            if not DJANGO_2_0:
                expected_perms.update({'view': True})
            self.assertEqual(expected_perms, site._registry[Page].get_model_perms(request))