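def _get_page_ids_for_action(user, site, action, check_global=True, use_cache=True):
    """
    Return the ids of the pages on which ``user`` may perform ``action``.

    ``GRANT_ALL_PERMISSIONS`` is returned instead of a list when the user is
    a superuser, when the ``PERMISSION`` CMS setting is off, or when
    ``check_global`` is true and the user holds a matching global permission
    for ``site``.

    :param user: user whose permissions are resolved
    :param site: site passed to the global and the page-level lookups
    :param action: key into the per-user page actions mapping
    :param check_global: consult global permissions before page permissions
    :param use_cache: read the permission cache; the computed list is written
        back to the cache in either case
    """
    if user.is_superuser or not get_cms_setting('PERMISSION'):
        # Superuser, or the permission system is disabled: nothing to resolve.
        return GRANT_ALL_PERMISSIONS

    # Global permissions are evaluated BEFORE the per-page cache is read.
    # The cache calls in this function pass only (user, action), so an entry
    # written by a call with check_global=False, or for another site, cannot
    # be told apart from one valid for this call. Reading the cache first
    # would let such a page list shadow a global grant.
    if check_global and has_global_permission(
            user, site, action=action, use_cache=use_cache):
        return GRANT_ALL_PERMISSIONS

    if use_cache:
        cached = get_permission_cache(user, action)
        get_page_actions = get_page_actions_for_user
    else:
        cached = None
        get_page_actions = get_page_actions_for_user.without_cache

    if cached is not None:
        return cached

    page_actions = get_page_actions(user, site)
    page_ids = list(page_actions[action])
    set_permission_cache(user, action, page_ids)
    return page_ids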
def test_cache_invalidation(self):
    """
    Saving a page must drop the user's cached permission entry.
    """
    user, action = self.user_normal, "can_change"
    set_permission_cache(user, action, [self.home_page.id])

    # The save is the trigger under test; the entry set above must be gone
    # afterwards, otherwise a stale permission list could outlive the change.
    self.home_page.save()

    self.assertIsNone(get_permission_cache(user, action))
def test_basic_permissions(self):
    """
    Exercise the low-level permission cache API: get, set and clear.
    """
    user = self.user_normal
    action = "can_change"

    # Nothing has been cached for this user yet.
    self.assertIsNone(get_permission_cache(user, action))

    # A stored list is returned unchanged.
    set_permission_cache(user, action, [self.home_page.id])
    self.assertEqual(
        get_permission_cache(user, action),
        [self.home_page.id],
    )

    # Clearing the user's cache removes the entry again.
    clear_user_permission_cache(user)
    self.assertIsNone(get_permission_cache(user, action))
def test_basic_permissions(self):
    """
    Round-trip the permission cache through its get / set / clear functions.
    """
    user = self.user_normal
    action = "change_page"

    def read_cache():
        # Single place that reads the entry under test.
        return get_permission_cache(user, action)

    # Starts out empty.
    self.assertIsNone(read_cache())

    # Set, then read back the same page id list.
    set_permission_cache(user, action, [self.home_page.id])
    self.assertEqual(read_cache(), [self.home_page.id])

    # Clearing the user's cache leaves no entry behind.
    clear_user_permission_cache(user)
    self.assertIsNone(read_cache())
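def __get_id_list(self, user, site, attr):
    """
    Return the ids of the pages on which ``user`` holds permission ``attr``.

    ``PagePermissionsPermissionManager.GRANT_ALL`` is returned instead of a
    list for superusers, when the ``PERMISSION`` CMS setting is off, or when
    a global permission for ``site`` grants ``attr``. Anonymous and non-staff
    users get an empty list unless ``attr`` is ``"can_view"``.

    :param user: user whose permissions are resolved
    :param site: site object or integer primary key
    :param attr: name of the boolean permission field, e.g. ``"can_add"``
    """
    if site and not isinstance(site, six.integer_types):
        site = site.pk

    from cms.models import (GlobalPagePermission, PagePermission,
                            MASK_PAGE, MASK_CHILDREN, MASK_DESCENDANTS)

    if attr != "can_view":
        if not user.is_authenticated() or not user.is_staff:
            return []

    if user.is_superuser or not get_cms_setting('PERMISSION'):
        # Superuser, or the permission system is disabled: grant everything.
        return PagePermissionsPermissionManager.GRANT_ALL

    # Global permissions are checked BEFORE the cache is read.
    # !IMPORTANT: page permissions must not override global permissions.
    # The global check is scoped to `site`, while the cache calls here pass
    # only (user, attr); reading the cache first would hand a page list that
    # was computed for a site without a global grant to a call for a site
    # that has one.
    if GlobalPagePermission.objects.user_has_permission(
            user, site, attr).exists():
        return PagePermissionsPermissionManager.GRANT_ALL

    cached = get_permission_cache(user, attr)
    if cached is not None:
        return cached

    # Standard user without a global permission: collect the page permissions
    # of the user and of the user's groups.
    qs = PagePermission.objects.with_user(user)
    # NOTE(review): QuerySet methods return a new queryset, so the chain on
    # the next line is built and thrown away; the loop below iterates every
    # page permission of the user, for any site. It is kept as it was because
    # the cache calls here are not keyed by site: applying the site filter
    # alone would store a site-specific list under a site-independent entry.
    # Fix the filter and the cache key together.
    qs.filter(**{
        'page__site_id': site
    }).order_by('page__path').select_related('page')

    # Compared by value. The previous `attr is "can_add"` compared object
    # identity, which made the scope of a grant depend on string interning.
    is_add = attr == "can_add"

    # Default is deny: only ids added below are allowed.
    page_id_allow_list = []
    for permission in qs:
        if not getattr(permission, attr):
            continue
        # "can_add" is special: the page is added *under* the current page,
        # so the page itself always counts and its children do not.
        if permission.grant_on & MASK_PAGE or is_add:
            page_id_allow_list.append(permission.page_id)
        if permission.grant_on & MASK_CHILDREN and not is_add:
            page_id_allow_list.extend(
                permission.page.get_children().values_list('id', flat=True))
        elif permission.grant_on & MASK_DESCENDANTS:
            page_id_allow_list.extend(
                permission.page.get_descendants().values_list(
                    'id', flat=True))

    set_permission_cache(user, attr, page_id_allow_list)
    return page_id_allow_list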
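def __get_id_list(self, user, attr):
    """
    Return the ids of the pages on which ``user`` holds permission ``attr``.

    ``PagePermissionsPermissionManager.GRANT_ALL`` is returned instead of a
    list for superusers, when ``settings.CMS_PERMISSION`` is off, or when a
    global permission of the user grants ``attr``. Anonymous and non-staff
    users get an empty list.

    :param user: user whose permissions are resolved
    :param attr: name of the boolean permission field, e.g. ``"can_add"``
    """
    if not user.is_authenticated() or not user.is_staff:
        return []

    if user.is_superuser or not settings.CMS_PERMISSION:
        # Superuser, or the permission system is disabled: grant everything.
        return PagePermissionsPermissionManager.GRANT_ALL

    # NOTE(review): the cache is read before the global check, so a page list
    # cached before a global permission was granted is returned until the
    # entry is cleared. Confirm that the cache is invalidated on every change
    # to page and global permissions.
    cached = get_permission_cache(user, attr)
    if cached is not None:
        return cached

    from cms.models import GlobalPagePermission, PagePermission, MASK_PAGE,\
        MASK_CHILDREN, MASK_DESCENDANTS

    # !IMPORTANT: page permissions must not override global permissions.
    # exists() answers the yes/no question without loading the rows.
    if GlobalPagePermission.objects.with_user(user).filter(
            **{attr: True}).exists():
        return PagePermissionsPermissionManager.GRANT_ALL

    # Standard user without a global permission: collect the page permissions
    # of the user and of the user's groups.
    qs = PagePermission.objects.with_user(user)
    # NOTE(review): order_by() returns a new queryset and the result is not
    # assigned, so this line does not order the rows iterated below.
    qs.order_by('page__tree_id', 'page__level', 'page__lft')

    # Compared by value. The previous `attr is "can_add"` compared object
    # identity, which made the scope of a grant depend on string interning.
    is_add = attr == "can_add"

    # Default is deny: only ids added below are allowed.
    page_id_allow_list = []
    for permission in qs:
        if not getattr(permission, attr):
            continue
        # "can_add" is special: the page is added *under* the current page,
        # so the page itself always counts.
        if permission.grant_on & MASK_PAGE or is_add:
            page_id_allow_list.append(permission.page.id)
        if permission.grant_on & MASK_CHILDREN:
            page_id_allow_list.extend(
                permission.page.get_children().values_list('id', flat=True))
        elif permission.grant_on & MASK_DESCENDANTS:
            page_id_allow_list.extend(
                permission.page.get_descendants().values_list('id', flat=True))

    set_permission_cache(user, attr, page_id_allow_list)
    return page_id_allow_list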
def test_cached_permission_precedence(self):
    # refs - https://github.com/divio/django-cms/issues/6335
    # A cached page-level result must never win over a global permission.
    user = self.user_normal
    page = create_page(
        "test page",
        "nav_playground.html",
        "en",
        created_by=self.user_super,
    )

    # Global grant for the current site.
    global_permission = GlobalPagePermission.objects.create(
        can_change=True,
        can_publish=True,
        user=user,
    )
    global_permission.sites.add(Site.objects.get_current())

    # Seed the cache with an empty page list for the publish action; the
    # global grant above has to take precedence over it.
    set_permission_cache(user, "publish_page", [])

    self.assertTrue(user_can_publish_page(user, page))
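def __get_id_list(self, user, site, attr):
    """
    Return the ids of the pages on which ``user`` holds permission ``attr``.

    ``PagePermissionsPermissionManager.GRANT_ALL`` is returned instead of a
    list for superusers, when the ``PERMISSION`` CMS setting is off, or when
    a global permission attached to ``site`` grants ``attr``. Anonymous and
    non-staff users get an empty list unless ``attr`` is ``"can_view"``.

    :param user: user whose permissions are resolved
    :param site: site used to scope the global permission lookup
    :param attr: name of the boolean permission field, e.g. ``"can_add"``
    """
    from cms.models import (GlobalPagePermission, PagePermission,
                            MASK_PAGE, MASK_CHILDREN, MASK_DESCENDANTS)

    if attr != "can_view":
        if not user.is_authenticated() or not user.is_staff:
            return []

    if user.is_superuser or not get_cms_setting('PERMISSION'):
        # Superuser, or the permission system is disabled: grant everything.
        return PagePermissionsPermissionManager.GRANT_ALL

    # Global permissions are checked BEFORE the cache is read.
    # !IMPORTANT: page permissions must not override global permissions.
    # The lookup below is scoped to `site`, while the cache calls here pass
    # only (user, attr); reading the cache first would hand a page list that
    # was computed for a site without a global grant to a call for a site
    # that has one.
    global_permissions = GlobalPagePermission.objects.with_user(user)
    if global_permissions.filter(**{
        attr: True,
        'sites__in': [site]
    }).exists():
        return PagePermissionsPermissionManager.GRANT_ALL

    cached = get_permission_cache(user, attr)
    if cached is not None:
        return cached

    # Standard user without a global permission: collect the page permissions
    # of the user and of the user's groups.
    qs = PagePermission.objects.with_user(user)
    # NOTE(review): order_by() returns a new queryset and the result is not
    # assigned, so this line does not order the rows iterated below.
    qs.order_by('page__tree_id', 'page__level', 'page__lft')

    # Compared by value. The previous `attr is "can_add"` compared object
    # identity, which made the scope of a grant depend on string interning.
    is_add = attr == "can_add"

    # Default is deny: only ids added below are allowed.
    page_id_allow_list = []
    for permission in qs:
        if not getattr(permission, attr):
            continue
        # "can_add" is special: the page is added *under* the current page,
        # so the page itself always counts and its children do not.
        if permission.grant_on & MASK_PAGE or is_add:
            page_id_allow_list.append(permission.page.id)
        if permission.grant_on & MASK_CHILDREN and not is_add:
            page_id_allow_list.extend(
                permission.page.get_children().values_list('id', flat=True))
        elif permission.grant_on & MASK_DESCENDANTS:
            page_id_allow_list.extend(
                permission.page.get_descendants().values_list('id', flat=True))

    set_permission_cache(user, attr, page_id_allow_list)
    return page_id_allow_list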
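def _get_page_ids_for_action(user, site, action, check_global=True, use_cache=True):
    """
    Resolve the page ids on which ``user`` is allowed to perform ``action``.

    Returns ``GRANT_ALL_PERMISSIONS`` rather than a list in three cases: the
    user is a superuser, the ``PERMISSION`` CMS setting is off, or
    ``check_global`` is true and a global permission for ``site`` grants the
    action.

    :param user: user whose permissions are resolved
    :param site: site passed to the global and the page-level lookups
    :param action: key into the per-user page actions mapping
    :param check_global: consult global permissions before page permissions
    :param use_cache: read the permission cache; the computed list is written
        back to the cache in either case
    """
    if user.is_superuser or not get_cms_setting('PERMISSION'):
        # Superuser, or the permission system is disabled: nothing to resolve.
        return GRANT_ALL_PERMISSIONS

    # The global grant is decided first and the per-page cache second. The
    # cache calls below carry only (user, action): a list stored by a call
    # with check_global=False, or for a different site, looks the same as one
    # valid here, and returning it early would mask a global permission.
    if check_global and has_global_permission(user, site, action=action, use_cache=use_cache):
        return GRANT_ALL_PERMISSIONS

    if use_cache:
        cached = get_permission_cache(user, action)
        if cached is not None:
            return cached
        get_page_actions = get_page_actions_for_user
    else:
        # Bypass both the cached list and the cached per-user page actions.
        get_page_actions = get_page_actions_for_user.without_cache

    page_actions = get_page_actions(user, site)
    page_ids = list(page_actions[action])
    set_permission_cache(user, action, page_ids)
    return page_ids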