def _get_page_ids_for_action(user,
site,
action,
check_global=True,
use_cache=True):
if user.is_superuser or not get_cms_setting('PERMISSION'):
# got superuser, or permissions aren't enabled?
# just return grant all mark
return GRANT_ALL_PERMISSIONS
if use_cache:
# read from cache if possible
cached = get_permission_cache(user, action)
get_page_actions = get_page_actions_for_user
else:
cached = None
get_page_actions = get_page_actions_for_user.without_cache
if cached is not None:
return cached
if check_global and has_global_permission(
user, site, action=action, use_cache=use_cache):
return GRANT_ALL_PERMISSIONS
page_actions = get_page_actions(user, site)
page_ids = list(page_actions[action])
set_permission_cache(user, action, page_ids)
return page_ids
def test_cache_invalidation(self):
"""
Test permission cache clearing on page save
"""
set_permission_cache(self.user_normal, "can_change", [self.home_page.id])
self.home_page.save()
cached_permissions = get_permission_cache(self.user_normal, "can_change")
self.assertIsNone(cached_permissions)
def test_cache_invalidation(self):
"""
Test permission cache clearing on page save
"""
set_permission_cache(self.user_normal, "can_change",
[self.home_page.id])
self.home_page.save()
cached_permissions = get_permission_cache(self.user_normal,
"can_change")
self.assertIsNone(cached_permissions)
def test_basic_permissions(self):
"""
Test basic permissions cache get / set / clear low-level api
"""
cached_permissions = get_permission_cache(self.user_normal, "can_change")
self.assertIsNone(cached_permissions)
set_permission_cache(self.user_normal, "can_change", [self.home_page.id])
cached_permissions = get_permission_cache(self.user_normal, "can_change")
self.assertEqual(cached_permissions, [self.home_page.id])
clear_user_permission_cache(self.user_normal)
cached_permissions = get_permission_cache(self.user_normal, "can_change")
self.assertIsNone(cached_permissions)
def test_basic_permissions(self):
"""
Test basic permissions cache get / set / clear low-level api
"""
cached_permissions = get_permission_cache(self.user_normal, "change_page")
self.assertIsNone(cached_permissions)
set_permission_cache(self.user_normal, "change_page", [self.home_page.id])
cached_permissions = get_permission_cache(self.user_normal, "change_page")
self.assertEqual(cached_permissions, [self.home_page.id])
clear_user_permission_cache(self.user_normal)
cached_permissions = get_permission_cache(self.user_normal, "change_page")
self.assertIsNone(cached_permissions)
def __get_id_list(self, user, site, attr):
if site and not isinstance(site, six.integer_types):
site = site.pk
from cms.models import (GlobalPagePermission, PagePermission,
MASK_PAGE, MASK_CHILDREN, MASK_DESCENDANTS)
if attr != "can_view":
if not user.is_authenticated() or not user.is_staff:
return []
if user.is_superuser or not get_cms_setting('PERMISSION'):
# got superuser, or permissions aren't enabled? just return grant
# all mark
return PagePermissionsPermissionManager.GRANT_ALL
# read from cache if possible
cached = get_permission_cache(user, attr)
if cached is not None:
return cached
# check global permissions
global_perm = GlobalPagePermission.objects.user_has_permission(
user, site, attr).exists()
if global_perm:
# user or his group are allowed to do `attr` action
# !IMPORTANT: page permissions must not override global permissions
return PagePermissionsPermissionManager.GRANT_ALL
# for standard users without global permissions, get all pages for him or
# his group/s
qs = PagePermission.objects.with_user(user)
qs.filter(**{
'page__site_id': site
}).order_by('page__path').select_related('page')
# default is denny...
page_id_allow_list = []
for permission in qs:
if getattr(permission, attr):
# can add is special - we are actually adding page under current page
if permission.grant_on & MASK_PAGE or attr is "can_add":
page_id_allow_list.append(permission.page_id)
if permission.grant_on & MASK_CHILDREN and not attr is "can_add":
page_id_allow_list.extend(
permission.page.get_children().values_list('id',
flat=True))
elif permission.grant_on & MASK_DESCENDANTS:
page_id_allow_list.extend(
permission.page.get_descendants().values_list(
'id', flat=True))
# store value in cache
set_permission_cache(user, attr, page_id_allow_list)
return page_id_allow_list
def __get_id_list(self, user, attr):
# TODO: result of this method should be cached per user, and cache should
# be cleaned after some change in permissions / globalpermission
if not user.is_authenticated() or not user.is_staff:
return []
if user.is_superuser or not settings.CMS_PERMISSION:
# got superuser, or permissions aren't enabled? just return grant
# all mark
return PagePermissionsPermissionManager.GRANT_ALL
# read from cache if posssible
cached = get_permission_cache(user, attr)
if cached is not None:
return cached
from cms.models import GlobalPagePermission, PagePermission, MASK_PAGE,\
MASK_CHILDREN, MASK_DESCENDANTS
# check global permissions
in_global_permissions = GlobalPagePermission.objects.with_user(user).filter(**{attr: True})
if in_global_permissions:
# user or his group are allowed to do `attr` action
# !IMPORTANT: page permissions must not override global permissions
return PagePermissionsPermissionManager.GRANT_ALL
# for standard users without global permissions, get all pages for him or
# his group/s
qs = PagePermission.objects.with_user(user)
qs.order_by('page__tree_id', 'page__level', 'page__lft')
# default is denny...
page_id_allow_list = []
for permission in qs:
is_allowed = getattr(permission, attr)
if is_allowed:
# can add is special - we are actually adding page under current page
if permission.grant_on & MASK_PAGE or attr is "can_add":
page_id_allow_list.append(permission.page.id)
if permission.grant_on & MASK_CHILDREN:
page_id_allow_list.extend(permission.page.get_children().values_list('id', flat=True))
elif permission.grant_on & MASK_DESCENDANTS:
page_id_allow_list.extend(permission.page.get_descendants().values_list('id', flat=True))
# store value in cache
set_permission_cache(user, attr, page_id_allow_list)
return page_id_allow_list
def test_cached_permission_precedence(self):
# refs - https://github.com/divio/django-cms/issues/6335
# cached page permissions should not override global permissions
page = create_page(
"test page",
"nav_playground.html",
"en",
created_by=self.user_super,
)
page_permission = GlobalPagePermission.objects.create(
can_change=True,
can_publish=True,
user=self.user_normal,
)
page_permission.sites.add(Site.objects.get_current())
set_permission_cache(self.user_normal, "publish_page", [])
can_publish = user_can_publish_page(self.user_normal, page)
self.assertTrue(can_publish)
def __get_id_list(self, user, site, attr):
from cms.models import (GlobalPagePermission, PagePermission,
MASK_PAGE, MASK_CHILDREN, MASK_DESCENDANTS)
if attr != "can_view":
if not user.is_authenticated() or not user.is_staff:
return []
if user.is_superuser or not get_cms_setting('PERMISSION'):
# got superuser, or permissions aren't enabled? just return grant
# all mark
return PagePermissionsPermissionManager.GRANT_ALL
# read from cache if possible
cached = get_permission_cache(user, attr)
if cached is not None:
return cached
# check global permissions
global_permissions = GlobalPagePermission.objects.with_user(user)
if global_permissions.filter(**{
attr: True, 'sites__in': [site]
}).exists():
# user or his group are allowed to do `attr` action
# !IMPORTANT: page permissions must not override global permissions
return PagePermissionsPermissionManager.GRANT_ALL
# for standard users without global permissions, get all pages for him or
# his group/s
qs = PagePermission.objects.with_user(user)
qs.order_by('page__tree_id', 'page__level', 'page__lft')
# default is denny...
page_id_allow_list = []
for permission in qs:
if getattr(permission, attr):
# can add is special - we are actually adding page under current page
if permission.grant_on & MASK_PAGE or attr is "can_add":
page_id_allow_list.append(permission.page.id)
if permission.grant_on & MASK_CHILDREN and not attr is "can_add":
page_id_allow_list.extend(permission.page.get_children().values_list('id', flat=True))
elif permission.grant_on & MASK_DESCENDANTS:
page_id_allow_list.extend(permission.page.get_descendants().values_list('id', flat=True))
# store value in cache
set_permission_cache(user, attr, page_id_allow_list)
return page_id_allow_list
def _get_page_ids_for_action(user, site, action, check_global=True, use_cache=True):
if user.is_superuser or not get_cms_setting('PERMISSION'):
# got superuser, or permissions aren't enabled?
# just return grant all mark
return GRANT_ALL_PERMISSIONS
if use_cache:
# read from cache if possible
cached = get_permission_cache(user, action)
get_page_actions = get_page_actions_for_user
else:
cached = None
get_page_actions = get_page_actions_for_user.without_cache
if cached is not None:
return cached
if check_global and has_global_permission(user, site, action=action, use_cache=use_cache):
return GRANT_ALL_PERMISSIONS
page_actions = get_page_actions(user, site)
page_ids = list(page_actions[action])
set_permission_cache(user, action, page_ids)
return page_ids
