def test_editors_cannot_unpublish_child_pages(root_page): env = two_branches_with_users(root_page) resp = env.editor_1_client.post( reverse('wagtailadmin_pages:unpublish', args=[env.article_1.pk]) ) assert resp.status_code == status.HTTP_403_FORBIDDEN
def test_moderators_cannot_access_pages_not_from_their_branch(root_page): """ This reproduces situation when a moderator would try to access page that doesn't belong to they branch by simply changing page ID in the URL """ env = two_branches_with_users(root_page) resp_1 = env.moderator_1_client.get( f'/admin/pages/{env.home_2.pk}/edit/' ) assert resp_1.status_code == status.HTTP_403_FORBIDDEN resp_2 = env.moderator_2_client.get( f'/admin/pages/{env.home_1.pk}/edit/' ) assert resp_2.status_code == status.HTTP_403_FORBIDDEN resp_3 = env.moderator_1_client.get(f'/admin/pages/{env.home_2.pk}/') assert resp_3.status_code == status.HTTP_302_FOUND assert resp_3.url == f'/admin/pages/{env.home_1.pk}/' resp_4 = env.moderator_2_client.get(f'/admin/pages/{env.home_1.pk}/') assert resp_4.status_code == status.HTTP_302_FOUND assert resp_4.url == f'/admin/pages/{env.home_2.pk}/' # Unfortunately on API level Wagtail allows users to list pages that # belong to different branch resp_6 = env.moderator_1_client.get( f'/admin/api/v2beta/pages/?child_of={env.landing_2.pk}&for_explorer=1' ) assert resp_6.status_code == status.HTTP_200_OK assert resp_6.json()['meta']['total_count'] == 1 assert resp_6.json()['items'][0]['id'] == env.listing_2.pk
def test_admins_can_create_pages_in_any_branch(root_page): env = two_branches_with_users(root_page) # Add ExRed Article page data_1 = { 'article_title': 'test article', 'article_teaser': 'test article', 'article_body_text': 'test article', 'title_en_gb': 'test article', 'slug': 'test-article', 'action-publish': 'action-publish', } resp_1 = env.admin_client.post( reverse( 'wagtailadmin_pages:add', args=[ env.article_1._meta.app_label, env.article_1._meta.model_name, env.listing_1.pk ], ), data=data_1, ) assert resp_1.status_code == status.HTTP_302_FOUND assert resp_1.url.startswith('/admin/pages/') # format is /admin/pages/3/ # Add FAS Industry Article page data_2 = { 'article_title': 'test article', 'article_teaser': 'test article', 'article_body_text': 'test article', 'title_en_gb': 'test article', 'body': 'this is a test page', 'slug': 'test-article', 'action-publish': 'action-publish', 'breadcrumbs_label_en_gb': 'test breadcrumb', 'introduction_title_en_gb': 'test introduction', 'author_name_en_gb': 'dit', 'job_title_en_gb': 'dit', 'proposition_text_en_gb': 'test proposition', 'call_to_action_text_en_gb': 'contact us', 'back_to_home_link_text_en_gb': 'home', 'social_share_title_en_gb': 'share', 'date_en_gb': '2019-01-01', } resp_2 = env.admin_client.post( reverse( 'wagtailadmin_pages:add', args=[ env.article_2._meta.app_label, env.article_2._meta.model_name, env.listing_2.pk ], ), data=data_2, ) assert resp_2.status_code == status.HTTP_302_FOUND assert resp_2.url.startswith('/admin/pages/') # format is /admin/pages/3/
def test_moderators_and_admins_can_view_revisions_from_other_branches( root_page ): """ Unfortunately on API level Wagtail allows Moderators to view revisions from other branches. """ env = two_branches_with_users(root_page) revision_1 = env.article_1.save_revision( user=env.editor_1, submitted_for_moderation=True ) revision_2 = env.article_2.save_revision( user=env.editor_2, submitted_for_moderation=True ) revert_path_1 = f'/admin/pages/{env.article_1.pk}/revisions/{revision_1.pk}/revert/' # NOQA revert_path_2 = f'/admin/pages/{env.article_2.pk}/revisions/{revision_2.pk}/revert/' # NOQA resp_1 = env.moderator_1_client.get( reverse('wagtailadmin_pages:revisions_index', args=[env.article_1.pk]) ) assert resp_1.status_code == status.HTTP_200_OK content_1 = resp_1.content.decode() assert revert_path_1 in content_1 assert revert_path_2 not in content_1 resp_2 = env.moderator_1_client.get( reverse('wagtailadmin_pages:revisions_index', args=[env.article_2.pk]) ) assert resp_2.status_code == status.HTTP_200_OK content_2 = resp_2.content.decode() assert revert_path_1 not in content_2 assert revert_path_2 in content_2 resp_3 = env.moderator_2_client.get( reverse('wagtailadmin_pages:revisions_index', args=[env.article_1.pk]) ) assert resp_3.status_code == status.HTTP_200_OK content_3 = resp_3.content.decode() assert revert_path_1 in content_3 assert revert_path_2 not in content_3 resp_4 = env.moderator_2_client.get( reverse('wagtailadmin_pages:revisions_index', args=[env.article_2.pk]) ) assert resp_4.status_code == status.HTTP_200_OK content_4 = resp_4.content.decode() assert revert_path_1 not in content_4 assert revert_path_2 in content_4
def test_admins_should_be_able_to_reject_revision_from_any_branch(root_page): """ Somehow Wagtail doesn't show to the editor that revision was rejected and thus we have to use Admin client to check that (in last assertion) """ env = two_branches_with_users(root_page) # At this point there should be no revisions resp_1 = env.editor_1_client.get( reverse( 'wagtailadmin_pages:revisions_index', args=[env.article_1.pk] ) ) assert 'No revision of this page exist' in resp_1.content.decode() # Make a change and save revision new_title = 'The title was modified' env.article_1.title = new_title revision = env.article_1.save_revision( user=env.editor_1, submitted_for_moderation=True ) # Check if revision is visible resp_2 = env.editor_1_client.get( reverse( 'wagtailadmin_pages:revisions_index', args=[env.article_1.pk] ) ) assert new_title in resp_2.content.decode() revert_url = f'/admin/pages/{env.article_1.pk}/revisions/{revision.pk}/revert/' # NOQA assert revert_url in resp_2.content.decode() # Reject request for moderation resp_3 = env.admin_client.post( reverse('wagtailadmin_pages:reject_moderation', args=[revision.pk]) ) assert resp_3.status_code == status.HTTP_302_FOUND assert resp_3.url == '/admin/' # Verify if rejection is visible resp_4 = env.admin_client.get( reverse( 'wagtailadmin_pages:revisions_index', args=[env.article_1.pk] ) ) assert resp_4.status_code == status.HTTP_200_OK assert 'rejected for publication' in resp_4.content.decode()
def test_moderators_cannot_reject_revision_from_other_branch(root_page): env = two_branches_with_users(root_page) new_title = 'The title was modified' env.article_1.title = new_title revision = env.article_1.save_revision( user=env.editor_1, submitted_for_moderation=True ) # Reject request for moderation resp = env.moderator_2_client.post( reverse('wagtailadmin_pages:reject_moderation', args=[revision.pk]) ) assert resp.status_code == status.HTTP_403_FORBIDDEN
def test_editors_cannot_publish_child_pages(root_page): env = two_branches_with_users(root_page) draft_page = ArticlePageFactory( parent=env.landing_1, live=False ) revision = draft_page.save_revision( user=env.editor_1, submitted_for_moderation=True ) resp = env.editor_1_client.post( reverse('wagtailadmin_pages:approve_moderation', args=[revision.pk]) ) assert resp.status_code == status.HTTP_403_FORBIDDEN
def test_branch_moderators_should_only_see_pages_from_their_branch(root_page): """ This reproduces Wagtail's admin call to list pages in the 'Pages' menu. Moderators should only see app pages that share common root page """ env = two_branches_with_users(root_page) resp_1 = env.moderator_1_client.get( f'/admin/api/v2beta/pages/?child_of={env.landing_1.pk}&for_explorer=1' ) assert resp_1.status_code == status.HTTP_200_OK assert resp_1.json()['meta']['total_count'] == 1 assert resp_1.json()['items'][0]['id'] == env.listing_1.pk resp_2 = env.moderator_2_client.get( f'/admin/api/v2beta/pages/?child_of={env.landing_2.pk}&for_explorer=1' ) assert resp_2.status_code == status.HTTP_200_OK assert resp_2.json()['meta']['total_count'] == 1 assert resp_2.json()['items'][0]['id'] == env.listing_2.pk
def test_admins_should_be_able_to_access_all_pages_in_any_branch(root_page): env = two_branches_with_users(root_page) resp_1 = env.admin_client.get( f'/admin/api/v2beta/pages/?child_of={env.landing_1.pk}&for_explorer=1' ) assert resp_1.status_code == status.HTTP_200_OK resp_2 = env.admin_client.get( f'/admin/api/v2beta/pages/?child_of={env.landing_2.pk}&for_explorer=1' ) assert resp_2.status_code == status.HTTP_200_OK resp_3 = env.admin_client.get( f'/admin/api/v2beta/pages/?child_of={env.article_1.pk}&for_explorer=1' ) assert resp_3.status_code == status.HTTP_200_OK resp_4 = env.admin_client.get( f'/admin/api/v2beta/pages/?child_of={env.article_2.pk}&for_explorer=1' ) assert resp_4.status_code == status.HTTP_200_OK
def test_admins_can_reject_revision(root_page): env = two_branches_with_users(root_page) new_title = 'The title was modified' env.article_1.title = new_title revision = env.article_1.save_revision( user=env.editor_1, submitted_for_moderation=True ) # Reject request for moderation resp_1 = env.admin_client.post( reverse('wagtailadmin_pages:reject_moderation', args=[revision.pk]) ) assert resp_1.status_code == status.HTTP_302_FOUND assert resp_1.url == '/admin/' # Verify if rejection is visible resp_2 = env.admin_client.get( reverse('wagtailadmin_pages:revisions_index', args=[env.article_1.pk]) ) assert resp_2.status_code == status.HTTP_200_OK assert 'rejected for publication' in resp_2.content.decode()
def test_moderators_can_approve_revisions_only_for_pages_in_their_branch( root_page ): env = two_branches_with_users(root_page) new_title = 'The title was modified' env.article_2.title = new_title revision = env.article_2.save_revision( user=env.editor_2, submitted_for_moderation=True ) resp_1 = env.moderator_1_client.post( reverse('wagtailadmin_pages:approve_moderation', args=[revision.pk]) ) assert resp_1.status_code == status.HTTP_403_FORBIDDEN # after publishing a page, user is redirected to the '/admin/' page resp_2 = env.moderator_2_client.post( reverse('wagtailadmin_pages:approve_moderation', args=[revision.pk]), follow=True, ) assert resp_2.status_code == status.HTTP_200_OK