
Added more tests for view permission in menu

Fixed an issue where PagePermission objects were not respected in cms.menu.get_visible_pages
1 parent 2a78372 commit b8b54ba400ac69b05a674cd7abf8c2df9c9bab88 Jonas Obrist committed Aug 5, 2011
Showing with 93 additions and 19 deletions.
  1. +22 −3 cms/menu.py
  2. +71 −16 cms/tests/menu.py
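--- a/cms/menu.py
+++ b/cms/menu.py
@@ -1,4 +1,5 @@
 # -*- coding: utf-8 -*-
+from collections import defaultdict
 from cms.apphook_pool import apphook_pool
 from cms.models.moderatormodels import (ACCESS_DESCENDANTS,
 ACCESS_PAGE_AND_DESCENDANTS, ACCESS_CHILDREN, ACCESS_PAGE_AND_CHILDREN)
@@ -31,8 +32,11 @@ def get_visible_pages(request, pages, site=None):
 )
 pages_perms_q |= page_q
 pages_perms_q &= Q(can_view=True)
- page_permissions = PagePermission.objects.filter(pages_perms_q).select_related('page')
- restriced_pages = [page_permission.page.pk for page_permission in page_permissions]
+ page_permissions = PagePermission.objects.filter(pages_perms_q).select_related('page', 'group__users')
+
+ restricted_pages = defaultdict(list)
+ for perm in page_permissions:
+ restricted_pages[perm.page.pk].append(perm)
 if site is None:
 site = current_site(request)
@@ -50,9 +54,22 @@ def has_global_perm():
 return bool(has_global_perm.cache)
 has_global_perm.cache = -1
+ def has_permission(page):
+ """
+ PagePermission tests
+ """
+ for perm in restricted_pages[page.pk]:
+ if perm.user_id == request.user.pk:
+ return True
+ for perm in restricted_pages[page.pk]:
+ if not perm.group_id:
+ continue
+ if request.user.pk in perm.group.user_set.values_list('id', flat=True):
+ return True
+ return False
 for page in pages:
- is_restricted = page.pk in restriced_pages
+ is_restricted = page.pk in restricted_pages
 if request.user.is_authenticated():
 # a global permission was given to the request's user
@@ -61,6 +78,8 @@ def has_global_perm():
 # authenticated user, no restriction and public for all
 elif settings.CMS_PUBLIC_FOR == 'all':
 page_ids.append(page.pk)
+ elif has_permission(page):
+ page_ids.append(page.pk)
 elif has_global_perm():
 page_ids.append(page.pk)
 elif not is_restricted and settings.CMS_PUBLIC_FOR == 'all':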
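Review bot: The new `elif has_permission(page):` branch sits after `elif settings.CMS_PUBLIC_FOR == 'all':`, and that earlier condition does not test `is_restricted` even though its comment reads "no restriction and public for all"; as far as the visible chain shows, an authenticated user with no PagePermission still gets a view-restricted page in the menu when CMS_PUBLIC_FOR is 'all'. The anonymous branch already guards with `not is_restricted`, so the authenticated one would be consistent as `elif not is_restricted and settings.CMS_PUBLIC_FOR == 'all':`. Separately, `has_permission` runs `perm.group.user_set.values_list('id', flat=True)` once per group permission per page; reading the user's group ids once before the loop and testing `perm.group_id in user_group_ids` would keep the query count independent of the number of restricted pages, and `select_related('page', 'group__users')` probably cannot follow a many-to-many relation, so it may not be saving the query it appears to. The if/elif chain begins outside the hunk, so this should be confirmed against the full function.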
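--- a/cms/tests/menu.py
+++ b/cms/tests/menu.py
@@ -10,7 +10,7 @@
 from cms.test_utils.util.context_managers import SettingsOverride
 from cms.test_utils.util.mock import AttributeObject
 from django.conf import settings
-from django.contrib.auth.models import AnonymousUser, User, Permission
+from django.contrib.auth.models import AnonymousUser, User, Permission, Group
 from django.contrib.contenttypes.models import ContentType
 from django.contrib.sites.models import Site
 from django.template import Template
@@ -990,27 +990,82 @@ def test_unauthed_no_access(self):
 def test_unauthed_no_access_num_queries(self):
 site = Site()
 site.pk = 1
+ request = self.get_request()
+ page = Page()
+ page.pk = 1
+ page.level = 0
+ page.tree_id = 1
+ pages = [page]
+ with self.assertNumQueries(1):
+ get_visible_pages(request, pages, site)
+
+ def test_page_permissions(self):
 with SettingsOverride(CMS_PUBLIC_FOR='staff'):
- request = self.get_request()
+ user = User.objects.create_user('user', 'user@domain.com', 'user')
+ request = self.get_request(user)
+ page = create_page('A', 'nav_playground.html', 'en')
+ PagePermission.objects.create(can_view=True, user=user, page=page)
+ pages = [page]
+ result = get_visible_pages(request, pages)
+ self.assertEqual(result, [1])
+
+ def test_page_permissions_num_queries(self):
+ with SettingsOverride(CMS_PUBLIC_FOR='staff'):
+ user = User.objects.create_user('user', 'user@domain.com', 'user')
+ request = self.get_request(user)
+ page = create_page('A', 'nav_playground.html', 'en')
+ PagePermission.objects.create(can_view=True, user=user, page=page)
+ pages = [page]
+ with self.assertNumQueries(2):
+ """
+ The two queries are:
+ PagePermission query for affected pages
+ GlobalpagePermission query for user
+ """
+ get_visible_pages(request, pages)
+
+ def test_page_permissions_view_groups(self):
+ with SettingsOverride(CMS_PUBLIC_FOR='staff'):
+ user = User.objects.create_user('user', 'user@domain.com', 'user')
+ group = Group.objects.create(name='testgroup')
+ group.user_set.add(user)
+ request = self.get_request(user)
+ page = create_page('A', 'nav_playground.html', 'en')
+ PagePermission.objects.create(can_view=True, group=group, page=page)
+ pages = [page]
+ result = get_visible_pages(request, pages)
+ self.assertEqual(result, [1])
+
+ def test_page_permissions_view_groups_num_queries(self):
+ with SettingsOverride(CMS_PUBLIC_FOR='staff'):
+ user = User.objects.create_user('user', 'user@domain.com', 'user')
+ group = Group.objects.create(name='testgroup')
+ group.user_set.add(user)
+ request = self.get_request(user)
+ page = create_page('A', 'nav_playground.html', 'en')
+ PagePermission.objects.create(can_view=True, group=group, page=page)
+ pages = [page]
+ with self.assertNumQueries(3):
+ """
+ The two queries are:
+ PagePermission query for affected pages
+ GlobalpagePermission query for user
+ Group query via PagePermission
+ """
+ get_visible_pages(request, pages)
+
+ def test_global_permission(self):
+ with SettingsOverride(CMS_PUBLIC_FOR='staff'):
+ user = User.objects.create_user('user', 'user@domain.com', 'user')
+ GlobalPagePermission.objects.create(can_view=True, user=user)
+ request = self.get_request(user)
 page = Page()
 page.pk = 1
 page.level = 0
 page.tree_id = 1
 pages = [page]
- with self.assertNumQueries(1):
- get_visible_pages(request, pages, site)
-
- def test_global_permission(self):
- user = User.objects.create_user('user', 'user@domain.com', 'user')
- GlobalPagePermission.objects.create(can_view=True, user=user)
- request = self.get_request(user)
- page = Page()
- page.pk = 1
- page.level = 0
- page.tree_id = 1
- pages = [page]
- result = get_visible_pages(request, pages)
- self.assertEqual(result, [1])
+ result = get_visible_pages(request, pages)
+ self.assertEqual(result, [1])
 def test_global_permission_num_queries(self):
 site = Site()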
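Review bot: Every added test asserts that a permission grants access (`self.assertEqual(result, [1])`); none asserts that an authenticated user without a PagePermission, or outside the permitted group, is kept out of the restricted page, which is the case an access-control fix most needs pinned. A denial test along the lines below would cover the per-user path, and a matching one with a second group would cover the group path; the expected empty list follows from the branches visible in cms/menu.py and should be confirmed against the full function. The grant tests also hard-code `[1]` for a page made by `create_page`, where `[page.pk]` would not depend on primary-key allocation. The string inside `with self.assertNumQueries(3):` says "The two queries are" but lists three.

```python
    def test_page_permissions_other_user_denied(self):
        with SettingsOverride(CMS_PUBLIC_FOR='staff'):
            owner = User.objects.create_user('user', 'user@domain.com', 'user')
            other = User.objects.create_user('other', 'other@domain.com', 'other')
            page = create_page('A', 'nav_playground.html', 'en')
            PagePermission.objects.create(can_view=True, user=owner, page=page)
            # the permission belongs to `owner`; `other` must not see the page
            request = self.get_request(other)
            self.assertEqual(get_visible_pages(request, [page]), [])
```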
