Handle the special case when a user calls @Move on content that they cannot delete.
sneridagh committed Mar 31, 2017
1 parent f362df0 commit 3c1e938
Showing 2 changed files with 46 additions and 3 deletions.
12 changes: 9 additions & 3 deletions src/plone/restapi/services/copymove/copymove.py
Expand Up @@ -7,6 +7,8 @@
from zope.component import getMultiAdapter
from zope.interface import alsoProvides
from zope.security import checkPermission
from zExceptions import Forbidden
from zExceptions import Unauthorized

import plone

Expand Down Expand Up @@ -44,10 +46,9 @@ def reply(self):
if not checkPermission('cmf.AddPortalContent', self.context):
pm = getToolByName(self.context, 'portal_membership')
if bool(pm.isAnonymousUser()):
self.request.response.setStatus(401)
raise Unauthorized('Anonymous cannot perform this operation.')
else:
self.request.response.setStatus(403)
return
raise Forbidden('Cannot add content to the destination')

data = json_body(self.request)

Expand All @@ -67,6 +68,9 @@ def reply(self):
parents_ids = {}
for item in source:
obj = self.get_object(item)
if self.is_moving:
if not checkPermission('zope2.DeleteObjects', obj):
raise Forbidden('Cannot delete source')
if obj is not None:
parent = aq_parent(obj)
if parent in parents_ids:
Expand Down Expand Up @@ -95,6 +99,7 @@ def clipboard(self, parent, ids):
class Copy(BaseCopyMove):
"""Copies existing content objects.
"""
is_moving = False

def clipboard(self, parent, ids):
return parent.manage_copyObjects(ids=ids)
Expand All @@ -103,6 +108,7 @@ def clipboard(self, parent, ids):
class Move(BaseCopyMove):
"""Moves existing content objects.
"""
is_moving = True

def clipboard(self, parent, ids):
return parent.manage_cutObjects(ids=ids)
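Review bot: In the `reply` hunk at `@@ -67,6 +68,9`, the new `zope2.DeleteObjects` check runs before the existing `if obj is not None:` guard, so a source URL that `get_object` cannot resolve reaches `checkPermission(..., None)` instead of the None-handling path the loop already has; it is unclear from here whether that raises or merely returns False, but the check belongs under the guard: `if obj is not None:` / `    if self.is_moving and not checkPermission('zope2.DeleteObjects', obj):` / `        raise Forbidden('Cannot delete source')`. The `is_moving` flag is only set on the `Copy` and `Move` subclasses, so any other user of `BaseCopyMove` would now hit `AttributeError` on `self.is_moving`; a class attribute `is_moving = False` on the base (its definition is outside this diff) would make the default explicit. A one-line comment on the check, such as `# Moving removes the source, so the caller must also be allowed to delete it`, would record why a move needs a permission a copy does not. `reply` begins and ends outside the hunks shown.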
37 changes: 37 additions & 0 deletions src/plone/restapi/tests/test_copymove.py
Expand Up @@ -175,3 +175,40 @@ def test_copy_single_object_no_auth_raises_401(self):
)

self.assertEquals(response.status_code, 401)

def test_move_single_object_no_permissions_raises_403(self):
self.api_session.auth = ('memberuser', 'secret')
response = self.api_session.post(
'/@move',
json={
"source": self.doc1.absolute_url()
}
)

self.assertEquals(response.status_code, 403)

def test_move_single_object_no_auth_raises_401(self):
self.api_session.auth = ('nonexistent', 'secret')
response = self.api_session.post(
'/@move',
json={
"source": self.doc1.absolute_url()
}
)

self.assertEquals(response.status_code, 401)

def test_move_single_object_no_permission_delete_source_raises_403(self):
api.user.grant_roles(
username='memberuser', obj=self.folder1, roles=['Manager', ])
transaction.commit()

self.api_session.auth = ('memberuser', 'secret')
response = self.api_session.post(
'/folder1/@move',
json={
"source": self.doc1.absolute_url()
}
)

self.assertEquals(response.status_code, 403)

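Review bot: `test_move_single_object_no_permission_delete_source_raises_403` only asserts the 403 status, so it would still pass if the source were cut from its parent before the `Forbidden` was raised; adding a check that `doc1` is still present in its original container (for instance that its id is still in the parent's `objectIds()`) would pin the behaviour the commit message describes. The same applies to `test_move_single_object_no_permissions_raises_403`. As a point of style, `self.assertEquals` is a deprecated alias of `assertEqual` in `unittest`; the three new tests could use `self.assertEqual(response.status_code, 403)` to match the modern spelling. The enclosing test class starts outside this diff.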