chore: enforce wagtail permissions (#205)

Signed-off-by: maxwellgithinji <maxwellgithinji@gmail.com>
savannahghi · Apr 17, 2023 · 90ad428 · 90ad428
1 parent cc8839a
commit 90ad428
Show file tree

Hide file tree

Showing 3 changed files with 86 additions and 80 deletions.
diff --git a/mycarehub/content/signals.py b/mycarehub/content/signals.py
@@ -1,13 +1,23 @@
 from django.conf import settings
+from django.contrib.auth.models import Group, Permission
 from django.contrib.contenttypes.models import ContentType
 from django.core.exceptions import ObjectDoesNotExist
 from django.db.models import F
 from django.db.models.signals import post_delete, post_save
 from django.dispatch import receiver
-from wagtail.models import Page, Site
+from wagtail.documents.models import Document
+from wagtail.images.models import Image
+from wagtail.models import Collection, GroupCollectionPermission, GroupPagePermission, Page, Site
+from wagtailmedia.models import Media
 
 from mycarehub.common.models import Program
-from mycarehub.content.models import ContentBookmark, ContentItem, ContentLike
+from mycarehub.content.models import (
+    Author,
+    ContentBookmark,
+    ContentItem,
+    ContentItemCategory,
+    ContentLike,
+)
 from mycarehub.home.models import HomePage
 
 from .models import ContentItemIndexPage
@@ -62,6 +72,78 @@ def create_program_content_index_page(sender, instance, created, **kwargs):
     content_item_index.save()
 
 
+# receiver that runs after creation of content item index page
+@receiver(post_save, sender=ContentItemIndexPage)
+def create_program_content_editor_permissions(sender, instance, created, **kwargs):
+    group = Group.objects.create(name=f"{instance.program.name} Editor")
+
+    can_access_wagtail_admin = Permission.objects.get(
+        content_type=ContentType.objects.get(app_label="wagtailadmin", model="admin"),
+        codename="access_admin",
+    )
+    group.permissions.add(can_access_wagtail_admin)
+
+    allowed_author_permissions = ["add_author", "change_author"]
+    for permission in allowed_author_permissions:
+        permission_object = Permission.objects.get(
+            content_type=ContentType.objects.get_for_model(Author), codename=permission
+        )
+        group.permissions.add(permission_object)
+
+    allowed_content_category_permissions = [
+        "add_contentitemcategory",
+        "change_contentitemcategory",
+    ]
+    for permission in allowed_content_category_permissions:
+        permission_object = Permission.objects.get(
+            content_type=ContentType.objects.get_for_model(ContentItemCategory),
+            codename=permission,
+        )
+        group.permissions.add(permission_object)
+
+    allowed_page_permissions = ["add", "edit", "publish"]
+    for permission in allowed_page_permissions:
+        GroupPagePermission.objects.create(group=group, page=instance, permission_type=permission)
+
+    root_collection = Collection.get_first_root_node()
+    allowed_image_permissions = ["add_image", "choose_image", "change_image", "delete_image"]
+    for permission in allowed_image_permissions:
+        GroupCollectionPermission.objects.create(
+            group=group,
+            collection=root_collection,
+            permission=Permission.objects.get(
+                content_type=ContentType.objects.get_for_model(Image), codename=permission
+            ),
+        )
+
+    allowed_document_permissions = [
+        "add_document",
+        "choose_document",
+        "change_document",
+        "delete_document",
+    ]
+
+    for permission in allowed_document_permissions:
+        GroupCollectionPermission.objects.create(
+            group=group,
+            collection=root_collection,
+            permission=Permission.objects.get(
+                content_type=ContentType.objects.get_for_model(Document), codename=permission
+            ),
+        )
+
+    allowed_media_permissions = ["add_media", "delete_media", "change_media"]
+
+    for permission in allowed_media_permissions:
+        GroupCollectionPermission.objects.create(
+            group=group,
+            collection=root_collection,
+            permission=Permission.objects.get(
+                content_type=ContentType.objects.get_for_model(Media), codename=permission
+            ),
+        )
+
+
 @receiver(post_delete, sender=ContentLike)
 def reduce_like_count(sender, instance, *args, **kwargs):
     ContentItem.objects.filter(id=instance.content_item.id).update(like_count=F("like_count") - 1)

diff --git a/mycarehub/content/tests/test_wagtail_hooks.py b/mycarehub/content/tests/test_wagtail_hooks.py
@@ -2,17 +2,14 @@
 from django.core.exceptions import ValidationError
 from django.utils import timezone
 from model_bakery import baker
-from wagtail.admin.menu import MenuItem
 from wagtail.models import Page, Site
 
-from mycarehub.content.models import Author, ContentItem, ContentItemIndexPage, CustomMedia
+from mycarehub.content.models import Author, ContentItem, CustomMedia
 from mycarehub.content.wagtail_hooks import (
     before_publish_page,
     chooser_show_organisation_pages_only,
     construct_homepage_summary_items,
-    explorer_show_organisation_pages_only,
     get_global_admin_js,
-    hide_explorer_menu_item_from_non_superuser,
     set_organisation_after_page_create,
     set_organisation_after_snippet_create,
     show_organisation_documents_only,
@@ -131,47 +128,6 @@ def test_set_content_item_program_after_page_create(
     set_organisation_after_page_create(request=request_with_user, page=content_item)
 
 
-def test_explorer_show_organisation_pages_only(request_with_user, homepage, content_item_index):
-    # get a hero image
-    hero = baker.make("content.CustomImage", _create_files=True)
-
-    # set up a content item
-    author = baker.make(Author)
-    content_item = ContentItem(
-        title="An article",
-        slug="article-1",
-        intro="intro",
-        body="body",
-        item_type="ARTICLE",
-        date=timezone.now().date(),
-        author=author,
-        hero_image=hero,
-        organisation=request_with_user.user.organisation,
-    )
-    content_item_index.add_child(instance=content_item)
-    content_item_index.save_revision().publish()
-
-    content_item_index_two = ContentItemIndexPage(
-        title="Content Item Index Two",
-        slug="articlez",
-        intro="content",
-        organisation=request_with_user.user.organisation,
-    )
-
-    homepage.add_child(instance=content_item_index_two)
-    homepage.save_revision().publish()
-
-    pages = Page.objects.all()
-
-    explorer_show_organisation_pages_only(
-        parent_page=Page.get_first_root_node(), pages=pages, request=request_with_user
-    )
-
-    explorer_show_organisation_pages_only(
-        parent_page=content_item_index, pages=ContentItem.objects.all(), request=request_with_user
-    )
-
-
 def test_chooser_show_organisation_pages_only(
     request_with_user, content_item_with_tag_and_category, content_item_index
 ):
@@ -213,18 +169,6 @@ def test_show_organisation_media_only(request_with_user):
     show_organisation_media_only(media=CustomMedia.objects.all(), request=request_with_user)
 
 
-def test_hide_explorer_menu_item_from_non_superuser(request_with_user, admin_user):
-    hide_explorer_menu_item_from_non_superuser(
-        request=request_with_user, menu_items=[MenuItem("settings", "sample/")]
-    )
-
-    request_with_user.user = admin_user
-
-    hide_explorer_menu_item_from_non_superuser(
-        request=request_with_user, menu_items=[MenuItem("settings", "sample/")]
-    )
-
-
 def test_show_organisation_documents_only(request_with_user):
     documents = show_organisation_documents_only([], request_with_user)
 

diff --git a/mycarehub/content/wagtail_hooks.py b/mycarehub/content/wagtail_hooks.py
@@ -6,7 +6,7 @@
 from wagtail.models import Page
 from wagtail.snippets.models import register_snippet
 
-from .models import Author, ContentItem, ContentItemCategory, ContentItemIndexPage
+from .models import Author, ContentItem, ContentItemCategory
 from .views import AuthorSnippetViewSet, ContentItemCategorySnippetViewSet, author_chooser_viewset
 
 
@@ -70,20 +70,6 @@ def set_organisation_after_page_create(request, page):
     page.save()
 
 
-@hooks.register("construct_explorer_page_queryset")
-def explorer_show_organisation_pages_only(parent_page, pages, request):
-    if parent_page.is_root():
-        pages = pages.exact_type(ContentItemIndexPage)
-
-        index_pages = ContentItemIndexPage.objects.filter(organisation=request.user.organisation)
-        for page in index_pages:
-            pages = pages | Page.objects.page(page)
-
-        return pages
-
-    return pages
-
-
 @hooks.register("construct_page_chooser_queryset")
 def chooser_show_organisation_pages_only(pages, request):
     for page in pages:
@@ -122,12 +108,6 @@ def register_author_chooser_viewset():
     return author_chooser_viewset
 
 
-@hooks.register("construct_main_menu")
-def hide_explorer_menu_item_from_non_superuser(request, menu_items):
-    if not request.user.is_superuser:
-        menu_items[:] = [item for item in menu_items if item.name not in ["settings", "reports"]]
-
-
 @hooks.register("construct_homepage_summary_items")
 def construct_homepage_summary_items(request, summary_items):
     summary_items.clear()