Ensure that locked pages can't be unpublished.

Fixes #1615
wagtail · Nov 24, 2015 · 88e4770 · 88e4770
1 parent f4968de
commit 88e4770
Show file tree

Hide file tree

Showing 7 changed files with 29 additions and 6 deletions.
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
@@ -9,6 +9,7 @@ Changelog
  * Added `.alt` attribute to image renditions
  * The default `src`, `width`, `height` and `alt` attributes can now be overridden by attributes passed to the `{% image %}` tag
  * Fix: HTTP cache purge now works again on Python 2 (Mitchel Cabuloy)
+ * Fix: Locked pages can no longer be unpublished (Alex Bridge)
 
 1.2 (12.11.2015)
 ~~~~~~~~~~~~~~~~

diff --git a/CONTRIBUTORS.rst b/CONTRIBUTORS.rst
@@ -80,6 +80,7 @@ Contributors
 * Sergey Nikitin
 * John Draper
 * Rich Brennan
+* Alex Bridge
 
 
 Translators

diff --git a/docs/releases/1.3.rst b/docs/releases/1.3.rst
@@ -24,6 +24,7 @@ Bug fixes
 ~~~~~~~~~
 
  * HTTP cache purge now works again on Python 2 (Mitchel Cabuloy)
+ * Locked pages can no longer be unpublished (Alex Bridge)
 
 
 Upgrade considerations

diff --git a/wagtail/tests/testapp/fixtures/test.json b/wagtail/tests/testapp/fixtures/test.json
@@ -23,7 +23,7 @@
     "model": "wagtailcore.page",
     "fields": {
         "title": "Welcome to the Wagtail test site!",
-        "numchild": 5,
+        "numchild": 6,
         "show_in_menus": false,
         "live": true,
         "depth": 2,
@@ -33,7 +33,6 @@
         "slug": "home"
     }
 },
-
 {
     "pk": 3,
     "model": "wagtailcore.page",
@@ -379,7 +378,22 @@
         "cost": "free"
     }
 },
-
+{
+    "pk": 14,
+    "model": "wagtailcore.page",
+    "fields": {
+        "title": "My locked page",
+        "numchild": 0,
+        "show_in_menus": true,
+        "live": true,
+        "depth": 3,
+        "content_type": ["wagtailcore", "page"],
+        "path": "000100010006",
+        "url_path": "/home/my-locked-page/",
+        "slug": "my-locked-page",
+        "locked": true
+    }
+},
 {
     "pk": 1,
     "model": "wagtailcore.site",

diff --git a/wagtail/wagtailadmin/templates/wagtailadmin/pages/confirm_delete.html b/wagtail/wagtailadmin/templates/wagtailadmin/pages/confirm_delete.html
@@ -1,5 +1,5 @@
 {% extends "wagtailadmin/base.html" %}
-{% load i18n %}
+{% load i18n wagtailadmin_tags %}
 {% block titletag %}{% blocktrans with title=page.title %}Delete {{ title }}{% endblocktrans %}{% endblock %}
 
 {% block content %}
@@ -17,12 +17,13 @@
                 {% endblocktrans %}
             {% endif %}
         </p>
-        {% if page.live %}
+        {% page_permissions page as page_perms %}
+        {% if page_perms.can_unpublish %}
             <p>{% trans "Alternatively you can unpublish the page. This removes the page from public view and you can edit or publish it again later." %}</p>
         {% endif %}
         <form action="{% url 'wagtailadmin_pages:delete' page.id %}" method="POST">
             {% csrf_token %}
-            <input type="submit" value="{% trans 'Delete it' %}" class="serious {% if page.live %}button-secondary{% endif %}"> {% if page.live %}<a href="{% url 'wagtailadmin_pages:unpublish' page.id %}" class="button">{% trans 'Unpublish it' %}</a>{% endif %}
+            <input type="submit" value="{% trans 'Delete it' %}" class="serious {% if page.live %}button-secondary{% endif %}"> {% if page_perms.can_unpublish %}<a href="{% url 'wagtailadmin_pages:unpublish' page.id %}" class="button">{% trans 'Unpublish it' %}</a>{% endif %}
         </form>
     </div>
 {% endblock %}
diff --git a/wagtail/wagtailcore/models.py b/wagtail/wagtailcore/models.py
@@ -1352,6 +1352,8 @@ def can_unpublish(self):
             return False
         if (not self.page.live) or self.page_is_root:
             return False
+        if self.page.locked:
+            return False
 
         return self.user.is_superuser or ('publish' in self.permissions)
 

diff --git a/wagtail/wagtailcore/tests/test_page_permissions.py b/wagtail/wagtailcore/tests/test_page_permissions.py
@@ -303,10 +303,13 @@ def test_editable_pages_for_non_editing_user(self):
     def test_lock_page_for_superuser(self):
         user = get_user_model().objects.get(username='superuser')
         christmas_page = EventPage.objects.get(url_path='/home/events/christmas/')
+        locked_page = Page.objects.get(url_path='/home/my-locked-page/')
 
         perms = UserPagePermissionsProxy(user).for_page(christmas_page)
+        locked_perms = UserPagePermissionsProxy(user).for_page(locked_page)
 
         self.assertTrue(perms.can_lock())
+        self.assertFalse(locked_perms.can_unpublish())  # locked pages can't be unpublished
 
     def test_lock_page_for_moderator(self):
         user = get_user_model().objects.get(username='eventmoderator')