added test and check for permission on copy plugins.

treyhunner · Jun 29, 2011 · 34b8cbf · 34b8cbf
1 parent 45f3121
commit 34b8cbf
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 10 deletions.
diff --git a/cms/admin/pageadmin.py b/cms/admin/pageadmin.py
@@ -1162,6 +1162,11 @@ def copy_plugins(self, request):
             return HttpResponseBadRequest(_("Language must be different than the copied language!"))
         plugins = list(placeholder.cmsplugin_set.filter(language=copy_from).order_by('tree_id', '-rght'))
 
+        # check permissions before copy the plugins:
+        for plugin in plugins:
+            if not has_plugin_permission(request.user, plugin.plugin_type, "add"):
+                return HttpResponseForbidden("You do not have permission to add plugins")
+
         copy_plugins.copy_plugins_to(plugins, placeholder, language)
 
         if page and "reversion" in settings.INSTALLED_APPS:

diff --git a/cms/tests/admin.py b/cms/tests/admin.py
@@ -761,6 +761,15 @@ def _give_cms_permissions(self, user, save=True):
         gpp.sites = Site.objects.all()
         if save:
             user.save()
+
+    def _create_page_and_plugin(self):
+        # The admin creates the page and the plugin
+        admin = self._get_admin()
+        site = Site.objects.get(pk=1)
+        page = create_page('Test Page', "nav_playground.html", "en",
+                           site=site, created_by=admin)
+        plugin = add_plugin(self._placeholder, 'TextPlugin', 'en')
+        return (page, plugin)
 
     def test_plugin_add_requires_permissions(self):
         """User tries to add a plugin but has no permissions. He can add the plugin after he got the permissions"""
@@ -780,16 +789,6 @@ def test_plugin_add_requires_permissions(self):
         response = client.post(url, data)
         self.assertEqual(response.status_code, HttpResponse.status_code)
 
-
-    def _create_page_and_plugin(self):
-        # The admin creates the page and the plugin
-        admin = self._get_admin()
-        site = Site.objects.get(pk=1)
-        page = create_page('Test Page', "nav_playground.html", "en",
-                           site=site, created_by=admin)
-        plugin = add_plugin(self._placeholder, 'TextPlugin', 'en')
-        return (page, plugin)
-
     def test_plugin_edit_requires_permissions(self):
         """User tries to edit a plugin but has no permissions. He can edit the plugin after he got the permissions"""
         _, plugin = self._create_page_and_plugin()
@@ -833,4 +832,22 @@ def test_plugin_move_requires_permissions(self):
         # After he got the permissions, he can edit the plugin
         self._give_permission(normal_guy, Text, 'change')
         response = client.post(url, data)
+        self.assertEqual(response.status_code, HttpResponse.status_code)
+
+    def test_plugins_copy_requires_permissions(self):
+        """User tries to copy plugin but has no permissions. He can copy plugins after he got the permissions"""
+        _, plugin = self._create_page_and_plugin()
+        _, normal_guy = self._get_guys()
+        client = Client()
+        client.login(username='test', password='test')
+        url = reverse('admin:cms_page_copy_plugins')
+        data = dict(plugin_id=plugin.id,
+                    placeholder=self._placeholder.pk,
+                    language='fr',
+                    copy_from='en')
+        response = client.post(url, data)
+        self.assertEqual(response.status_code, HttpResponseForbidden.status_code)
+        # After he got the permissions, he can edit the plugin
+        self._give_permission(normal_guy, Text, 'add')
+        response = client.post(url, data)
         self.assertEqual(response.status_code, HttpResponse.status_code)