@@ -77,11 +77,6 @@ def edit_url(self, setting):
7777class TestGenericSettingCreateView (BaseTestGenericSettingView ):
7878 def setUp (self ):
7979 self .user = self .login ()
80- self .user .user_permissions .add (
81- Permission .objects .get (
82- content_type__app_label = "wagtailadmin" , codename = "access_admin"
83- )
84- )
8580
8681 def test_get_edit (self ):
8782 response = self .get ()
@@ -113,11 +108,62 @@ def test_file_upload_multipart(self):
113108 # Ensure the form supports file uploads
114109 self .assertContains (response , 'enctype="multipart/form-data"' )
115110
116- def test_create_restricted_field_without_permission (self ):
111+ def test_create_restricted_field_without_any_permission (self ):
112+ # User has no permissions over the setting model, only access to the admin
117113 self .user .is_superuser = False
118114 self .user .save ()
115+ self .user .user_permissions .add (
116+ Permission .objects .get (
117+ content_type__app_label = "wagtailadmin" , codename = "access_admin"
118+ ),
119+ )
119120
120121 self .assertFalse (TestPermissionedGenericSetting .objects .exists ())
122+ # GET should redirect away with permission denied
123+ response = self .get (setting = TestPermissionedGenericSetting )
124+ self .assertRedirects (response , status_code = 302 , expected_url = "/admin/" )
125+
126+ # the GET might create a setting object, depending on when the permission check is done,
127+ # so remove any created objects prior to testing the POST
128+ TestPermissionedGenericSetting .objects .all ().delete ()
129+
130+ # POST should redirect away with permission denied
131+ response = self .post (
132+ post_data = {"sensitive_email" : "test@example.com" , "title" : "test" },
133+ setting = TestPermissionedGenericSetting ,
134+ )
135+ self .assertRedirects (response , status_code = 302 , expected_url = "/admin/" )
136+
137+ # The retrieved setting should contain none of the submitted data
138+ setting = TestPermissionedGenericSetting .load ()
139+ self .assertEqual (setting .title , "" )
140+ self .assertEqual (setting .sensitive_email , "" )
141+
142+ def test_create_restricted_field_without_field_permission (self ):
143+ # User has edit permission over the setting model, but not the sensitive_email field
144+ self .user .is_superuser = False
145+ self .user .save ()
146+ self .user .user_permissions .add (
147+ Permission .objects .get (
148+ content_type__app_label = "wagtailadmin" , codename = "access_admin"
149+ ),
150+ Permission .objects .get (
151+ content_type__app_label = "tests" ,
152+ codename = "change_testpermissionedgenericsetting" ,
153+ ),
154+ )
155+
156+ self .assertFalse (TestPermissionedGenericSetting .objects .exists ())
157+ # GET should provide a form with title but not sensitive_email
158+ response = self .get (setting = TestPermissionedGenericSetting )
159+ self .assertEqual (response .status_code , 200 )
160+ self .assertIn ("title" , list (response .context ["form" ].fields ))
161+ self .assertNotIn ("sensitive_email" , list (response .context ["form" ].fields ))
162+
163+ # the GET creates a setting object, so remove any created objects prior to testing the POST
164+ TestPermissionedGenericSetting .objects .all ().delete ()
165+
166+ # POST should allow the title to be set, but not the sensitive_email
121167 response = self .post (
122168 post_data = {"sensitive_email" : "test@example.com" , "title" : "test" },
123169 setting = TestPermissionedGenericSetting ,
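Review bot: The comment `# the GET might create a setting object, depending on when the permission check is done` at the top of `test_create_restricted_field_without_any_permission` tolerates a database write triggered by a user who has no permission on the model, and the following `objects.all().delete()` hides it. The test should instead pin the expected behaviour: after the GET redirect, add `self.assertFalse(TestPermissionedGenericSetting.objects.exists())` so that a permission check that runs only after the setting row is created fails the test rather than passing silently. If the view does currently create the row on an unauthorised GET, that is a view-side issue worth fixing (or at least documenting with a TODO in the test) rather than being absorbed into test cleanup; the delete line can then be dropped, and the same assertion is reasonable before the POST as well. The enclosing class continues outside this hunk.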
@@ -129,11 +175,31 @@ def test_create_restricted_field_without_permission(self):
129175 self .assertEqual (settings .sensitive_email , "" )
130176
131177 def test_create_restricted_field (self ):
178+ # User has edit permission over the setting model, including the sensitive_email field
132179 self .user .is_superuser = False
133180 self .user .save ()
134181 self .user .user_permissions .add (
135- Permission .objects .get (codename = "can_edit_sensitive_email_generic_setting" )
182+ Permission .objects .get (
183+ content_type__app_label = "wagtailadmin" , codename = "access_admin"
184+ ),
185+ Permission .objects .get (
186+ content_type__app_label = "tests" ,
187+ codename = "change_testpermissionedgenericsetting" ,
188+ ),
189+ Permission .objects .get (codename = "can_edit_sensitive_email_generic_setting" ),
136190 )
191+
192+ self .assertFalse (TestPermissionedGenericSetting .objects .exists ())
193+ # GET should provide a form with title and sensitive_email
194+ response = self .get (setting = TestPermissionedGenericSetting )
195+ self .assertEqual (response .status_code , 200 )
196+ self .assertIn ("title" , list (response .context ["form" ].fields ))
197+ self .assertIn ("sensitive_email" , list (response .context ["form" ].fields ))
198+
199+ # the GET creates a setting object, so remove any created objects prior to testing the POST
200+ TestPermissionedGenericSetting .objects .all ().delete ()
201+
202+ # POST should allow both title and sensitive_email to be set
137203 self .assertFalse (TestPermissionedGenericSetting .objects .exists ())
138204 response = self .post (
139205 post_data = {"sensitive_email" : "test@example.com" , "title" : "test" },
@@ -153,11 +219,6 @@ def setUp(self):
153219 self .test_setting .save ()
154220
155221 self .user = self .login ()
156- self .user .user_permissions .add (
157- Permission .objects .get (
158- content_type__app_label = "wagtailadmin" , codename = "access_admin"
159- )
160- )
161222
162223 def test_get_edit (self ):
163224 response = self .get ()
@@ -206,48 +267,115 @@ def test_for_request(self):
206267 )
207268
208269 def test_edit_restricted_field (self ):
270+ # User has edit permission over the setting model, including the sensitive_email field
209271 test_setting = TestPermissionedGenericSetting ()
210272 test_setting .sensitive_email = "test@example.com"
273+ test_setting .title = "Old title"
211274 test_setting .save ()
212275 self .user .is_superuser = False
213276 self .user .save ()
214277
215278 self .user .user_permissions .add (
216- Permission .objects .get (codename = "can_edit_sensitive_email_generic_setting" )
279+ Permission .objects .get (
280+ content_type__app_label = "wagtailadmin" , codename = "access_admin"
281+ ),
282+ Permission .objects .get (
283+ content_type__app_label = "tests" ,
284+ codename = "change_testpermissionedgenericsetting" ,
285+ ),
286+ Permission .objects .get (codename = "can_edit_sensitive_email_generic_setting" ),
217287 )
218288
289+ # GET should provide a form with title and sensitive_email
219290 response = self .get (setting = TestPermissionedGenericSetting )
220291 self .assertEqual (response .status_code , 200 )
292+ self .assertIn ("title" , list (response .context ["form" ].fields ))
221293 self .assertIn ("sensitive_email" , list (response .context ["form" ].fields ))
222294
295+ # POST should allow both title and sensitive_email to be set
223296 response = self .post (
224297 setting = TestPermissionedGenericSetting ,
225- post_data = {"sensitive_email" : "test-updated@example.com" , "title" : "title" },
298+ post_data = {
299+ "sensitive_email" : "test-updated@example.com" ,
300+ "title" : "New title" ,
301+ },
226302 )
227303 self .assertEqual (response .status_code , 302 )
228304
229305 test_setting .refresh_from_db ()
230306 self .assertEqual (test_setting .sensitive_email , "test-updated@example.com" )
307+ self .assertEqual (test_setting .title , "New title" )
231308
232- def test_edit_restricted_field_without_permission (self ):
309+ def test_edit_restricted_field_without_field_permission (self ):
310+ # User has edit permission over the setting model, but not the sensitive_email field
233311 test_setting = TestPermissionedGenericSetting ()
234312 test_setting .sensitive_email = "test@example.com"
313+ test_setting .title = "Old title"
235314 test_setting .save ()
236315 self .user .is_superuser = False
237316 self .user .save ()
317+ self .user .user_permissions .add (
318+ Permission .objects .get (
319+ content_type__app_label = "wagtailadmin" , codename = "access_admin"
320+ ),
321+ Permission .objects .get (
322+ content_type__app_label = "tests" ,
323+ codename = "change_testpermissionedgenericsetting" ,
324+ ),
325+ )
238326
327+ # GET should provide a form with title but not sensitive_email
239328 response = self .get (setting = TestPermissionedGenericSetting )
240329 self .assertEqual (response .status_code , 200 )
330+ self .assertIn ("title" , list (response .context ["form" ].fields ))
241331 self .assertNotIn ("sensitive_email" , list (response .context ["form" ].fields ))
242332
333+ # POST should allow the title to be set, but not the sensitive_email
243334 response = self .post (
244335 setting = TestPermissionedGenericSetting ,
245- post_data = {"sensitive_email" : "test-updated@example.com" , "title" : "title" },
336+ post_data = {
337+ "sensitive_email" : "test-updated@example.com" ,
338+ "title" : "New title" ,
339+ },
246340 )
247341 self .assertEqual (response .status_code , 302 )
248342
249343 test_setting .refresh_from_db ()
250344 self .assertEqual (test_setting .sensitive_email , "test@example.com" )
345+ self .assertEqual (test_setting .title , "New title" )
346+
347+ def test_edit_restricted_field_without_any_permission (self ):
348+ # User has no permissions over the setting model, only access to the admin
349+ test_setting = TestPermissionedGenericSetting ()
350+ test_setting .sensitive_email = "test@example.com"
351+ test_setting .title = "Old title"
352+ test_setting .save ()
353+ self .user .is_superuser = False
354+ self .user .save ()
355+ self .user .user_permissions .add (
356+ Permission .objects .get (
357+ content_type__app_label = "wagtailadmin" , codename = "access_admin"
358+ ),
359+ )
360+
361+ # GET should redirect away with permission denied
362+ response = self .get (setting = TestPermissionedGenericSetting )
363+ self .assertRedirects (response , status_code = 302 , expected_url = "/admin/" )
364+
365+ # POST should redirect away with permission denied
366+ response = self .post (
367+ setting = TestPermissionedGenericSetting ,
368+ post_data = {
369+ "sensitive_email" : "test-updated@example.com" ,
370+ "title" : "new title" ,
371+ },
372+ )
373+ self .assertRedirects (response , status_code = 302 , expected_url = "/admin/" )
374+
375+ # The retrieved setting should be unchanged
376+ test_setting .refresh_from_db ()
377+ self .assertEqual (test_setting .sensitive_email , "test@example.com" )
378+ self .assertEqual (test_setting .title , "Old title" )
251379
252380
253381class TestAdminPermission (WagtailTestUtils , TestCase ):