Redirect away from user bulk actions when user has no permissions on …
…users
gasman committed Oct 19, 2023
1 parent 190af78 commit bc96aed
Showing 2 changed files with 21 additions and 2 deletions.
13 changes: 13 additions & 0 deletions wagtail/users/tests/test_bulk_actions/test_bulk_delete.py
@@ -1,4 +1,5 @@
from django.contrib.auth import get_user_model
from django.contrib.auth.models import Permission
from django.http import HttpRequest, HttpResponse
from django.test import TestCase
from django.urls import reverse
@@ -51,6 +52,18 @@ def test_simple(self):
response, "wagtailusers/bulk_actions/confirm_bulk_delete.html"
)

def test_user_permissions_required(self):
# Log in with a user that doesn't have permission to delete users
user = self.create_user(username="editor", password="password")
admin_permission = Permission.objects.get(
content_type__app_label="wagtailadmin", codename="access_admin"
)
user.user_permissions.add(admin_permission)
self.login(username="editor", password="password")

response = self.client.get(self.url)
self.assertRedirects(response, "/admin/")

def test_bulk_delete(self):
response = self.client.post(self.url)
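Review bot: `test_user_permissions_required` exercises only `self.client.get(self.url)`, so the permission gate is never checked on the POST that actually deletes users. Add a second request in the same test, `response = self.client.post(self.url)` followed by `self.assertRedirects(response, "/admin/")`, and assert afterwards that the targeted users still exist, so a regression that guards only the confirmation page would be caught. The hard-coded `"/admin/"` could also be `reverse("wagtailadmin_home")`, since `reverse` is already imported at the top of the file. The test class begins outside the visible hunks and `test_bulk_delete` continues past the end of this one.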

10 changes: 8 additions & 2 deletions wagtail/users/views/bulk_actions/user_bulk_action.py
@@ -1,11 +1,17 @@
from django.contrib.auth import get_user_model

from wagtail.admin.views.bulk_action import BulkAction
from wagtail.admin.views.generic.permissions import PermissionCheckedMixin
from wagtail.permission_policies import ModelPermissionPolicy
from wagtail.users.views.users import get_users_filter_query

User = get_user_model()

class UserBulkAction(BulkAction):
models = [get_user_model()]

class UserBulkAction(PermissionCheckedMixin, BulkAction):
models = [User]
permission_policy = ModelPermissionPolicy(User)
any_permission_required = ["add", "change", "delete"]

def get_all_objects_in_listing_query(self, parent_id):
listing_objects = self.model.objects.all().values_list("pk", flat=True)
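Review bot: `any_permission_required = ["add", "change", "delete"]` on the shared base class admits any user holding just one of those permissions, so an account with only "add" or "change" on the user model passes this gate for every bulk action built on `UserBulkAction`, presumably including delete. The subclasses are not shown here; if they do not perform their own per-action check, narrow the gate there, for example `permission_required = "delete"` on the delete action. Either way the class deserves a comment such as `# Coarse gate: any user-model permission passes; each action must still enforce its own permission.` The class body continues beyond the end of this hunk.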