From e1c581eb3f8b356bbc9688188732510b7edf0c7c Mon Sep 17 00:00:00 2001 From: Benjamin Dauvergne Date: Wed, 12 Aug 2020 15:16:30 +0200 Subject: [PATCH] misc: fix shown_because_admin has no role and cell.restricted_to_unlogged is True (#45846) --- combo/data/models.py | 4 +- combo/public/templatetags/combo.py | 11 +--- tests/test_cells.py | 87 +++++++++++++++++++++++++++++- tox.ini | 1 + 4 files changed, 91 insertions(+), 12 deletions(-) diff --git a/combo/data/models.py b/combo/data/models.py index 85eb1d89..ef76769a 100644 --- a/combo/data/models.py +++ b/combo/data/models.py @@ -71,14 +71,14 @@ class PostException(Exception): pass -def element_is_visible(element, user=None): +def element_is_visible(element, user=None, ignore_superuser=False): if element.public: if getattr(element, 'restricted_to_unlogged', None) is True: return (user is None or user.is_anonymous) return True if user is None or user.is_anonymous: return False - if user.is_superuser: + if user.is_superuser and not ignore_superuser: return True page_groups = element.groups.all() if not page_groups: diff --git a/combo/public/templatetags/combo.py b/combo/public/templatetags/combo.py index 408dc97d..8581e136 100644 --- a/combo/public/templatetags/combo.py +++ b/combo/public/templatetags/combo.py @@ -44,7 +44,7 @@ from django.utils.html import format_html from django.utils.safestring import mark_safe from django.utils.timezone import is_naive, make_aware -from combo.data.models import Page, Placeholder +from combo.data.models import Page, Placeholder, element_is_visible from combo.public.menu import get_menu_context from combo.utils import NothingInCacheException, flatten_context from combo.utils.date import make_date, make_datetime @@ -277,14 +277,7 @@ def time(value, arg=None): @register.filter def shown_because_admin(cell, request): - if not (request.user and request.user.is_superuser): - return False - if cell.public: - return False - cell_groups = cell.groups.all() - if not cell_groups: - return False - return not(set(cell_groups).intersection(request.user.groups.all())) + return not element_is_visible(cell, user=request.user, ignore_superuser=True) @register.filter(name='has_role') diff --git a/tests/test_cells.py b/tests/test_cells.py index 89b5a4a5..90c7e9cc 100644 --- a/tests/test_cells.py +++ b/tests/test_cells.py @@ -16,7 +16,7 @@ from django.forms.widgets import Media from django.test import override_settings from django.test.client import RequestFactory from django.test.utils import CaptureQueriesContext -from django.contrib.auth.models import User +from django.contrib.auth.models import User, Group from django.urls import reverse from django.utils.encoding import force_text, force_bytes from django.utils.timezone import now @@ -1226,3 +1226,88 @@ def test_cell_assets(settings, app, admin_user): resp = app.get('/manage/assets/') assert link_cell.get_slug_for_asset() == 'test_cell_assets' assert u'Picture — %s (test)' % link_cell.get_label_for_asset() in resp.text + + +@pytest.fixture +def group(db): + return Group.objects.create(name='Group') + + +@pytest.fixture +def cell_visibility_setup(db, group): + pg = Page.objects.create(title='Test', slug='test', template_name='standard') + + order = 0 + + def make_cell(**kwargs): + nonlocal order + try: + return TextCell.objects.create(page=pg, placeholder='content', order=order, **kwargs) + finally: + order += 1 + + make_cell(text='

Always visible

') + make_cell(text='

Visible to unlogged only

', restricted_to_unlogged=True) + make_cell(text='

Visible to logged only

', public=False) + make_cell(text='

Visible only to member of group

', public=False).groups.add(group) + make_cell(text='

Visible only to non-member of group

', public=False, + restricted_to_unlogged=True).groups.add(group) + + +def test_cells_visibility_anonymous(app, cell_visibility_setup): + response = app.get('/test/') + + assert 'Always visible' in response + assert 'Visible to unlogged only' in response + assert 'Visible to logged only' not in response + assert 'Visible only to member of group' not in response + assert 'Visible only to non-member of group' not in response + assert response.pyquery('.shown-because-admin').text() == '' + + +def test_cells_visibility_user(app, cell_visibility_setup): + User.objects.create(username='user') + response = app.get('/test/', user='user') + + assert 'Always visible' in response + assert 'Visible to unlogged only' not in response + assert 'Visible to logged only' in response + assert 'Visible only to member of group' not in response + assert 'Visible only to non-member of group' in response + assert response.pyquery('.shown-because-admin').text() == '' + + +def test_cells_visibility_user_with_role(app, cell_visibility_setup, group): + User.objects.create(username='user').groups.add(group) + response = app.get('/test/', user='user') + + assert 'Always visible' in response + assert 'Visible to unlogged only' not in response + assert 'Visible to logged only' in response + assert 'Visible only to member of group' in response + assert 'Visible only to non-member of group' not in response + assert response.pyquery('.shown-because-admin').text() == '' + + +def test_cells_visibility_superuser(app, cell_visibility_setup): + User.objects.create(username='superuser', is_superuser=True) + response = app.get('/test/', user='superuser') + + assert 'Always visible' in response + assert 'Visible to unlogged only' not in response + assert 'Visible to logged only' in response + assert 'Visible only to member of group' in response + assert 'Visible only to non-member of group' in response + assert response.pyquery('.shown-because-admin').text() == 'Visible only to member of group' + + +def test_cells_visibility_superuser_with_role(app, cell_visibility_setup, group): + User.objects.create(username='superuser', is_superuser=True).groups.add(group) + response = app.get('/test/', user='superuser') + + assert 'Always visible' in response + assert 'Visible to unlogged only' not in response + assert 'Visible to logged only' in response + assert 'Visible only to member of group' in response + assert 'Visible only to non-member of group' in response + assert response.pyquery('.shown-because-admin').text() == 'Visible only to non-member of group' diff --git a/tox.ini b/tox.ini index 60c9c5e7..dd7e28eb 100644 --- a/tox.ini +++ b/tox.ini @@ -31,6 +31,7 @@ deps = vobject django-ratelimit<3 git+http://git.entrouvert.org/debian/django-ckeditor.git + pyquery commands = ./getlasso3.sh python manage.py compilemessages -- 2.28.0