Ensure that moderators without explicit edit permission on pages are granted access to the ping endpoint

2024-08-16 09:36:15 +01:00 · 2024-08-16 09:36:15 +01:00 · f53be91b90
commit f53be91b90
--- a/wagtail/admin/tests/test_editing_sessions.py
+++ b/wagtail/admin/tests/test_editing_sessions.py
@ -969,6 +969,45 @@ class TestPingView(WagtailTestUtils, TestCase):
        )
        self.assertEqual(response.status_code, 200)

+    def test_moderator_without_explicit_edit_permission_on_page(self):
+        # submit page for moderation
+        workflow = self.page.get_workflow()
+        workflow.start(self.page, self.other_user)
+
+        # Revoke all page permissions from the Moderators group, so that the workflow is
+        # the only thing granting them access to the page
+        moderators = Group.objects.get(name="Moderators")
+        moderators.page_permissions.all().delete()
+
+        # make user a moderator
+        self.user.is_superuser = False
+        self.user.save()
+        self.user.groups.add(moderators)
+
+        # access to the ping endpoint should be granted
+        response = self.client.post(
+            reverse(
+                "wagtailadmin_editing_sessions:ping",
+                args=("wagtailcore", "page", self.page.id, self.session.id),
+            )
+        )
+        self.assertEqual(response.status_code, 200)
+
+    def test_locked_page(self):
+        self.page.locked = True
+        self.page.locked_by = self.other_user
+        self.page.locked_at = TIMESTAMP_PAST
+        self.page.save()
+
+        # access to the ping endpoint should be granted
+        response = self.client.post(
+            reverse(
+                "wagtailadmin_editing_sessions:ping",
+                args=("wagtailcore", "page", self.page.id, self.session.id),
+            )
+        )
+        self.assertEqual(response.status_code, 200)
+
    @freeze_time(TIMESTAMP_NOW)
    def test_ping_snippet_model(self):
        snippet = Advert.objects.create(text="Test snippet")
--- a/wagtail/admin/views/editing_sessions.py
+++ b/wagtail/admin/views/editing_sessions.py
@ -12,7 +12,6 @@ from wagtail.admin.models import EditingSession
 from wagtail.admin.ui.editing_sessions import EditingSessionsList
 from wagtail.admin.utils import get_user_display_name
 from wagtail.models import Page, Revision, RevisionMixin
-from wagtail.permissions import page_permission_policy


@require_POST
@ -28,17 +27,19 @@ def ping(request, app_label, model_name, object_id, session_id):

    obj = get_object_or_404(model, pk=unquoted_object_id)
    if isinstance(obj, Page):
-        permission_policy = page_permission_policy
+        can_edit = obj.permissions_for_user(request.user).can_edit()
    else:
        try:
            permission_policy = model.snippet_viewset.permission_policy
        except AttributeError:
            # model is neither a Page nor a snippet
            raise Http404
+        else:
+            can_edit = permission_policy.user_has_permission_for_instance(
+                request.user, "change", obj
+            )

-    if not permission_policy.user_has_permission_for_instance(
-        request.user, "change", obj
-    ):
+    if not can_edit:
        raise Http404

    try: