mirror
/
wagtail
kopia lustrzana https://github.com/wagtail/wagtail
1
0
Forkuj 0
Kod Zgłoszenia Packages Projekty Wydania Wiki Aktywność

Update multiple document uploader to use permission policies

pull/2254/head
Matt Westcott 2016-02-18 16:24:08 +00:00
rodzic 5a94117024
commit fcb3adb2f0
2 zmienionych plików z 13 dodań i 4 usunięć
Pokaż statystyki Ściągnij plik aktualizacji Ściągnij plik porównania Expand all files Collapse all files

5
wagtail/wagtaildocs/tests.py
Wyświetl plik

@ -973,3 +973,8 @@ class TestEditOnlyPermissions(TestCase, WagtailTestUtils):
response = self.client.get(reverse('wagtaildocs:delete', args=(self.document.id,)))
self.assertEqual(response.status_code, 200)
self.assertTemplateUsed(response, 'wagtaildocs/documents/confirm_delete.html')
def test_get_add_multiple(self):
response = self.client.get(reverse('wagtaildocs:add_multiple'))
# permission should be denied
self.assertRedirects(response, reverse('wagtailadmin_home'))

12
wagtail/wagtaildocs/views/multiple.py
Wyświetl plik

@ -6,14 +6,18 @@ from django.views.decorators.http import require_POST
from django.views.decorators.vary import vary_on_headers
from wagtail.utils.compat import render_to_string
from wagtail.wagtailadmin.utils import permission_required
from wagtail.wagtailadmin.utils import PermissionPolicyChecker
from wagtail.wagtailsearch.backends import get_search_backends
from ..models import get_document_model
from ..forms import get_document_form, get_document_multi_form
from ..permissions import permission_policy
@permission_required('wagtaildocs.add_document')
permission_checker = PermissionPolicyChecker(permission_policy)
@permission_checker.require('add')
@vary_on_headers('X-Requested-With')
def add(request):
Document = get_document_model()
@ -74,7 +78,7 @@ def edit(request, doc_id, callback=None):
if not request.is_ajax():
return HttpResponseBadRequest("Cannot POST to this view without AJAX")
if not doc.is_editable_by_user(request.user):
if not permission_policy.user_has_permission_for_instance(request.user, 'change', doc):
raise PermissionDenied
form = DocumentMultiForm(request.POST, request.FILES, instance=doc, prefix='doc-' + doc_id)
@ -110,7 +114,7 @@ def delete(request, doc_id):
if not request.is_ajax():
return HttpResponseBadRequest("Cannot POST to this view without AJAX")
if not doc.is_editable_by_user(request.user):
if not permission_policy.user_has_permission_for_instance(request.user, 'delete', doc):
raise PermissionDenied
doc.delete()