Do not allow copies of pages that exceed their models' max_count

Update PagePermissionTester.can_move_to() to call on the page class's 'can_create_at()' method, and respond accordingly Add a SingletonPageViaMaxCount to the test.json fixture for use in page permission tests Add some tests for PagePermissionTester.can_copy_to() Create a SingletonPageViaMaxCount in setUp() instead of adding to the fixture
2024-11-29 17:36:49 +01:00 · 2019-03-04 16:09:44 +00:00 · 2019-03-04 16:09:44 +00:00 · 77a8e3b7c0
commit 77a8e3b7c0
parent fc21729a24
5 changed files with 84 additions and 5 deletions
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@ -30,6 +30,7 @@ Changelog
 * Fix: Admin HTML header now includes correct language code (Matt Westcott)
 * Fix: Unclear error message when saving image after focal point edit (Hugo van den Berg)
 * Fix: `send_mail` now correctly uses the `html_message` kwarg for HTML messages (Tiago Requeijo)
+ * Fix: Page copying no longer allowed if page model has reached its `max_count` (Andy Babic)


 2.4 (19.12.2018)
--- a/docs/releases/2.5.rst
+++ b/docs/releases/2.5.rst
@ -44,8 +44,9 @@ Bug fixes
 * Page Copy will now also copy ParentalManyToMany field relations (LB (Ben Johnston))
 * Admin HTML header now includes correct language code (Matt Westcott)
 * Unclear error message when saving image after focal point edit (Hugo van den Berg)
- * Fix: Increase max length on ``Embed.thumbnail_url`` to 255 characters (Kevin Howbrook)
- * Fix: ``send_mail`` now correctly uses the ``html_message`` kwarg for HTML messages (Tiago Requeijo)
+ * Increase max length on ``Embed.thumbnail_url`` to 255 characters (Kevin Howbrook)
+ * ``send_mail`` now correctly uses the ``html_message`` kwarg for HTML messages (Tiago Requeijo)
+ * Page copying no longer allowed if page model has reached its ``max_count`` (Andy Babic)


 Upgrade considerations
--- a/wagtail/core/models.py
+++ b/wagtail/core/models.py
@ -1841,9 +1841,15 @@ class PagePermissionTester:
        if recursive and (self.page == destination or destination.is_descendant_of(self.page)):
            return False

-        # shortcut the trivial 'everything' / 'nothing' permissions
+        # reject inactive users early
        if not self.user.is_active:
            return False
+
+        # reject early if pages of this type cannot be created at the destination
+        if not self.page.specific_class.can_create_at(destination):
+            return False
+
+        # skip permission checking for super users
        if self.user.is_superuser:
            return True

--- a/wagtail/core/tests/test_page_permissions.py
+++ b/wagtail/core/tests/test_page_permissions.py
@ -3,7 +3,8 @@ from django.contrib.auth.models import Group
 from django.test import TestCase

 from wagtail.core.models import GroupPagePermission, Page, UserPagePermissionsProxy
-from wagtail.tests.testapp.models import BusinessSubIndex, EventIndex, EventPage
+from wagtail.tests.testapp.models import (
+    BusinessSubIndex, EventIndex, EventPage, SingletonPageViaMaxCount)


 class TestPagePermission(TestCase):
@ -464,3 +465,74 @@ class TestPagePermission(TestCase):
        perms = UserPagePermissionsProxy(user).for_page(christmas_page)

        self.assertFalse(perms.can_lock())
+
+
+class TestPagePermissionTesterCanCopyTo(TestCase):
+    """Tests PagePermissionTester.can_copy_to()"""
+
+    fixtures = ['test.json']
+
+    def setUp(self):
+        # These same pages will be used for testing the result for each user
+        self.board_meetings_page = BusinessSubIndex.objects.get(url_path='/home/events/businessy-events/board-meetings/')
+        self.event_page = EventPage.objects.get(url_path='/home/events/christmas/')
+
+        # We'll also create a SingletonPageViaMaxCount to use
+        homepage = Page.objects.get(url_path='/home/')
+        self.singleton_page = SingletonPageViaMaxCount(title='there can be only one')
+        homepage.add_child(instance=self.singleton_page)
+
+    def test_inactive_user_cannot_copy_any_pages(self):
+        user = get_user_model().objects.get(username='inactiveuser')
+
+        # Create PagePermissionTester objects for this user, for each page
+        board_meetings_page_perms = self.board_meetings_page.permissions_for_user(user)
+        event_page_perms = self.event_page.permissions_for_user(user)
+        singleton_page_perms = self.singleton_page.permissions_for_user(user)
+
+        # This user should not be able to copy any pages
+        self.assertFalse(event_page_perms.can_copy_to(self.event_page.get_parent()))
+        self.assertFalse(board_meetings_page_perms.can_copy_to(self.board_meetings_page.get_parent()))
+        self.assertFalse(singleton_page_perms.can_copy_to(self.singleton_page.get_parent()))
+
+    def test_no_permissions_admin_cannot_copy_any_pages(self):
+        user = get_user_model().objects.get(username='admin_only_user')
+
+        # Create PagePermissionTester objects for this user, for each page
+        board_meetings_page_perms = self.board_meetings_page.permissions_for_user(user)
+        event_page_perms = self.event_page.permissions_for_user(user)
+        singleton_page_perms = self.singleton_page.permissions_for_user(user)
+
+        # This user should not be able to copy any pages
+        self.assertFalse(event_page_perms.can_copy_to(self.event_page.get_parent()))
+        self.assertFalse(board_meetings_page_perms.can_copy_to(self.board_meetings_page.get_parent()))
+        self.assertFalse(singleton_page_perms.can_copy_to(self.singleton_page.get_parent()))
+
+    def test_event_moderator_cannot_copy_a_singleton_page(self):
+        user = get_user_model().objects.get(username='eventmoderator')
+
+        # Create PagePermissionTester objects for this user, for each page
+        board_meetings_page_perms = self.board_meetings_page.permissions_for_user(user)
+        event_page_perms = self.event_page.permissions_for_user(user)
+        singleton_page_perms = self.singleton_page.permissions_for_user(user)
+
+        # We'd expect an event moderator to be able to copy an event page
+        self.assertTrue(event_page_perms.can_copy_to(self.event_page.get_parent()))
+        # This works because copying doesn't necessarily have to mean publishing
+        self.assertTrue(board_meetings_page_perms.can_copy_to(self.board_meetings_page.get_parent()))
+        # SingletonPageViaMaxCount.can_create_at() prevents copying, regardless of a user's permissions
+        self.assertFalse(singleton_page_perms.can_copy_to(self.singleton_page.get_parent()))
+
+    def test_not_even_a_superuser_can_copy_a_singleton_page(self):
+        user = get_user_model().objects.get(username='superuser')
+
+        # Create PagePermissionTester object for this user, for each page
+        board_meetings_page_perms = self.board_meetings_page.permissions_for_user(user)
+        event_page_perms = self.event_page.permissions_for_user(user)
+        singleton_page_perms = self.singleton_page.permissions_for_user(user)
+
+        # A superuser has full permissions, so these are self explainatory
+        self.assertTrue(event_page_perms.can_copy_to(self.event_page.get_parent()))
+        self.assertTrue(board_meetings_page_perms.can_copy_to(self.board_meetings_page.get_parent()))
+        # However, SingletonPageViaMaxCount.can_create_at() prevents copying, regardless of a user's permissions
+        self.assertFalse(singleton_page_perms.can_copy_to(self.singleton_page.get_parent()))
--- a/wagtail/tests/testapp/fixtures/test.json
+++ b/wagtail/tests/testapp/fixtures/test.json
@ -611,7 +611,6 @@
    }
 },

-
 {
    "pk": 1,
    "model": "wagtailcore.site",