diff --git a/wagtail/wagtailcore/permission_policies/collections.py b/wagtail/wagtailcore/permission_policies/collections.py index 3e99b6a73f..7beb9d7a30 100644 --- a/wagtail/wagtailcore/permission_policies/collections.py +++ b/wagtail/wagtailcore/permission_policies/collections.py @@ -26,7 +26,7 @@ class CollectionPermissionLookupMixin(object): If collection is specified, only consider GroupCollectionPermission records that apply to that collection. """ - if not user.is_active: + if not (user.is_active and user.is_authenticated()): return False if user.is_superuser: @@ -162,7 +162,7 @@ class CollectionPermissionPolicy(CollectionPermissionLookupMixin, BaseDjangoAuth Return a queryset of all instances of this model for which the given user has permission to perform any of the given actions """ - if not user.is_active: + if not (user.is_active and user.is_authenticated()): return self.model.objects.none() elif user.is_superuser: return self.model.objects.all() diff --git a/wagtail/wagtailcore/tests/test_collection_permission_policies.py b/wagtail/wagtailcore/tests/test_collection_permission_policies.py index a5231db8a1..a5f43fa07d 100644 --- a/wagtail/wagtailcore/tests/test_collection_permission_policies.py +++ b/wagtail/wagtailcore/tests/test_collection_permission_policies.py @@ -222,6 +222,12 @@ class TestCollectionPermissionPolicy(PermissionPolicyTestCase): ) ) + self.assertFalse( + self.policy.user_has_any_permission_for_instance( + self.anonymous_user, ['change', 'delete'], self.changer_doc + ) + ) + def test_instances_user_has_permission_for(self): self.assertResultSetEqual( self.policy.instances_user_has_permission_for( @@ -636,6 +642,12 @@ class TestCollectionOwnershipPermissionPolicy(PermissionPolicyTestCase): ) ) + self.assertFalse( + self.policy.user_has_any_permission_for_instance( + self.anonymous_user, ['change', 'delete'], self.changer_doc + ) + ) + def test_instances_user_has_permission_for(self): self.assertResultSetEqual( self.policy.instances_user_has_permission_for(