
Update multiple document uploader to use permission policies

Matt Westcott 2016-02-18 16:24:08 +00:00
parent 5a94117024
commit fcb3adb2f0
2 changed files with 13 additions and 4 deletions


@ -973,3 +973,8 @@ class TestEditOnlyPermissions(TestCase, WagtailTestUtils):
response = self.client.get(reverse('wagtaildocs:delete', args=(self.document.id,)))
self.assertEqual(response.status_code, 200)
self.assertTemplateUsed(response, 'wagtaildocs/documents/confirm_delete.html')
def test_get_add_multiple(self):
response = self.client.get(reverse('wagtaildocs:add_multiple'))
# permission should be denied
self.assertRedirects(response, reverse('wagtailadmin_home'))
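Review bot: `test_get_add_multiple` exercises only the GET path, while the `add` view behind `wagtaildocs:add_multiple` presumably also handles the upload POST, so the denial that matters most for an edit-only user is left unpinned. A companion test that posts a file to `reverse('wagtaildocs:add_multiple')` as the same user, asserts the same redirect to `wagtailadmin_home`, and checks that the document count is unchanged would catch a regression where the permission check ends up applying to one HTTP method only. The enclosing `TestEditOnlyPermissions` class starts outside this hunk, so its fixture setup is assumed rather than visible.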


@ -6,14 +6,18 @@ from django.views.decorators.http import require_POST
from django.views.decorators.vary import vary_on_headers
from wagtail.utils.compat import render_to_string
from wagtail.wagtailadmin.utils import permission_required
from wagtail.wagtailadmin.utils import PermissionPolicyChecker
from wagtail.wagtailsearch.backends import get_search_backends
from ..models import get_document_model
from ..forms import get_document_form, get_document_multi_form
from ..permissions import permission_policy
@permission_required('wagtaildocs.add_document')
permission_checker = PermissionPolicyChecker(permission_policy)
@permission_checker.require('add')
@vary_on_headers('X-Requested-With')
def add(request):
Document = get_document_model()
@ -74,7 +78,7 @@ def edit(request, doc_id, callback=None):
if not request.is_ajax():
return HttpResponseBadRequest("Cannot POST to this view without AJAX")
if not doc.is_editable_by_user(request.user):
if not permission_policy.user_has_permission_for_instance(request.user, 'change', doc):
raise PermissionDenied
form = DocumentMultiForm(request.POST, request.FILES, instance=doc, prefix='doc-' + doc_id)
@ -110,7 +114,7 @@ def delete(request, doc_id):
if not request.is_ajax():
return HttpResponseBadRequest("Cannot POST to this view without AJAX")
if not doc.is_editable_by_user(request.user):
if not permission_policy.user_has_permission_for_instance(request.user, 'delete', doc):
raise PermissionDenied
doc.delete()
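Review bot: In `edit` and `delete` the inline `permission_policy.user_has_permission_for_instance(...)` call is, as far as these hunks show, the only authorization gate on the view, and nothing marks it as security-critical. A comment above each check, for example `# Per-object authorization: the only permission gate on this view; keep it ahead of any form handling or deletion.`, would protect it during later refactors. `delete` now requires the 'delete' action instead of reusing the edit check, so a user with change-only rights is refused, and the test hunk in this commit does not exercise either inline check. Both function bodies begin and end outside the hunks, so any decorators on `edit` and `delete` are not visible here.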