Restore permission check on settings EditView

wagtail · May 30, 2024 · 284f75a · 284f75a
1 parent c08cae1
commit 284f75a
Show file tree

Hide file tree

Showing 3 changed files with 289 additions and 33 deletions.
diff --git a/wagtail/contrib/settings/tests/generic/test_admin.py b/wagtail/contrib/settings/tests/generic/test_admin.py
@@ -77,11 +77,6 @@ def edit_url(self, setting):
 class TestGenericSettingCreateView(BaseTestGenericSettingView):
     def setUp(self):
         self.user = self.login()
-        self.user.user_permissions.add(
-            Permission.objects.get(
-                content_type__app_label="wagtailadmin", codename="access_admin"
-            )
-        )
 
     def test_get_edit(self):
         response = self.get()
@@ -113,11 +108,62 @@ def test_file_upload_multipart(self):
         # Ensure the form supports file uploads
         self.assertContains(response, 'enctype="multipart/form-data"')
 
-    def test_create_restricted_field_without_permission(self):
+    def test_create_restricted_field_without_any_permission(self):
+        # User has no permissions over the setting model, only access to the admin
         self.user.is_superuser = False
         self.user.save()
+        self.user.user_permissions.add(
+            Permission.objects.get(
+                content_type__app_label="wagtailadmin", codename="access_admin"
+            ),
+        )
 
         self.assertFalse(TestPermissionedGenericSetting.objects.exists())
+        # GET should redirect away with permission denied
+        response = self.get(setting=TestPermissionedGenericSetting)
+        self.assertRedirects(response, status_code=302, expected_url="/admin/")
+
+        # the GET might create a setting object, depending on when the permission check is done,
+        # so remove any created objects prior to testing the POST
+        TestPermissionedGenericSetting.objects.all().delete()
+
+        # POST should redirect away with permission denied
+        response = self.post(
+            post_data={"sensitive_email": "test@example.com", "title": "test"},
+            setting=TestPermissionedGenericSetting,
+        )
+        self.assertRedirects(response, status_code=302, expected_url="/admin/")
+
+        # The retrieved setting should contain none of the submitted data
+        setting = TestPermissionedGenericSetting.load()
+        self.assertEqual(setting.title, "")
+        self.assertEqual(setting.sensitive_email, "")
+
+    def test_create_restricted_field_without_field_permission(self):
+        # User has edit permission over the setting model, but not the sensitive_email field
+        self.user.is_superuser = False
+        self.user.save()
+        self.user.user_permissions.add(
+            Permission.objects.get(
+                content_type__app_label="wagtailadmin", codename="access_admin"
+            ),
+            Permission.objects.get(
+                content_type__app_label="tests",
+                codename="change_testpermissionedgenericsetting",
+            ),
+        )
+
+        self.assertFalse(TestPermissionedGenericSetting.objects.exists())
+        # GET should provide a form with title but not sensitive_email
+        response = self.get(setting=TestPermissionedGenericSetting)
+        self.assertEqual(response.status_code, 200)
+        self.assertIn("title", list(response.context["form"].fields))
+        self.assertNotIn("sensitive_email", list(response.context["form"].fields))
+
+        # the GET creates a setting object, so remove any created objects prior to testing the POST
+        TestPermissionedGenericSetting.objects.all().delete()
+
+        # POST should allow the title to be set, but not the sensitive_email
         response = self.post(
             post_data={"sensitive_email": "test@example.com", "title": "test"},
             setting=TestPermissionedGenericSetting,
@@ -129,11 +175,31 @@ def test_create_restricted_field_without_permission(self):
         self.assertEqual(settings.sensitive_email, "")
 
     def test_create_restricted_field(self):
+        # User has edit permission over the setting model, including the sensitive_email field
         self.user.is_superuser = False
         self.user.save()
         self.user.user_permissions.add(
-            Permission.objects.get(codename="can_edit_sensitive_email_generic_setting")
+            Permission.objects.get(
+                content_type__app_label="wagtailadmin", codename="access_admin"
+            ),
+            Permission.objects.get(
+                content_type__app_label="tests",
+                codename="change_testpermissionedgenericsetting",
+            ),
+            Permission.objects.get(codename="can_edit_sensitive_email_generic_setting"),
         )
+
+        self.assertFalse(TestPermissionedGenericSetting.objects.exists())
+        # GET should provide a form with title and sensitive_email
+        response = self.get(setting=TestPermissionedGenericSetting)
+        self.assertEqual(response.status_code, 200)
+        self.assertIn("title", list(response.context["form"].fields))
+        self.assertIn("sensitive_email", list(response.context["form"].fields))
+
+        # the GET creates a setting object, so remove any created objects prior to testing the POST
+        TestPermissionedGenericSetting.objects.all().delete()
+
+        # POST should allow both title and sensitive_email to be set
         self.assertFalse(TestPermissionedGenericSetting.objects.exists())
         response = self.post(
             post_data={"sensitive_email": "test@example.com", "title": "test"},
@@ -153,11 +219,6 @@ def setUp(self):
         self.test_setting.save()
 
         self.user = self.login()
-        self.user.user_permissions.add(
-            Permission.objects.get(
-                content_type__app_label="wagtailadmin", codename="access_admin"
-            )
-        )
 
     def test_get_edit(self):
         response = self.get()
@@ -206,48 +267,115 @@ def test_for_request(self):
         )
 
     def test_edit_restricted_field(self):
+        # User has edit permission over the setting model, including the sensitive_email field
         test_setting = TestPermissionedGenericSetting()
         test_setting.sensitive_email = "test@example.com"
+        test_setting.title = "Old title"
         test_setting.save()
         self.user.is_superuser = False
         self.user.save()
 
         self.user.user_permissions.add(
-            Permission.objects.get(codename="can_edit_sensitive_email_generic_setting")
+            Permission.objects.get(
+                content_type__app_label="wagtailadmin", codename="access_admin"
+            ),
+            Permission.objects.get(
+                content_type__app_label="tests",
+                codename="change_testpermissionedgenericsetting",
+            ),
+            Permission.objects.get(codename="can_edit_sensitive_email_generic_setting"),
         )
 
+        # GET should provide a form with title and sensitive_email
         response = self.get(setting=TestPermissionedGenericSetting)
         self.assertEqual(response.status_code, 200)
+        self.assertIn("title", list(response.context["form"].fields))
         self.assertIn("sensitive_email", list(response.context["form"].fields))
 
+        # POST should allow both title and sensitive_email to be set
         response = self.post(
             setting=TestPermissionedGenericSetting,
-            post_data={"sensitive_email": "test-updated@example.com", "title": "title"},
+            post_data={
+                "sensitive_email": "test-updated@example.com",
+                "title": "New title",
+            },
         )
         self.assertEqual(response.status_code, 302)
 
         test_setting.refresh_from_db()
         self.assertEqual(test_setting.sensitive_email, "test-updated@example.com")
+        self.assertEqual(test_setting.title, "New title")
 
-    def test_edit_restricted_field_without_permission(self):
+    def test_edit_restricted_field_without_field_permission(self):
+        # User has edit permission over the setting model, but not the sensitive_email field
         test_setting = TestPermissionedGenericSetting()
         test_setting.sensitive_email = "test@example.com"
+        test_setting.title = "Old title"
         test_setting.save()
         self.user.is_superuser = False
         self.user.save()
+        self.user.user_permissions.add(
+            Permission.objects.get(
+                content_type__app_label="wagtailadmin", codename="access_admin"
+            ),
+            Permission.objects.get(
+                content_type__app_label="tests",
+                codename="change_testpermissionedgenericsetting",
+            ),
+        )
 
+        # GET should provide a form with title but not sensitive_email
         response = self.get(setting=TestPermissionedGenericSetting)
         self.assertEqual(response.status_code, 200)
+        self.assertIn("title", list(response.context["form"].fields))
         self.assertNotIn("sensitive_email", list(response.context["form"].fields))
 
+        # POST should allow the title to be set, but not the sensitive_email
         response = self.post(
             setting=TestPermissionedGenericSetting,
-            post_data={"sensitive_email": "test-updated@example.com", "title": "title"},
+            post_data={
+                "sensitive_email": "test-updated@example.com",
+                "title": "New title",
+            },
         )
         self.assertEqual(response.status_code, 302)
 
         test_setting.refresh_from_db()
         self.assertEqual(test_setting.sensitive_email, "test@example.com")
+        self.assertEqual(test_setting.title, "New title")
+
+    def test_edit_restricted_field_without_any_permission(self):
+        # User has no permissions over the setting model, only access to the admin
+        test_setting = TestPermissionedGenericSetting()
+        test_setting.sensitive_email = "test@example.com"
+        test_setting.title = "Old title"
+        test_setting.save()
+        self.user.is_superuser = False
+        self.user.save()
+        self.user.user_permissions.add(
+            Permission.objects.get(
+                content_type__app_label="wagtailadmin", codename="access_admin"
+            ),
+        )
+
+        # GET should redirect away with permission denied
+        response = self.get(setting=TestPermissionedGenericSetting)
+        self.assertRedirects(response, status_code=302, expected_url="/admin/")
+
+        # POST should redirect away with permission denied
+        response = self.post(
+            setting=TestPermissionedGenericSetting,
+            post_data={
+                "sensitive_email": "test-updated@example.com",
+                "title": "new title",
+            },
+        )
+        self.assertRedirects(response, status_code=302, expected_url="/admin/")
+
+        # The retrieved setting should be unchanged
+        test_setting.refresh_from_db()
+        self.assertEqual(test_setting.sensitive_email, "test@example.com")
+        self.assertEqual(test_setting.title, "Old title")
 
 
 class TestAdminPermission(WagtailTestUtils, TestCase):