Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

PagePermissionTester.can_reorder_children checks is_creatable #3465

Open
dnsl48 opened this issue Mar 19, 2017 · 1 comment · May be fixed by #11944
Open

PagePermissionTester.can_reorder_children checks is_creatable #3465

dnsl48 opened this issue Mar 19, 2017 · 1 comment · May be fixed by #11944
Labels
component:Permissions type:Bug
Milestone
real-soon-now

Comments

@dnsl48
Copy link
Contributor

dnsl48 commented Mar 19, 2017

Summary

The current wagtailcore.models.PagePermissionTester.can_reorder_children implementation just returns self.can_publish_subpage(), which has a side-effect of checking the page has creatable children. In case it has children with is_creatable=False, we cannot reorder them, even though we have permissions to edit them (i.e. only creation of new ones should be restricted).

Method can_reorder_children should probably be reimplemented in a different way, checking only editing permissions for children.

Steps to reproduce

  1. Create a parent page model
  2. Create a child page model
  3. Make is_creatable field of the child to be a descriptor returning false in case there are more then two instances. For example (pseudo code):
class NoMoreThanTwoDescriptor(object):
    def __get__(self, obj, cls):
        return cls.objects.count() < 2

class ChildPage(Page):
   is_creatable = NoMoreThanTwoDescriptor()

class IndexPage(Page):
    subpage_types = [ChildPage]
  1. Go to the admin panel and create the IndexPage and 2 children.
  2. Ordering of the children will not be available in the admin panel

Technical details

  • Wagtail version: 1.9
@gasman gasman added this to the real-soon-now milestone Mar 20, 2017
@gasman
Copy link
Collaborator

gasman commented Mar 20, 2017

Thanks @dnsl48!

can_publish_subpage is misnamed, really - it should probably be called something like can_publish_new_subpage - and I think that's what caught me out here. I think we want can_reorder_children to equal "can publish subpages" in the literal sense, since it's making an immediate change (albeit a minor one) to the live site, which is usually something that only users with publish permission can do:

def can_reorder_children(self):
    """
    Keep reorder permissions the same as publishing, since it immediately affects published pages
    (and the use-cases for a non-admin needing to do it are fairly obscure...)
    """
    if not self.user.is_active:
        return False
    return self.user.is_superuser or ('publish' in self.permissions)

(We'll need to add a test to cover this additional case, of course.)

@laymonage laymonage linked a pull request May 10, 2024 that will close this issue
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
component:Permissions type:Bug
Projects
None yet
Milestone
real-soon-now
3 participants
@gasman @laymonage @dnsl48