diff --git a/blog/tests.py b/blog/tests.py
index fcb493c17..14ea5f099 100644
--- a/blog/tests.py
+++ b/blog/tests.py
@@ -179,6 +179,154 @@ def test_past_future_ordering(self):
 class ViewsTestCase(DateTimeMixin, TestCase):
+ """
+ TODO:
+ * anon users can't see unpublished entries at all (list or detail)
+ * logged in users (non-staff) can't see unpublished entries at all
+ * staff users without write permission on BlogEntry can't see unpublished
+ entries at all
+ * staff users with write permission on BlogEntry can't see unpublished
+ entries in the list, but can view the detail page
+ """
+
+ # def test_anonymous_user_cant_see_entries(self):
+ # """
+ # A test which creates an unpublished entry and then loads the list view
+ # followed by detail view as an anonymous user to check that the entry cannot
+ # be seen.
+ # """
+ # e1 = Entry.objects.create(
+ # pub_date=self.yesterday, is_active=False, headline="inactive", slug="a"
+ # )
+ # e2 = Entry.objects.create(
+ # pub_date=self.yesterday, is_active=True, headline="active", slug="b"
+ # )
+ # response = self.client.get(reverse("weblog:index"))
+ # self.assertNotContains(response, "active")
+ # response = self.client.get(
+ # reverse(
+ # "weblog:entry",
+ # kwargs={
+ # "year": e1.pub_date.year,
+ # "month": e1.pub_date.month,
+ # "day": e1.pub_date.day,
+ # "slug": e1.slug,
+ # },
+ # )
+ # )
+ # self.assertEqual(response.status_code, 404)
+ # response = self.client.get(
+ # reverse(
+ # "weblog:entry",
+ # kwargs={
+ # "year": e2.pub_date.year,
+ # "month": e2.pub_date.month,
+ # "day": e2.pub_date.day,
+ # "slug": e2.slug,
+ # },
+ # )
+ # )
+ # self.assertEqual(response.status_code, 404)
+ #
+ # def test_logged_in_user_cant_see_entries(self):
+ # """
+ # A test which creates an unpublished entry and then loads the list view
+ # followed by detail view as a non-staff user to check that the entry cannot be
+ # seen.
+ # """
+ # e = Entry.objects.create(
+ # pub_date=self.yesterday, is_active=False, headline="inactive", slug="a"
+ # )
+ # user = User.objects.create_user("user", "user@example.com", "password")
+ # self.client.force_login(user)
+ # response = self.client.get(reverse("weblog:index"))
+ # self.assertNotContains(response, "active")
+ # response = self.client.get(
+ # reverse(
+ # "weblog:entry",
+ # kwargs={
+ # "year": e.pub_date.year,
+ # "month": e.pub_date.month,
+ # "day": e.pub_date.day,
+ # "slug": e.slug,
+ # },
+ # )
+ # )
+ # self.assertEqual(response.status_code, 404)
+ #
+ # def test_staff_no_write_permission_cant_see_entries(self):
+ # """
+ # A test which creates an unpublished entry and then loads the list view
+ # followed by detail view as a staff user without blog write permissions to
+ # check that the entry cannot be seen.
+ # """
+ # e1 = Entry.objects.create(
+ # pub_date=self.yesterday, is_active=False, headline="inactive", slug="a"
+ # )
+ # e2 = Entry.objects.create(
+ # pub_date=self.yesterday, is_active=True, headline="active", slug="b"
+ # )
+ # user = User.objects.create_user(
+ # "staff", "staff@example.com", "password", is_staff=True
+ # )
+ # self.client.force_login(user)
+ # response = self.client.get(reverse("weblog:index"))
+ #
+ # self.assertContains(response, "active")
+ # response = self.client.get(
+ # reverse(
+ # "weblog:entry",
+ # kwargs={
+ # "year": e1.pub_date.year,
+ # "month": e1.pub_date.month,
+ # "day": e1.pub_date.day,
+ # "slug": e1.slug,
+ # },
+ # )
+ # )
+ # self.assertEqual(response.status_code, 404)
+ # response = self.client.get(
+ # reverse(
+ # "weblog:entry",
+ # kwargs={
+ # "year": e2.pub_date.year,
+ # "month": e2.pub_date.month,
+ # "day": e2.pub_date.day,
+ # "slug": e2.slug,
+ # },
+ # )
+ # )
+ # self.assertEqual(response.status_code, 404)
+
+ def test_staff_with_write_permission_can_see_unpublished_detail_view(self):
+ """
+ staff users with write permission on BlogEntry can't see unpublished entries
+ in the list, but can view the detail page
+ """
+ e1 = Entry.objects.create(
+ pub_date=self.yesterday, is_active=False, headline="inactive", slug="a"
+ )
+ user = User.objects.create(username="staff", is_staff=True)
+ self.client.force_login(user)
+ self.assertEqual(Entry.objects.all().count(), 1)
+ response = self.client.get(reverse("weblog:index"))
+ self.assertEqual(response.status_code, 404)
+
+ response = self.client.get(
+ reverse(
+ "weblog:entry",
+ kwargs={
+ "year": e1.pub_date.year,
+ "month": e1.pub_date.month,
+ "day": e1.pub_date.day,
+ "slug": e1.slug,
+ },
+ )
+ )
+ request = response.context["request"]
+ self.assertTrue(request.user.is_staff)
+ self.assertEqual(response.status_code, 200)
+
 def test_no_past_upcoming_events(self):
 """
 Make sure there are no past event in the "upcoming events" sidebar (#399)
diff --git a/blog/views.py b/blog/views.py
index b27236af0..747583607 100644
--- a/blog/views.py
+++ b/blog/views.py
@@ -17,10 +17,7 @@ def get_allow_future(self):
 return self.request.user.is_staff
 def get_queryset(self):
- if self.request.user.is_staff:
- return Entry.objects.all()
- else:
- return Entry.objects.published()
+ return Entry.objects.published()
 def get_context_data(self, **kwargs):
 context = super().get_context_data(**kwargs)
@@ -49,4 +46,12 @@ class BlogDayArchiveView(BlogViewMixin, DayArchiveView):
 class BlogDateDetailView(BlogViewMixin, DateDetailView):
- pass
+
+ def get_queryset(self):
+ """Allows staff users to view unpublished entries"""
+ if self.request.user.is_staff:
+ print("\n\nSTAFF USER\n\n")
+ return Entry.objects.all()
+ else:
+ print("\n\nNORMAL USER\n\n")
+ return Entry.objects.published()
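Review bot: The authorization boundary this commit introduces in blog/views.py — a non-staff or anonymous request for an unpublished entry's detail page must get a 404 — has no active test in this hunk: the three tests that would pin it are left commented out and only the staff-positive case runs, so a regression that drops the `is_staff` check would still pass the suite. Rather than roughly 120 lines of commented-out tests plus a TODO docstring, either delete them or keep them registered with `@unittest.skip("...")` so the runner reports them as pending and they are not silently lost. In the active test, `self.assertEqual(response.status_code, 404)` on the index only shows the list is empty when no published entry exists; creating a published entry as well and asserting `self.assertNotContains(response, "inactive")` would check what the docstring claims. The `ViewsTestCase` class continues outside the hunk.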
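Review bot: The two `print("\n\nSTAFF USER\n\n")` / `print("\n\nNORMAL USER\n\n")` calls in the new `BlogDateDetailView.get_queryset` are debug output left in request-handling code and should be removed (or, if the trace is wanted, become a `logging` debug call) before merge. The gate is `is_staff`, which is broader than the "write permission on BlogEntry" that the accompanying test docstring in blog/tests.py describes; if permission is the intended rule, `self.request.user.has_perm(...)` with the Entry change permission (presumably `blog.change_entry` under Django's default codenames, assuming the app label is `blog`) expresses it, otherwise the test docstring should say staff. The docstring `"""Allows staff users to view unpublished entries"""` would be more precise as `"""Staff see all entries (including unpublished; future-dated ones are admitted by get_allow_future); everyone else sees only published ones."""`, since the mixin's `get_allow_future` in the earlier hunk also keys on `is_staff`.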