django · marksweb · Nov 20, 2024 · Nov 21, 2024 · Dec 23, 2024
diff --git a/blog/tests.py b/blog/tests.py
@@ -179,6 +179,154 @@ def test_past_future_ordering(self):
 
 
 class ViewsTestCase(DateTimeMixin, TestCase):
+    """
+    TODO:
+        * anon users can't see unpublished entries at all (list or detail)
+        * logged in users (non-staff) can't see unpublished entries at all
+        * staff users without write permission on BlogEntry can't see unpublished
+        entries at all
+        * staff users with write permission on BlogEntry can't see unpublished
+        entries in the list, but can view the detail page
+    """
+
+    # def test_anonymous_user_cant_see_entries(self):
+    #     """
+    #     A test which creates an unpublished entry and then loads the list view
+    #     followed by detail view as an anonymous user to check that the entry cannot
+    #     be seen.
+    #     """
+    #     e1 = Entry.objects.create(
+    #         pub_date=self.yesterday, is_active=False, headline="inactive", slug="a"
+    #     )
+    #     e2 = Entry.objects.create(
+    #         pub_date=self.yesterday, is_active=True, headline="active", slug="b"
+    #     )
+    #     response = self.client.get(reverse("weblog:index"))
+    #     self.assertNotContains(response, "active")
+    #     response = self.client.get(
+    #         reverse(
+    #             "weblog:entry",
+    #             kwargs={
+    #                 "year": e1.pub_date.year,
+    #                 "month": e1.pub_date.month,
+    #                 "day": e1.pub_date.day,
+    #                 "slug": e1.slug,
+    #             },
+    #         )
+    #     )
+    #     self.assertEqual(response.status_code, 404)
+    #     response = self.client.get(
+    #         reverse(
+    #             "weblog:entry",
+    #             kwargs={
+    #                 "year": e2.pub_date.year,
+    #                 "month": e2.pub_date.month,
+    #                 "day": e2.pub_date.day,
+    #                 "slug": e2.slug,
+    #             },
+    #         )
+    #     )
+    #     self.assertEqual(response.status_code, 404)
+    #
+    # def test_logged_in_user_cant_see_entries(self):
+    #     """
+    #     A test which creates an unpublished entry and then loads the list view
+    #     followed by detail view as a non-staff user to check that the entry cannot be
+    #     seen.
+    #     """
+    #     e = Entry.objects.create(
+    #         pub_date=self.yesterday, is_active=False, headline="inactive", slug="a"
+    #     )
+    #     user = User.objects.create_user("user", "[email protected]", "password")
+    #     self.client.force_login(user)
+    #     response = self.client.get(reverse("weblog:index"))
+    #     self.assertNotContains(response, "active")
+    #     response = self.client.get(
+    #         reverse(
+    #             "weblog:entry",
+    #             kwargs={
+    #                 "year": e.pub_date.year,
+    #                 "month": e.pub_date.month,
+    #                 "day": e.pub_date.day,
+    #                 "slug": e.slug,
+    #             },
+    #         )
+    #     )
+    #     self.assertEqual(response.status_code, 404)
+    #
+    # def test_staff_no_write_permission_cant_see_entries(self):
+    #     """
+    #     A test which creates an unpublished entry and then loads the list view
+    #     followed by detail view as a staff user without blog write permissions to
+    #     check that the entry cannot be seen.
+    #     """
+    #     e1 = Entry.objects.create(
+    #         pub_date=self.yesterday, is_active=False, headline="inactive", slug="a"
+    #     )
+    #     e2 = Entry.objects.create(
+    #         pub_date=self.yesterday, is_active=True, headline="active", slug="b"
+    #     )
+    #     user = User.objects.create_user(
+    #         "staff", "[email protected]", "password", is_staff=True
+    #     )
+    #     self.client.force_login(user)
+    #     response = self.client.get(reverse("weblog:index"))
+    #
+    #     self.assertContains(response, "active")
+    #     response = self.client.get(
+    #         reverse(
+    #             "weblog:entry",
+    #             kwargs={
+    #                 "year": e1.pub_date.year,
+    #                 "month": e1.pub_date.month,
+    #                 "day": e1.pub_date.day,
+    #                 "slug": e1.slug,
+    #             },
+    #         )
+    #     )
+    #     self.assertEqual(response.status_code, 404)
+    #     response = self.client.get(
+    #         reverse(
+    #             "weblog:entry",
+    #             kwargs={
+    #                 "year": e2.pub_date.year,
+    #                 "month": e2.pub_date.month,
+    #                 "day": e2.pub_date.day,
+    #                 "slug": e2.slug,
+    #             },
+    #         )
+    #     )
+    #     self.assertEqual(response.status_code, 404)
+
+    def test_staff_with_write_permission_can_see_unpublished_detail_view(self):
+        """
+        staff users with write permission on BlogEntry can't see unpublished entries
+        in the list, but can view the detail page
+        """
+        e1 = Entry.objects.create(
+            pub_date=self.yesterday, is_active=False, headline="inactive", slug="a"
+        )
+        user = User.objects.create(username="staff", is_staff=True)
+        self.client.force_login(user)
+        self.assertEqual(Entry.objects.all().count(), 1)
+        response = self.client.get(reverse("weblog:index"))
+        self.assertEqual(response.status_code, 404)
+
+        response = self.client.get(
+            reverse(
+                "weblog:entry",
+                kwargs={
+                    "year": e1.pub_date.year,
+                    "month": e1.pub_date.month,
+                    "day": e1.pub_date.day,
+                    "slug": e1.slug,
+                },
+            )
+        )
+        request = response.context["request"]
+        self.assertTrue(request.user.is_staff)
+        self.assertEqual(response.status_code, 200)
+
     def test_no_past_upcoming_events(self):
         """
         Make sure there are no past event in the "upcoming events" sidebar (#399)

diff --git a/blog/views.py b/blog/views.py
@@ -17,10 +17,7 @@ def get_allow_future(self):
         return self.request.user.is_staff
 
     def get_queryset(self):
-        if self.request.user.is_staff:
-            return Entry.objects.all()
-        else:
-            return Entry.objects.published()
+        return Entry.objects.published()
 
     def get_context_data(self, **kwargs):
         context = super().get_context_data(**kwargs)
@@ -49,4 +46,12 @@ class BlogDayArchiveView(BlogViewMixin, DayArchiveView):
 
 
 class BlogDateDetailView(BlogViewMixin, DateDetailView):
-    pass
+
+    def get_queryset(self):
+        """Allows staff users to view unpublished entries"""
+        if self.request.user.is_staff:
+            print("\n\nSTAFF USER\n\n")
+            return Entry.objects.all()
+        else:
+            print("\n\nNORMAL USER\n\n")
+            return Entry.objects.published()