8000 Fixed #6196 -- Prevent users from passing a public page as parent in … · django-cms/django-cms@cd12c2f · GitHub
[go: up one dir, main page]
Skip to content

Commit cd12c2f

Browse files
jedieczpython
jedie
authored and
czpython
committed
Fixed #6196 -- Prevent users from passing a public page as parent in create_page api function (#6126)
1 parent 4d720a3 commit cd12c2f

File tree

4 files changed

+11
-2
lines changed

4 files changed

+11
-2
lines changed

CHANGELOG.txt

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -14,6 +14,7 @@
1414
* Introduced logic to copy pages to different sites from the admin.
1515
* Removed "View on Site" button when adding a page
1616
* Welcome page no longer uses multilingual URLs when not required.
17+
* Prevent users from passing a public page as parent in ``create_page`` api function
1718

1819

1920
=== 3.4.5 (2017-10-12) ===

cms/api.py

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -130,6 +130,7 @@ def create_page(title, template, language, menu_title=None, slug=None,
130130
# validate parent
131131
if parent:
132132
assert isinstance(parent, Page)
133+
assert parent.publisher_is_draft
133134

134135
# validate publication date
135136
if publication_date:

cms/tests/test_api.py

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -231,3 +231,10 @@ def test_publish_page(self):
231231
page = page.reload()
232232
self.assertTrue(page.is_published('en'))
233233
self.assertEqual(page.changed_by, user.get_username())
234+
235+
def test_create_page_assert_parent_is_draft(self):
236+
page_attrs = self._get_default_create_page_arguments()
237+
page_attrs['published'] = True
238+
parent_page = create_page(**page_attrs)
239+
parent_page_public = parent_page.get_public_object()
240+
self.assertRaises(AssertionError, create_page, parent=parent_page_public, **page_attrs)

cms/tests/test_apphooks.py

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -812,7 +812,7 @@ def test_get_apps(self):
812812

813813
page2 = create_page('page2', 'nav_playground.html',
814814
'en', created_by=self.superuser, published=True,
815-
parent=titles[0].page.get_parent_page(),
815+
parent=titles[0].page.get_parent_page().get_draft_object(),
816816
apphook='VariableUrlsApp', reverse_id='page2')
817817
create_title('de', 'de_title', page2, slug='slug')
818818
page2.publish('de')
@@ -854,7 +854,7 @@ def test_get_menus(self):
854854

855855
page2 = create_page('page2', 'nav_playground.html',
856856
'en', created_by=self.superuser, published=True,
857-
parent=titles[0].page.get_parent_page(),
857+
parent=titles[0].page.get_parent_page().get_draft_object(),
858858
in_navigation=True,
859859
apphook='VariableUrlsApp', reverse_id='page2')
860860
create_title('de', 'de_title', page2, slug='slug')

0 commit comments

Comments
 (0)
0