Use project contact form handler and superuser-only snippet access

2026-05-10 11:00:18 +02:00
parent c6965c422b
commit 2e81970427
8 changed files with 112 additions and 127 deletions
--- a/contact_form/init.py
+++ b/contact_form/init.py
@@ -4,4 +4,3 @@ Ocyan loads contact form handlers via module labels like `contact_form.views`.
 By shipping this package in the project repository we can extend behavior
 without forking the upstream plugin.
 """
-
--- a/contact_form/views.py
+++ b/contact_form/views.py
@@ -12,9 +12,10 @@ from django.utils.translation import gettext as _
 from django.views.decorators.http import require_http_methods
 from django.views.generic import TemplateView

-from oscar.core.utils import redirect_to_referrer
 from wagtail.models import Locale, Site

+from oscar.core.utils import redirect_to_referrer
+
 from ocyan.core.fender import config
 from ocyan.plugin.contact_form.forms import ContactForm
 from ocyan.plugin.contact_form.utils import get_from_email, get_to_email
@@ -30,6 +31,7 @@ def _client_ip(request) -> str | None:
        return forwarded_for.split(",")[0].strip() or None
    return request.META.get("REMOTE_ADDR")

+
 def _active_locale(request) -> Locale:
    language_code = (getattr(request, "LANGUAGE_CODE", "") or "").split("-")[0]
    if language_code:
@@ -51,7 +53,11 @@ def post_contact_form(request):
        message_obj = ContactMessage.objects.create(
            site=site,
            locale=locale,
-            user=request.user if getattr(request.user, "is_authenticated", False) else None,
+            user=(
+                request.user
+                if getattr(request.user, "is_authenticated", False)
+                else None
+            ),
            ip_address=_client_ip(request),
            path=request.path or "",
            name=str(cleaned.get("name", "")),
@@ -59,7 +65,11 @@ def post_contact_form(request):
            phone_number=str(cleaned.get("phonenumber") or ""),
            message=str(cleaned.get("message", "")),
        )
-        logger.info("Saved ContactMessage id=%s email=%s", message_obj.id, message_obj.email)
+        logger.info(
+            "Saved ContactMessage id=%s email=%s",
+            message_obj.id,
+            message_obj.email,
+        )

        context = {
            "website_url": request.build_absolute_uri(),
--- a/mandelstudio/migrations/0005_grant_contactmessage_permissions.py
+++ b/mandelstudio/migrations/0005_grant_contactmessage_permissions.py
@@ -1,40 +0,0 @@
-from django.db import migrations
-
-
-def grant_contactmessage_permissions(apps, schema_editor):
-    Group = apps.get_model("auth", "Group")
-    Permission = apps.get_model("auth", "Permission")
-    ContentType = apps.get_model("contenttypes", "ContentType")
-
-    try:
-        group = Group.objects.get(name="Editors")
-    except Group.DoesNotExist:
-        return
-
-    content_type = ContentType.objects.get(app_label="mandelstudio", model="contactmessage")
-    perms = Permission.objects.filter(
-        content_type=content_type,
-        codename__in=[
-            "add_contactmessage",
-            "change_contactmessage",
-            "delete_contactmessage",
-            "view_contactmessage",
-        ],
-    )
-    group.permissions.add(*perms)
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("mandelstudio", "0004_contact_messages"),
-        ("contenttypes", "0002_remove_content_type_name"),
-        ("auth", "0012_alter_user_first_name_max_length"),
-    ]
-
-    operations = [
-        migrations.RunPython(
-            grant_contactmessage_permissions,
-            reverse_code=migrations.RunPython.noop,
-        ),
-    ]
-
--- a/mandelstudio/migrations/0006_grant_contactmessage_permissions_to_staff.py
+++ b/mandelstudio/migrations/0006_grant_contactmessage_permissions_to_staff.py
@@ -1,43 +0,0 @@
-from django.db import migrations
-
-
-def grant_contactmessage_permissions_to_staff(apps, schema_editor):
-    Permission = apps.get_model("auth", "Permission")
-    ContentType = apps.get_model("contenttypes", "ContentType")
-
-    # Default Django user model in this project.
-    User = apps.get_model("auth", "User")
-
-    content_type = ContentType.objects.get(app_label="mandelstudio", model="contactmessage")
-    perms = list(
-        Permission.objects.filter(
-            content_type=content_type,
-            codename__in=[
-                "add_contactmessage",
-                "change_contactmessage",
-                "delete_contactmessage",
-                "view_contactmessage",
-            ],
-        )
-    )
-    if not perms:
-        return
-
-    for user in User.objects.filter(is_staff=True, is_active=True).iterator():
-        user.user_permissions.add(*perms)
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("mandelstudio", "0005_grant_contactmessage_permissions"),
-        ("contenttypes", "0002_remove_content_type_name"),
-        ("auth", "0012_alter_user_first_name_max_length"),
-    ]
-
-    operations = [
-        migrations.RunPython(
-            grant_contactmessage_permissions_to_staff,
-            reverse_code=migrations.RunPython.noop,
-        ),
-    ]
-
--- a/mandelstudio/migrations/0007_remove_contactmessage_permissions_from_editors.py
+++ b/mandelstudio/migrations/0007_remove_contactmessage_permissions_from_editors.py
@@ -1,40 +0,0 @@
-from django.db import migrations
-
-
-def remove_contactmessage_permissions_from_editors(apps, schema_editor):
-    Group = apps.get_model("auth", "Group")
-    Permission = apps.get_model("auth", "Permission")
-    ContentType = apps.get_model("contenttypes", "ContentType")
-
-    try:
-        group = Group.objects.get(name="Editors")
-    except Group.DoesNotExist:
-        return
-
-    content_type = ContentType.objects.get(app_label="mandelstudio", model="contactmessage")
-    perms = Permission.objects.filter(
-        content_type=content_type,
-        codename__in=[
-            "add_contactmessage",
-            "change_contactmessage",
-            "delete_contactmessage",
-            "view_contactmessage",
-        ],
-    )
-    group.permissions.remove(*perms)
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("mandelstudio", "0006_grant_contactmessage_permissions_to_staff"),
-        ("contenttypes", "0002_remove_content_type_name"),
-        ("auth", "0012_alter_user_first_name_max_length"),
-    ]
-
-    operations = [
-        migrations.RunPython(
-            remove_contactmessage_permissions_from_editors,
-            reverse_code=migrations.RunPython.noop,
-        ),
-    ]
-
--- a/mandelstudio/tests/test_contact_form_routing.py
+++ b/mandelstudio/tests/test_contact_form_routing.py
@@ -0,0 +1,37 @@
+from django.contrib.auth import get_user_model
+from django.test import SimpleTestCase, TestCase
+from django.urls import resolve
+
+from ocyan.plugin.contact_form.entrypoint import SHOP_BASE_URL
+
+from contact_form.views import post_contact_form
+from mandelstudio.models import ContactMessage
+from mandelstudio.wagtail_hooks import SuperuserOnlyPermissionPolicy
+
+
+class ContactFormRoutingTests(SimpleTestCase):
+    def test_shop_contact_form_uses_project_handler(self):
+        match = resolve(f"/{SHOP_BASE_URL}/contact-form/")
+
+        self.assertIs(match.func, post_contact_form)
+
+
+class ContactMessagePermissionPolicyTests(TestCase):
+    def test_only_superusers_have_contact_message_permissions(self):
+        user_model = get_user_model()
+        superuser = user_model.objects.create_superuser(
+            "contact-superuser",
+            "superuser@example.com",
+            "password",
+        )
+        staff_user = user_model.objects.create_user(
+            "contact-staff",
+            "staff@example.com",
+            "password",
+            is_staff=True,
+        )
+        policy = SuperuserOnlyPermissionPolicy(ContactMessage)
+
+        self.assertTrue(policy.user_has_permission(superuser, "view"))
+        self.assertFalse(policy.user_has_permission(staff_user, "view"))
+        self.assertFalse(policy.user_has_any_permission(staff_user, {"view", "change"}))
--- a/mandelstudio/urls.py
+++ b/mandelstudio/urls.py
@@ -1,9 +1,14 @@
+from django.conf.urls.i18n import i18n_patterns
 from django.urls import path
 from django.views.decorators.cache import cache_page

+from ocyan.core.fender import config
 from ocyan.main.urls import urlpatterns as ocyan_urlpatterns
+from ocyan.plugin.contact_form.entrypoint import SHOP_BASE_URL
 from ocyan.plugin.wagtail_oscar_integration.constants import CACHE_DURATION

+from contact_form.views import post_contact_form
+
 from .i18n_views import set_language_normalized
 from .sitemaps import robots_txt, sitemap_index, sitemap_section

@@ -22,4 +27,20 @@ urlpatterns = [
    ),
 ]

+contact_form_urlpatterns = [
+    path(
+        f"{SHOP_BASE_URL}/contact-form/",
+        post_contact_form,
+        name="project-contact-form-handler",
+    ),
+]
+
+if config.i18n_enabled:
+    urlpatterns += i18n_patterns(
+        *contact_form_urlpatterns,
+        prefix_default_language=False,
+    )
+else:
+    urlpatterns += contact_form_urlpatterns
+
 urlpatterns += ocyan_urlpatterns
--- a/mandelstudio/wagtail_hooks.py
+++ b/mandelstudio/wagtail_hooks.py
@@ -1,3 +1,6 @@
+from django.contrib.auth import get_user_model
+
+from wagtail.permissions import ModelPermissionPolicy
 from wagtail.snippets.models import register_snippet
 from wagtail.snippets.views.snippets import SnippetViewSet

@@ -5,6 +8,40 @@ from mandelblog_content_guard.hooks import *  # noqa: F401,F403
 from mandelstudio.models import ContactMessage


+class SuperuserOnlyPermissionPolicy(ModelPermissionPolicy):
+    def user_has_permission(self, user, action):
+        return user.is_active and user.is_superuser
+
+    def user_has_any_permission(self, user, actions):
+        return user.is_active and user.is_superuser
+
+    def user_has_permission_for_instance(self, user, action, instance):
+        return self.user_has_permission(user, action)
+
+    def user_has_any_permission_for_instance(self, user, actions, instance):
+        return self.user_has_any_permission(user, actions)
+
+    def instances_user_has_any_permission_for(self, user, actions):
+        if self.user_has_any_permission(user, actions):
+            return self.model._default_manager.all()
+        return self.model._default_manager.none()
+
+    def instances_user_has_permission_for(self, user, action):
+        return self.instances_user_has_any_permission_for(user, [action])
+
+    def users_with_any_permission(self, actions):
+        return get_user_model().objects.filter(is_active=True, is_superuser=True)
+
+    def users_with_permission(self, action):
+        return self.users_with_any_permission([action])
+
+    def users_with_any_permission_for_instance(self, actions, instance):
+        return self.users_with_any_permission(actions)
+
+    def users_with_permission_for_instance(self, action, instance):
+        return self.users_with_any_permission_for_instance([action], instance)
+
+
@register_snippet
 class ContactMessageViewSet(SnippetViewSet):
    model = ContactMessage
@@ -19,3 +56,7 @@ class ContactMessageViewSet(SnippetViewSet):
    list_filter = ("locale", "site")
    search_fields = ("name", "email", "message", "phone_number")
    ordering = ("-created_at",)
+
+    @property
+    def permission_policy(self):
+        return SuperuserOnlyPermissionPolicy(self.model)