public: don't allow ajax rendering of private cells (#12741)

2016-07-25 22:46:31 +02:00 · 2016-07-25 22:46:31 +02:00 · 1b71d7849e
parent 61c46e7a7d
commit 1b71d7849e
2 changed files with 14 additions and 0 deletions
--- a/combo/public/views.py
+++ b/combo/public/views.py
@ -76,6 +76,9 @@ def ajax_page_cell(request, page_pk, cell_reference):
    except ObjectDoesNotExist:
        raise Http404()

+    if not cell.is_visible(request.user):
+        raise PermissionDenied()
+
    context = RequestContext(request, {
        'page': page,
        'request': request,
--- a/tests/test_public.py
+++ b/tests/test_public.py
@ -219,3 +219,14 @@ def test_ajax_cell(app):
    resp = app.get(reverse('combo-public-ajax-page-cell',
        kwargs={'page_pk': page.id, 'cell_reference': cell.get_reference()}),
        status=403)
+
+    page.public = True
+    page.save()
+    cell.public = False
+    cell.save()
+    resp = app.get('/', status=200)
+    assert not 'FOOBAR' in resp.body
+
+    resp = app.get(reverse('combo-public-ajax-page-cell',
+        kwargs={'page_pk': page.id, 'cell_reference': cell.get_reference()}),
+        status=403)