public: don't allow ajax rendering of private cells (#12741)
parent
61c46e7a7d
commit
1b71d7849e
|
@ -76,6 +76,9 @@ def ajax_page_cell(request, page_pk, cell_reference):
|
|||
except ObjectDoesNotExist:
|
||||
raise Http404()
|
||||
|
||||
if not cell.is_visible(request.user):
|
||||
raise PermissionDenied()
|
||||
|
||||
context = RequestContext(request, {
|
||||
'page': page,
|
||||
'request': request,
|
||||
|
|
|
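Review bot: The new `is_visible` check answers a hidden cell with 403, while the `ObjectDoesNotExist` branch just above answers a missing one with 404, so an anonymous client can tell from the status code which cell references exist but are private. If the existence of private cells is meant to stay hidden, `raise Http404()` here would make the two cases indistinguishable. If 403 is deliberate (the existing test in this commit suggests the endpoint already answers 403 in another case), a short comment such as `# private cells must not be rendered through the ajax endpoint either` would record the intent. The body of `ajax_page_cell` starts and continues outside this hunk, so how this check is ordered relative to any page-level check cannot be confirmed from here.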
@ -219,3 +219,14 @@ def test_ajax_cell(app):
|
|||
resp = app.get(reverse('combo-public-ajax-page-cell',
|
||||
kwargs={'page_pk': page.id, 'cell_reference': cell.get_reference()}),
|
||||
status=403)
|
||||
|
||||
page.public = True
|
||||
page.save()
|
||||
cell.public = False
|
||||
cell.save()
|
||||
resp = app.get('/', status=200)
|
||||
assert not 'FOOBAR' in resp.body
|
||||
|
||||
resp = app.get(reverse('combo-public-ajax-page-cell',
|
||||
kwargs={'page_pk': page.id, 'cell_reference': cell.get_reference()}),
|
||||
status=403)
|
||||
|
|
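Review bot: The added assertions only exercise the anonymous denial; nothing checks that a user who is allowed to see the cell still gets a 200 from `combo-public-ajax-page-cell`, so a check that rejects everyone would also pass this test. A second request made as a logged-in user (presumably the audience of a cell with `public = False`) with `status=200` would pin the permission from both sides. As a style point, `assert not 'FOOBAR' in resp.body` reads better as `assert 'FOOBAR' not in resp.body`. `test_ajax_cell` starts outside the hunk, so the login helper available to it is not visible here.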