From 6b269125d42c040669d5f2797f4faed886309791 Mon Sep 17 00:00:00 2001
From: Yohan Boniface
Date: Wed, 13 Sep 2023 12:00:20 +0200
Subject: [PATCH] Make sure only owner see the delete map button
---
 umap/static/umap/js/umap.js | 26 ++++++++++-----
 umap/tests/integration/test_owned_map.py | 42 ++++++++++++++++++++----
 2 files changed, 52 insertions(+), 16 deletions(-)
diff --git a/umap/static/umap/js/umap.js b/umap/static/umap/js/umap.js
index 5ae8dcba..59be04ae 100644
--- a/umap/static/umap/js/umap.js
+++ b/umap/static/umap/js/umap.js
@@ -1713,20 +1713,28 @@ L.U.Map.include({
 _advancedActions: function (container) {
 const advancedActions = L.DomUtil.createFieldset(container, L._('Advanced actions'))
 const advancedButtons = L.DomUtil.create('div', 'button-bar half', advancedActions)
- const del = L.DomUtil.create('a', 'button umap-delete', advancedButtons)
- del.href = '#'
- del.textContent = L._('Delete')
- L.DomEvent.on(del, 'click', L.DomEvent.stop).on(del, 'click', this.del, this)
+ if (this.permissions.isOwner()) {
+ const del = L.DomUtil.create('a', 'button umap-delete', advancedButtons)
+ del.href = '#'
+ del.title = L._('Delete map')
+ del.textContent = L._('Delete')
+ L.DomEvent.on(del, 'click', L.DomEvent.stop).on(del, 'click', this.del, this)
+ const empty = L.DomUtil.create('a', 'button umap-empty', advancedButtons)
+ empty.href = '#'
+ empty.textContent = L._('Empty')
+ empty.title = L._('Delete all layers')
+ L.DomEvent.on(empty, 'click', L.DomEvent.stop).on(
+ empty,
+ 'click',
+ this.empty,
+ this
+ )
+ }
 const clone = L.DomUtil.create('a', 'button umap-clone', advancedButtons)
 clone.href = '#'
 clone.textContent = L._('Clone')
 clone.title = L._('Clone this map')
 L.DomEvent.on(clone, 'click', L.DomEvent.stop).on(clone, 'click', this.clone, this)
- const empty = L.DomUtil.create('a', 'button umap-empty', advancedButtons)
- empty.href = '#'
- empty.textContent = L._('Empty')
- empty.title = L._('Delete all layers')
- L.DomEvent.on(empty, 'click', L.DomEvent.stop).on(empty, 'click', this.empty, this)
 const download = L.DomUtil.create('a', 'button umap-download', advancedButtons)
 download.href = '#'
 download.textContent = L._('Download')
diff --git a/umap/tests/integration/test_owned_map.py b/umap/tests/integration/test_owned_map.py
index 3795d21a..5938c6eb 100644
--- a/umap/tests/integration/test_owned_map.py
+++ b/umap/tests/integration/test_owned_map.py
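Review bot: The `this.permissions.isOwner()` guard added in `_advancedActions` only decides whether the Delete and Empty buttons are rendered, so it is a UI hint rather than an authorization check; `this.del` and `this.empty` stay on the map object, and whatever request `del` issues (its body is outside this hunk) is not gated here. The server-side delete handler is not part of this diff, so it is worth confirming, ideally with a test, that it refuses an editor who is not the owner. I would add a comment above the guard, `// UI only: ownership must also be enforced by the server on delete`. The commit title names only the delete button, while the hunk also makes Empty owner-only; the message should say so. The body of `_advancedActions` continues past the end of the hunk.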
@@ -9,15 +9,15 @@ pytestmark = pytest.mark.django_db @pytest.fixture -def login(context, user, settings, live_server): - def do_login(username): +def login(context, settings, live_server): + def do_login(user): # TODO use storage state to do login only once per session # https://playwright.dev/python/docs/auth settings.ENABLE_ACCOUNT_LOGIN = True page = context.new_page() page.goto(f"{live_server.url}/en/") page.locator(".login").click() - page.get_by_placeholder("Username").fill(username) + page.get_by_placeholder("Username").fill(user.username) page.get_by_placeholder("Password").fill("123123") page.locator('#login_form input[type="submit"]').click() sleep(1) # Time for ajax login POST to proceed @@ -27,7 +27,7 @@ def login(context, user, settings, live_server): def test_map_update_with_owner(map, live_server, login): - page = login(map.owner.username) + page = login(map.owner) page.goto(f"{live_server.url}{map.get_absolute_url()}") map_el = page.locator("#map") expect(map_el).to_be_visible() @@ -74,7 +74,7 @@ def test_map_update_with_anonymous_but_editable_datalayer( def test_owner_permissions_form(map, datalayer, live_server, login): - page = login(map.owner.username) + page = login(map.owner) page.goto(f"{live_server.url}{map.get_absolute_url()}?edit") edit_permissions = page.get_by_title("Update permissions and editors") expect(edit_permissions).to_be_visible() @@ -93,7 +93,7 @@ def test_owner_permissions_form(map, datalayer, live_server, login): def test_map_update_with_editor(map, live_server, login, user): map.editors.add(user) map.save() - page = login(user.username) + page = login(user) page.goto(f"{live_server.url}{map.get_absolute_url()}") map_el = page.locator("#map") expect(map_el).to_be_visible() 
@@ -115,7 +115,7 @@ def test_map_update_with_editor(map, live_server, login, user): def test_permissions_form_with_editor(map, datalayer, live_server, login, user): map.editors.add(user) map.save() - page = login(user.username) + page = login(user) page.goto(f"{live_server.url}{map.get_absolute_url()}?edit") edit_permissions = page.get_by_title("Update permissions and editors") expect(edit_permissions).to_be_visible() @@ -129,3 +129,31 @@ def test_permissions_form_with_editor(map, datalayer, live_server, login, user): expect(editors_field).to_be_visible() datalayer_label = page.get_by_text('Who can edit "Donau"') expect(datalayer_label).to_be_visible() + + +def test_owner_has_delete_map_button(map, live_server, login): + page = login(map.owner) + page.goto(f"{live_server.url}{map.get_absolute_url()}?edit") + settings = page.get_by_title("Edit map settings") + expect(settings).to_be_visible() + settings.click() + advanced = page.get_by_text("Advanced actions") + expect(advanced).to_be_visible() + advanced.click() + delete = page.get_by_role("link", name="Delete") + expect(delete).to_be_visible() + + +def test_editor_do_not_have_delete_map_button(map, live_server, login, user): + map.editors.add(user) + map.save() + page = login(user) + page.goto(f"{live_server.url}{map.get_absolute_url()}?edit") + settings = page.get_by_title("Edit map settings") + expect(settings).to_be_visible() + settings.click() + advanced = page.get_by_text("Advanced actions") + expect(advanced).to_be_visible() + advanced.click() + delete = page.get_by_role("link", name="Delete") + expect(delete).to_be_hidden()
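Review bot: `test_editor_do_not_have_delete_map_button` asserts only that the link is hidden in the editor UI, so the suite still does not show that an editor is refused when the delete request reaches the server directly; a companion test that authenticates as the editor, sends the map's delete request and expects a refusal with the map still present would pin the actual access control. The Empty button, which the JS change also restricts to the owner, has no assertion in either new test; `expect(page.get_by_role("link", name="Empty")).to_be_hidden()` in the editor test would cover it. `get_by_role("link", name="Delete")` matches the accessible name by substring by default, so passing `exact=True` keeps both assertions tied to this one button.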