From 7284e75e34e6230fdc136fa557a3b4eeb138a308 Mon Sep 17 00:00:00 2001
From: Fabian Braun <fsbraun@gmx.de>
Date: Mon, 11 Nov 2024 18:17:57 +0100
Subject: [PATCH] fix: Disable toolbar items without sufficient permissions

---
 djangocms_blog/cms_appconfig.py | 17 -----------------
 djangocms_blog/cms_apps.py      | 13 ++-----------
 djangocms_blog/cms_toolbars.py  |  6 +++++-
 djangocms_blog/settings.py      |  9 +++------
 djangocms_blog/urls.py          | 33 +++++++++++++++++++++++++++++---
 djangocms_blog/urls_base.py     | 34 ---------------------------------
 djangocms_blog/urls_hub.py      |  5 -----
 7 files changed, 40 insertions(+), 77 deletions(-)
 delete mode 100644 djangocms_blog/urls_base.py
 delete mode 100644 djangocms_blog/urls_hub.py

diff --git a/djangocms_blog/cms_appconfig.py b/djangocms_blog/cms_appconfig.py
index f9d9c42c..86def7e8 100644
--- a/djangocms_blog/cms_appconfig.py
+++ b/djangocms_blog/cms_appconfig.py
@@ -15,7 +15,6 @@
     "use_placeholder": get_setting("USE_PLACEHOLDER"),
     "use_abstract": get_setting("USE_ABSTRACT"),
     "use_related": int(get_setting("USE_RELATED")),
-    "urlconf": get_setting("URLCONF") if isinstance(get_setting("URLCONF"), str) else get_setting("URLCONF")[0][0],
     "set_author": get_setting("AUTHOR_DEFAULT"),
     "paginate_by": get_setting("PAGINATION"),
     "template_prefix": "",
@@ -143,15 +142,6 @@ class Meta:
             (2, _("Yes, from this site")),
         ),
     )
-    #: Adjust urlconf (default: :ref:`USE_RELATED <USE_RELATED>`)
-    urlconf = models.CharField(
-        max_length=200,
-        verbose_name=_("URL config"),
-        default=config_defaults["urlconf"],
-        choices=(
-            [(get_setting("URLCONF"), "---")] if isinstance(get_setting("URLCONF"), str) else get_setting("URLCONF")
-        ),
-    )
     #: Set author by default (default: :ref:`AUTHOR_DEFAULT <AUTHOR_DEFAULT>`)
     set_author = models.BooleanField(
         verbose_name=_("Set author by default"),
@@ -280,13 +270,6 @@ class Meta:
         help_text=_("Emits a desktop notification -if enabled- when editing a published post"),
     )
 
-    def __init__(self, *args, **kwargs):
-        super().__init__(*args, **kwargs)
-        """Remove urlconf from form if no apphook-based url config is enabled"""
-        if isinstance(get_setting("URLCONF"), str):
-            self.fields["urlconf"].widget = forms.HiddenInput()
-            self.fields["urlconf"].label = ""  # Admin otherwise displays label for hidden field
-
     def get_app_title(self):
         return getattr(self, "app_title", _("untitled"))
 
diff --git a/djangocms_blog/cms_apps.py b/djangocms_blog/cms_apps.py
index b27934d9..57b7a13d 100644
--- a/djangocms_blog/cms_apps.py
+++ b/djangocms_blog/cms_apps.py
@@ -14,9 +14,9 @@
 @apphook_pool.register
 class BlogApp(CMSApp):
     name = _("Blog")
-    _urls = [get_setting("URLCONF") if isinstance(get_setting("URLCONF"), str) else get_setting("URLCONF")[0][0]]
     app_name = "djangocms_blog"
     app_config = BlogConfig
+    _urls = [get_setting("URLCONF")]
     _menus = [BlogCategoryMenu]
     auto_setup = {
         "enabled": get_setting("AUTO_SETUP"),
@@ -31,16 +31,7 @@ class BlogApp(CMSApp):
     }
 
     def get_urls(self, page=None, language=None, **kwargs):
-        urlconf = get_setting("URLCONF")
-        if page is None or not page.application_namespace or isinstance(urlconf, str):
-            return [urlconf]  # Single urlconf
-        return [
-            getattr(
-                self.app_config.objects.filter(namespace=page.application_namespace).first(),
-                "urlconf",
-                get_setting("URLCONF")[0][0],
-            )
-        ]  # Default if no urlconf is configured
+        return [get_setting("URLCONF")]
 
     @property
     def urls(self):
diff --git a/djangocms_blog/cms_toolbars.py b/djangocms_blog/cms_toolbars.py
index c35beeb6..26f9d8ec 100644
--- a/djangocms_blog/cms_toolbars.py
+++ b/djangocms_blog/cms_toolbars.py
@@ -110,6 +110,7 @@ def populate(self):
                 admin_menu.add_modal_item(
                     _("%(object_name)s properties") % dict(object_name=object_name.capitalize()),
                     admin_reverse("djangocms_blog_post_change", args=(current_content.post.pk,)),
+                    disabled=not self.request.user.has_perm("djangocms_blog.change_post"),
                 )
                 admin_menu.add_break()
             # Entry list menu entry
@@ -118,6 +119,7 @@ def populate(self):
                 admin_menu.add_sideframe_item(
                     _("All entries"),
                     url=url,
+                    disabled=not self.request.user.has_perm("djangocms_blog.change_post"),
                 )
             # Create menu entry
             url = admin_reverse("djangocms_blog_post_add")
@@ -126,10 +128,12 @@ def populate(self):
             admin_menu.add_modal_item(
                 _("New %(object_name)s") % dict(object_name=object_name),
                 url=url,
+                disabled=not self.request.user.has_perm("djangocms_blog.add_post"),
             )
             if current_config:
                 url = admin_reverse("djangocms_blog_blogconfig_change", args=(current_config.pk,))
-                admin_menu.add_modal_item(_("Edit Configuration"), url=url)
+                disabled = not self.request.user.has_perm("djangocms_blog.change_blogconfig")
+                admin_menu.add_modal_item(_("Edit Configuration"), url=url, disabled=disabled)
         self.add_preview_button()
         self.add_view_published_button()  # Takes the user the published post version
 
diff --git a/djangocms_blog/settings.py b/djangocms_blog/settings.py
index bd180f45..6d855591 100644
--- a/djangocms_blog/settings.py
+++ b/djangocms_blog/settings.py
@@ -98,17 +98,14 @@
 it's a dictionary with ``size``, ``crop`` and ``upscale`` keys.
 """
 
-BLOG_URLCONF = (
-    ("djangocms_blog.urls", _("Blog: Blog list at root url of blog")),
-    ("djangocms_blog.urls_hub", _("Content hub: Category list at root url of blog")),
-)
+BLOG_URLCONF = "djangocms_blog.urls"
 """
 .. _URLCONF:
 
-List of alternative URL configurations which can be set per app hook.
+Standard Apphook URLConf.
 """
 
-BLOG_PAGINATION = 10
+BLOG_PAGINATION = 20
 """
 .. _PAGINATION:
 
diff --git a/djangocms_blog/urls.py b/djangocms_blog/urls.py
index b6ed1c36..313fe098 100644
--- a/djangocms_blog/urls.py
+++ b/djangocms_blog/urls.py
@@ -1,5 +1,32 @@
-from .urls_base import get_urls
+from django.urls import path
+
+from .feeds import FBInstantArticles, LatestEntriesFeed, TagFeed
+from .settings import get_setting
+from .views import (
+    AuthorEntriesView,
+    CategoryEntriesView,
+    CategoryListView,
+    PostArchiveView,
+    PostDetailView,
+    PostListView,
+    TaggedListView,
+)
 
-# module-level app_name attribute as per django 1.9+
 app_name = "djangocms_blog"
-urlpatterns = get_urls(post_list_path="", category_path="category/", category_list_path="category/")
+urlpatterns = [
+    path("", PostListView.as_view(), name="posts-latest"),
+    path("category/", CategoryListView.as_view(), name="categories-all"),
+    path("category/<str:category>/", CategoryEntriesView.as_view(), name="posts-category"),
+    path("feed/", LatestEntriesFeed(), name="posts-latest-feed"),
+    path("feed/fb/", FBInstantArticles(), name="posts-latest-feed-fb"),
+    path("<int:year>/", PostArchiveView.as_view(), name="posts-archive"),
+    path("<int:year>/<int:month>/", PostArchiveView.as_view(), name="posts-archive"),
+    path("author/<str:username>/", AuthorEntriesView.as_view(), name="posts-author"),
+    path("tag/<slug:tag>/", TaggedListView.as_view(), name="posts-tagged"),
+    path("tag/<slug:tag>/feed/", TagFeed(), name="posts-tagged-feed"),
+]
+permalink_urls = get_setting("PERMALINK_URLS")
+for urlconf in permalink_urls.values():
+    urlpatterns.append(
+        path(urlconf, PostDetailView.as_view(), name="post-detail"),
+    )
diff --git a/djangocms_blog/urls_base.py b/djangocms_blog/urls_base.py
deleted file mode 100644
index 70e63963..00000000
--- a/djangocms_blog/urls_base.py
+++ /dev/null
@@ -1,34 +0,0 @@
-from django.urls import path
-
-from .feeds import FBInstantArticles, LatestEntriesFeed, TagFeed
-from .settings import get_setting
-from .views import (
-    AuthorEntriesView,
-    CategoryEntriesView,
-    CategoryListView,
-    PostArchiveView,
-    PostDetailView,
-    PostListView,
-    TaggedListView,
-)
-
-
-def get_urls(post_list_path, category_path, category_list_path):
-    urls = [
-        path(post_list_path, PostListView.as_view(), name="posts-latest"),
-        path(category_path, CategoryListView.as_view(), name="categories-all"),
-        path(category_list_path + "<str:category>/", CategoryEntriesView.as_view(), name="posts-category"),
-        path("feed/", LatestEntriesFeed(), name="posts-latest-feed"),
-        path("feed/fb/", FBInstantArticles(), name="posts-latest-feed-fb"),
-        path("<int:year>/", PostArchiveView.as_view(), name="posts-archive"),
-        path("<int:year>/<int:month>/", PostArchiveView.as_view(), name="posts-archive"),
-        path("author/<str:username>/", AuthorEntriesView.as_view(), name="posts-author"),
-        path("tag/<slug:tag>/", TaggedListView.as_view(), name="posts-tagged"),
-        path("tag/<slug:tag>/feed/", TagFeed(), name="posts-tagged-feed"),
-    ]
-    permalink_urls = get_setting("PERMALINK_URLS")
-    for urlconf in permalink_urls.values():
-        urls.append(
-            path(urlconf, PostDetailView.as_view(), name="post-detail"),
-        )
-    return urls
diff --git a/djangocms_blog/urls_hub.py b/djangocms_blog/urls_hub.py
deleted file mode 100644
index 1d3a9cf0..00000000
--- a/djangocms_blog/urls_hub.py
+++ /dev/null
@@ -1,5 +0,0 @@
-from .urls_base import get_urls
-
-# module-level app_name attribute as per django 1.9+
-app_name = "djangocms_blog"
-urlpatterns = get_urls(post_list_path="posts/", category_path="", category_list_path="category/")