From f0c9f587924d9b7abe22e847bd99ae9b34d5b937 Mon Sep 17 00:00:00 2001
From: Alexey Pelykh <alexey.pelykh@gmail.com>
Date: Mon, 16 Dec 2024 15:52:28 +0100
Subject: [PATCH] wip

---
 website_page_redirect/models/ir_http.py       |   8 +
 website_page_redirect/tests/test_ir_http.py   | 194 ++++++++++++++++--
 .../views/website_layout.xml                  |   4 +-
 3 files changed, 189 insertions(+), 17 deletions(-)

diff --git a/website_page_redirect/models/ir_http.py b/website_page_redirect/models/ir_http.py
index af3d9226b0..9d7e22009a 100644
--- a/website_page_redirect/models/ir_http.py
+++ b/website_page_redirect/models/ir_http.py
@@ -18,6 +18,13 @@ def _serve_page(cls):
         if not response and getattr(response, "status_code", 0) != 200:
             return response
 
+        if (
+            http.request.db
+            and http.request.session.uid
+            and http.request.env.user.has_group("website.group_website_designer")
+        ):
+            return response
+
         page = (
             http.request.env["website.page"]
             .sudo()
@@ -33,6 +40,7 @@ def _serve_page(cls):
 
         if not page.is_redirect or page.redirect_method != "http":
             return response
+
         return http.request.redirect(
             page.redirect_url,
             code=int(page.redirect_http_code) if page.redirect_http_code else 301,
diff --git a/website_page_redirect/tests/test_ir_http.py b/website_page_redirect/tests/test_ir_http.py
index f2760767cb..c9c6bb4dbb 100644
--- a/website_page_redirect/tests/test_ir_http.py
+++ b/website_page_redirect/tests/test_ir_http.py
@@ -1,6 +1,7 @@
 # Copyright 2024 CorporateHub (https://corporatehub.eu)
 # License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl).
-from odoo.tests import HttpCase
+from odoo import http
+from odoo.tests import HOST, HttpCase, Opener, get_db_name, new_test_user
 
 
 class TestIrHttp(HttpCase):
@@ -9,13 +10,25 @@ def setUpClass(cls):
         super().setUpClass()
 
         cls.website = cls.env["website"].sudo().get_current_website()
+        cls.website_designer = new_test_user(
+            cls.env,
+            "website_designer",
+            groups="base.group_user,website.group_website_designer",
+        )
+
+    def setUp(self):
+        super().setUp()
+        self.session = http.root.session_store.new()
+        self.session.update(http.get_default_session(), db=get_db_name())
+        self.opener = Opener(self.env.cr)
+        self.opener.cookies.set("session_id", self.session.sid, domain=HOST, path="/")
 
     def test_404(self):
-        response = self.url_open(
+        redirect_response = self.url_open(
             "/non-existing-page",
             allow_redirects=False,
         )
-        self.assertEqual(response.status_code, 404)
+        self.assertEqual(redirect_response.status_code, 404)
 
     def test_http_redirect(self):
         http_redirect_page = self.env["website.page"].create(
@@ -33,17 +46,50 @@ def test_http_redirect(self):
             }
         )
 
-        response = self.url_open(
+        redirect_response = self.url_open(
             http_redirect_page.url,
             allow_redirects=False,
         )
 
-        self.assertEqual(response.status_code, 301)
+        self.assertEqual(redirect_response.status_code, 301)
         self.assertEqual(
             "https://corporatehub.eu",
-            response.headers["Location"],
+            redirect_response.headers["Location"],
+        )
+
+    def test_no_http_redirect_for_website_designer(self):
+        http_redirect_page = self.env["website.page"].create(
+            {
+                "website_id": self.website.id,
+                "name": "http-redirect",
+                "url": "/http-redirect",
+                "type": "qweb",
+                "arch": "<t t-call='website.layout'>http-redirect</t>",
+                "is_published": True,
+                "is_redirect": True,
+                "redirect_method": "http",
+                "redirect_http_code": "301",
+                "redirect_url": "https://corporatehub.eu",
+            }
         )
 
+        login_response = self.url_open(
+            "/web/login",
+            data={
+                "login": self.website_designer.login,
+                "password": self.website_designer.login,
+                "csrf_token": http.Request.csrf_token(self),
+            },
+        )
+        login_response.raise_for_status()
+
+        redirect_response = self.url_open(
+            http_redirect_page.url,
+            allow_redirects=False,
+        )
+
+        self.assertEqual(redirect_response.status_code, 200)
+
     def test_meta_redirect(self):
         http_redirect_page = self.env["website.page"].create(
             {
@@ -60,16 +106,54 @@ def test_meta_redirect(self):
             }
         )
 
-        response = self.url_open(http_redirect_page.url)
+        redirect_response = self.url_open(http_redirect_page.url)
 
-        self.assertEqual(response.status_code, 200)
+        self.assertEqual(redirect_response.status_code, 200)
         self.assertIn(
             (
                 "<meta"
                 ' http-equiv="refresh"'
                 ' content="5;url=https://corporatehub.eu"/>'
             ),
-            response.content.decode("utf-8"),
+            redirect_response.content.decode("utf-8"),
+        )
+
+    def test_no_meta_redirect_for_website_designer(self):
+        http_redirect_page = self.env["website.page"].create(
+            {
+                "website_id": self.website.id,
+                "name": "meta-redirect",
+                "url": "/meta-redirect",
+                "type": "qweb",
+                "arch": "<t t-call='website.layout'>meta-redirect</t>",
+                "is_published": True,
+                "is_redirect": True,
+                "redirect_method": "meta",
+                "redirect_delay": 5,
+                "redirect_url": "https://corporatehub.eu",
+            }
+        )
+
+        login_response = self.url_open(
+            "/web/login",
+            data={
+                "login": self.website_designer.login,
+                "password": self.website_designer.login,
+                "csrf_token": http.Request.csrf_token(self),
+            },
+        )
+        login_response.raise_for_status()
+
+        redirect_response = self.url_open(http_redirect_page.url)
+
+        self.assertEqual(redirect_response.status_code, 200)
+        self.assertNotIn(
+            (
+                "<meta"
+                ' http-equiv="refresh"'
+                ' content="5;url=https://corporatehub.eu"/>'
+            ),
+            redirect_response.content.decode("utf-8"),
         )
 
     def test_js_href_redirect(self):
@@ -88,9 +172,9 @@ def test_js_href_redirect(self):
             }
         )
 
-        response = self.url_open(http_redirect_page.url)
+        redirect_response = self.url_open(http_redirect_page.url)
 
-        self.assertEqual(response.status_code, 200)
+        self.assertEqual(redirect_response.status_code, 200)
         self.assertIn(
             (
                 "setTimeout(\n"
@@ -99,7 +183,47 @@ def test_js_href_redirect(self):
                 "    5000,\n"
                 ");"
             ),
-            response.content.decode("utf-8"),
+            redirect_response.content.decode("utf-8"),
+        )
+
+    def test_no_js_href_redirect_for_website_designer(self):
+        http_redirect_page = self.env["website.page"].create(
+            {
+                "website_id": self.website.id,
+                "name": "js-href-redirect",
+                "url": "/js-href-redirect",
+                "type": "qweb",
+                "arch": "<t t-call='website.layout'>js-href-redirect</t>",
+                "is_published": True,
+                "is_redirect": True,
+                "redirect_method": "js-href",
+                "redirect_delay": 5,
+                "redirect_url": "https://corporatehub.eu",
+            }
+        )
+
+        login_response = self.url_open(
+            "/web/login",
+            data={
+                "login": self.website_designer.login,
+                "password": self.website_designer.login,
+                "csrf_token": http.Request.csrf_token(self),
+            },
+        )
+        login_response.raise_for_status()
+
+        redirect_response = self.url_open(http_redirect_page.url)
+
+        self.assertEqual(redirect_response.status_code, 200)
+        self.assertNotIn(
+            (
+                "setTimeout(\n"
+                "    function() {"
+                " window.location.href = 'https://corporatehub.eu'; },\n"
+                "    5000,\n"
+                ");"
+            ),
+            redirect_response.content.decode("utf-8"),
         )
 
     def test_js_replace_redirect(self):
@@ -118,9 +242,9 @@ def test_js_replace_redirect(self):
             }
         )
 
-        response = self.url_open(http_redirect_page.url)
+        redirect_response = self.url_open(http_redirect_page.url)
 
-        self.assertEqual(response.status_code, 200)
+        self.assertEqual(redirect_response.status_code, 200)
         self.assertIn(
             (
                 "setTimeout(\n"
@@ -129,5 +253,45 @@ def test_js_replace_redirect(self):
                 "    5000,\n"
                 ");"
             ),
-            response.content.decode("utf-8"),
+            redirect_response.content.decode("utf-8"),
+        )
+
+    def test_no_js_replace_redirect_for_website_designer(self):
+        http_redirect_page = self.env["website.page"].create(
+            {
+                "website_id": self.website.id,
+                "name": "js-replace-redirect",
+                "url": "/js-replace-redirect",
+                "type": "qweb",
+                "arch": "<t t-call='website.layout'>js-replace-redirect</t>",
+                "is_published": True,
+                "is_redirect": True,
+                "redirect_method": "js-replace",
+                "redirect_delay": 5,
+                "redirect_url": "https://corporatehub.eu",
+            }
+        )
+
+        login_response = self.url_open(
+            "/web/login",
+            data={
+                "login": self.website_designer.login,
+                "password": self.website_designer.login,
+                "csrf_token": http.Request.csrf_token(self),
+            },
+        )
+        login_response.raise_for_status()
+
+        redirect_response = self.url_open(http_redirect_page.url)
+
+        self.assertEqual(redirect_response.status_code, 200)
+        self.assertNotIn(
+            (
+                "setTimeout(\n"
+                "    function() {"
+                " window.location.replace('https://corporatehub.eu'); },\n"
+                "    5000,\n"
+                ");"
+            ),
+            redirect_response.content.decode("utf-8"),
         )
diff --git a/website_page_redirect/views/website_layout.xml b/website_page_redirect/views/website_layout.xml
index 2c559405d8..5286b36202 100644
--- a/website_page_redirect/views/website_layout.xml
+++ b/website_page_redirect/views/website_layout.xml
@@ -8,7 +8,7 @@
     <template id="website__layout" inherit_id="website.layout">
         <xpath expr="//head/meta[last()]" position="after">
             <t
-                t-if="main_object and 'is_redirect' in main_object and main_object.is_redirect and main_object.redirect_method == 'meta'"
+                t-if="main_object and not request.env.user.has_group('website.group_website_designer') and 'is_redirect' in main_object and main_object.is_redirect and main_object.redirect_method == 'meta'"
             >
                 <meta
                     http-equiv="refresh"
@@ -18,7 +18,7 @@
         </xpath>
         <xpath expr="//head/*[last()]" position="after">
             <t
-                t-if="main_object and 'is_redirect' in main_object and main_object.is_redirect and main_object.redirect_method in ('js-href', 'js-replace')"
+                t-if="main_object and not request.env.user.has_group('website.group_website_designer') and 'is_redirect' in main_object and main_object.is_redirect and main_object.redirect_method in ('js-href', 'js-replace')"
                 t-out="main_object.redirect_js_code"
             />
         </xpath>