From 2063dcff51fb797d02dc868de7d64996327a9fc9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Norman=20J=C3=A4ckel?= Date: Wed, 18 Nov 2015 01:20:49 +0100 Subject: [PATCH] Fixed create view for non staff users, fixed #1670. --- openslides/motions/views.py | 2 +- tests/integration/motions/test_viewset.py | 15 +++++++++++++++ 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/openslides/motions/views.py b/openslides/motions/views.py index 2dc66d248..ce721486a 100644 --- a/openslides/motions/views.py +++ b/openslides/motions/views.py @@ -82,7 +82,7 @@ class MotionViewSet(ModelViewSet): """ # Check permission to send submitter and supporter data. if (not request.user.has_perm('motions.can_manage') and - (request.data.getlist('submitters') or request.data.getlist('supporters'))): + (request.data.get('submitters_id') or request.data.get('supporters_id'))): # Non-staff users are not allowed to send submitter or supporter data. self.permission_denied(request) diff --git a/tests/integration/motions/test_viewset.py b/tests/integration/motions/test_viewset.py index f8eebaf46..b7f664974 100644 --- a/tests/integration/motions/test_viewset.py +++ b/tests/integration/motions/test_viewset.py @@ -120,6 +120,21 @@ class CreateMotion(TestCase): self.assertEqual(response.status_code, status.HTTP_201_CREATED) self.assertEqual(Motion.objects.get().state.workflow_id, 2) + def test_non_admin(self): + """ + Test to create a motion by a delegate, non staff user. + """ + self.admin = get_user_model().objects.get(username='admin') + self.admin.groups.add(3) + self.admin.groups.remove(4) + + response = self.client.post( + reverse('motion-list'), + {'title': 'test_title_peiJozae0luew9EeL8bo', + 'text': 'test_text_eHohS8ohr5ahshoah8Oh'}) + + self.assertEqual(response.status_code, status.HTTP_201_CREATED) + class UpdateMotion(TestCase): """