Merge pull request #1589 from ostcar/fix_user_permissions

Fix osPerms to use the registered and anonymous groups
Oskar Hahn 2015-07-01 00:36:33 +02:00
commit 10c6d30252
3 changed files with 58 additions and 24 deletions


@ -42,27 +42,12 @@ angular.module('OpenSlidesApp.users', [])
}
return name;
},
get_full_name: function() {
// should be the same as in the python user model.
var firstName = _.trim(this.first_name),
lastName = _.trim(this.last_name),
structure_level = _.trim(this.structure_level),
name;
if (firstName && lastName) {
// TODO: check config
name = [firstName, lastName].join(' ');
} else {
name = firstName || lastName || this.username;
}
if (structure_level) {
name = name + " (" + structure_level + ")";
}
return name;
},
getPerms: function() {
var allPerms = [];
_.forEach(this.groups, function(groupId) {
var allGroups = this.groups;
// Add registered group
allGroups.push(2);
_.forEach(allGroups, function(groupId) {
// Get group from server
Group.find(groupId);
// But do not work with the returned promise, because in
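Review bot: `var allGroups = this.groups;` followed by `allGroups.push(2);` does not copy the array, so each call to getPerms appends another `2` to the user's own `groups` and anything else that reads `this.groups` sees the extra entries. Build a fresh array instead, e.g. `var allGroups = _.union(this.groups, [2]);` — lodash is already used in this file. Whether the anonymous group mentioned in the commit title is added further down cannot be seen here, since getPerms continues past the end of the hunk. Keep in mind this client-side list is only for the UI; the server-side check remains the authority, so it must not be the only place a permission is enforced.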


@ -5,6 +5,7 @@ from django.utils.translation import ugettext as _
from django.utils.translation import ugettext_lazy
from rest_framework import status
from openslides.core.config import config
from openslides.utils.rest_api import ModelViewSet, Response, detail_route
from openslides.utils.views import APIView, PDFView
@ -110,11 +111,23 @@ class GroupViewSet(ModelViewSet):
permission to see users and in case of create, update or destroy
requests the permission to see extra user data and to manage users.
"""
if (not request.user.has_perm('users.can_see_name') or
(self.action in ('create', 'update', 'destroy') and not
(request.user.has_perm('users.can_manage') and
request.user.has_perm('users.can_see_extra_data')))):
self.permission_denied(request)
# Any logged in user can retrive groups.
# Anonymous user can retrive groups when they are activated.
if (self.action in ('retrieve', 'list') and
(config['general_system_enable_anonymous'] or
self.request.user.is_authenticated())):
return
# Users with the permissions 'can_manage' and 'can_see_extra_data' can
# edit groups.
if (self.action in ('create', 'update', 'destroy', 'partial_update') and
request.user.has_perm('users.can_see_name') and
request.user.has_perm('users.can_manage') and
request.user.has_perm('users.can_see_extra_data')):
return
# Raise permission_denied in any other case.
self.permission_denied(request)
def destroy(self, request, *args, **kwargs):
"""
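Review bot: The docstring of this permission check (its opening lines lie before the hunk) still says retrieving groups requires the permission to see users, but the new branch at `if (self.action in ('retrieve', 'list') and` grants list and retrieve to every authenticated user and to anonymous users whenever `general_system_enable_anonymous` is set, so the docstring now misdocuments what the endpoint exposes; replace it with something like `Any logged in user, and anonymous users when they are enabled, may list and retrieve groups; create, update, partial_update and destroy require can_see_name, can_manage and can_see_extra_data.` That branch also reads `self.request.user.is_authenticated()` while every other line uses `request.user`; use `request.user.is_authenticated()` for consistency. Since the full group-to-permission mapping is now readable without any permission, which appears intentional given the client change in this commit, it is worth saying so explicitly in the docstring rather than leaving it implicit. The enclosing method starts outside the hunk.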


@ -2,6 +2,7 @@ from django.core.urlresolvers import reverse
from rest_framework import status
from rest_framework.test import APIClient
from openslides.core.config import config
from openslides.users.models import Group, User
from openslides.utils.test import TestCase
@ -142,6 +143,41 @@ class UserResetPassword(TestCase):
self.assertTrue(User.objects.get(pk=user.pk).check_password('new_password_Yuuh8OoQueePahngohy3'))
class GroupReceive(TestCase):
def test_get_groups_as_anonymous_deactivated(self):
"""
Test to get the groups with an anonymous user, when they are deactivated.
"""
response = self.client.get('/rest/users/group/')
self.assertEqual(response.status_code, 403)
def test_get_groups_as_anonymous_user_activated(self):
"""
Test to get the groups with an anonymous user, when they are activated.
"""
config['general_system_enable_anonymous'] = True
response = self.client.get('/rest/users/group/')
self.assertEqual(response.status_code, 200)
def test_logged_in_user_with_no_permission(self):
"""
Test to get the groups with an logged in user with no permissions.
"""
user = User(username='test')
user.set_password('test')
user.save()
registered_group = Group.objects.get(pk=2)
registered_group.permissions.all().delete()
self.client.login(username='test', password='test')
response = self.client.get('/rest/users/group/')
self.assertEqual(response.status_code, 200)
class GroupCreate(TestCase):
"""
Tests creation of groups via REST API.
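Review bot: `registered_group.permissions.all().delete()` in test_logged_in_user_with_no_permission deletes the Permission rows themselves from the database rather than their link to the group; `registered_group.permissions.clear()` removes just the relation, which is what the test intends. More importantly, the new tests only exercise the widened read path: nothing checks that an anonymous user (with anonymous enabled) or a logged-in user without can_manage still gets 403 on POST, PUT, PATCH or DELETE to `/rest/users/group/`, which is the property that matters most after loosening the check. A test such as `response = self.client.post('/rest/users/group/', {'name': 'x'})` followed by `self.assertEqual(response.status_code, 403)` under both conditions would pin it. `config['general_system_enable_anonymous'] = True` is also never reset; if config values persist across tests in this suite (cannot be told from here), it may leak into later tests.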