Merge pull request #1589 from ostcar/fix_user_permissions

Fix osPerms to use groups registered and anonymous
This commit is contained in:
Oskar Hahn 2015-07-01 00:36:33 +02:00
commit 10c6d30252
3 changed files with 58 additions and 24 deletions

View File

@ -42,27 +42,12 @@ angular.module('OpenSlidesApp.users', [])
} }
return name; return name;
}, },
get_full_name: function() {
// should be the same as in the python user model.
var firstName = _.trim(this.first_name),
lastName = _.trim(this.last_name),
structure_level = _.trim(this.structure_level),
name;
if (firstName && lastName) {
// TODO: check config
name = [firstName, lastName].join(' ');
} else {
name = firstName || lastName || this.username;
}
if (structure_level) {
name = name + " (" + structure_level + ")";
}
return name;
},
getPerms: function() { getPerms: function() {
var allPerms = []; var allPerms = [];
_.forEach(this.groups, function(groupId) { var allGroups = this.groups;
// Add registered group
allGroups.push(2);
_.forEach(allGroups, function(groupId) {
// Get group from server // Get group from server
Group.find(groupId); Group.find(groupId);
// But do not work with the returned promise, because in // But do not work with the returned promise, because in

View File

@ -5,6 +5,7 @@ from django.utils.translation import ugettext as _
from django.utils.translation import ugettext_lazy from django.utils.translation import ugettext_lazy
from rest_framework import status from rest_framework import status
from openslides.core.config import config
from openslides.utils.rest_api import ModelViewSet, Response, detail_route from openslides.utils.rest_api import ModelViewSet, Response, detail_route
from openslides.utils.views import APIView, PDFView from openslides.utils.views import APIView, PDFView
@ -110,10 +111,22 @@ class GroupViewSet(ModelViewSet):
permission to see users and in case of create, update or destroy permission to see users and in case of create, update or destroy
requests the permission to see extra user data and to manage users. requests the permission to see extra user data and to manage users.
""" """
if (not request.user.has_perm('users.can_see_name') or # Any logged in user can retrive groups.
(self.action in ('create', 'update', 'destroy') and not # Anonymous user can retrive groups when they are activated.
(request.user.has_perm('users.can_manage') and if (self.action in ('retrieve', 'list') and
request.user.has_perm('users.can_see_extra_data')))): (config['general_system_enable_anonymous'] or
self.request.user.is_authenticated())):
return
# Users with the permissions 'can_manage' and 'can_see_extra_data' can
# edit groups.
if (self.action in ('create', 'update', 'destroy', 'partial_update') and
request.user.has_perm('users.can_see_name') and
request.user.has_perm('users.can_manage') and
request.user.has_perm('users.can_see_extra_data')):
return
# Raise permission_denied in any other case.
self.permission_denied(request) self.permission_denied(request)
def destroy(self, request, *args, **kwargs): def destroy(self, request, *args, **kwargs):

View File

@ -2,6 +2,7 @@ from django.core.urlresolvers import reverse
from rest_framework import status from rest_framework import status
from rest_framework.test import APIClient from rest_framework.test import APIClient
from openslides.core.config import config
from openslides.users.models import Group, User from openslides.users.models import Group, User
from openslides.utils.test import TestCase from openslides.utils.test import TestCase
@ -142,6 +143,41 @@ class UserResetPassword(TestCase):
self.assertTrue(User.objects.get(pk=user.pk).check_password('new_password_Yuuh8OoQueePahngohy3')) self.assertTrue(User.objects.get(pk=user.pk).check_password('new_password_Yuuh8OoQueePahngohy3'))
class GroupReceive(TestCase):
def test_get_groups_as_anonymous_deactivated(self):
"""
Test to get the groups with an anonymous user, when they are deactivated.
"""
response = self.client.get('/rest/users/group/')
self.assertEqual(response.status_code, 403)
def test_get_groups_as_anonymous_user_activated(self):
"""
Test to get the groups with an anonymous user, when they are activated.
"""
config['general_system_enable_anonymous'] = True
response = self.client.get('/rest/users/group/')
self.assertEqual(response.status_code, 200)
def test_logged_in_user_with_no_permission(self):
"""
Test to get the groups with an logged in user with no permissions.
"""
user = User(username='test')
user.set_password('test')
user.save()
registered_group = Group.objects.get(pk=2)
registered_group.permissions.all().delete()
self.client.login(username='test', password='test')
response = self.client.get('/rest/users/group/')
self.assertEqual(response.status_code, 200)
class GroupCreate(TestCase): class GroupCreate(TestCase):
""" """
Tests creation of groups via REST API. Tests creation of groups via REST API.