Merge pull request #1589 from ostcar/fix_user_permissions
Fix osPerms to use groups registered and anonymous
commit
10c6d30252
@ -42,27 +42,12 @@ angular.module('OpenSlidesApp.users', [])
|
|||||||
}
|
}
|
||||||
return name;
|
return name;
|
||||||
},
|
},
|
||||||
get_full_name: function() {
|
|
||||||
// should be the same as in the python user model.
|
|
||||||
var firstName = _.trim(this.first_name),
|
|
||||||
lastName = _.trim(this.last_name),
|
|
||||||
structure_level = _.trim(this.structure_level),
|
|
||||||
name;
|
|
||||||
|
|
||||||
if (firstName && lastName) {
|
|
||||||
// TODO: check config
|
|
||||||
name = [firstName, lastName].join(' ');
|
|
||||||
} else {
|
|
||||||
name = firstName || lastName || this.username;
|
|
||||||
}
|
|
||||||
if (structure_level) {
|
|
||||||
name = name + " (" + structure_level + ")";
|
|
||||||
}
|
|
||||||
return name;
|
|
||||||
},
|
|
||||||
getPerms: function() {
|
getPerms: function() {
|
||||||
var allPerms = [];
|
var allPerms = [];
|
||||||
_.forEach(this.groups, function(groupId) {
|
var allGroups = this.groups;
|
||||||
|
// Add registered group
|
||||||
|
allGroups.push(2);
|
||||||
|
_.forEach(allGroups, function(groupId) {
|
||||||
// Get group from server
|
// Get group from server
|
||||||
Group.find(groupId);
|
Group.find(groupId);
|
||||||
// But do not work with the returned promise, because in
|
// But do not work with the returned promise, because in
|
||||||
|
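Review bot: `allGroups` is an alias of `this.groups`, so `allGroups.push(2)` in getPerms mutates the user object itself: each call appends another 2, and the extra id would travel with the model if it is later saved. Build a copy instead, for example `var allGroups = _.union(this.groups, [2]);`. The commit title also names the anonymous group, but only the registered group is added in the visible lines, and the bare `2` would read better as a named constant. The permissions computed here only drive the UI, so enforcement has to remain in the REST views. getPerms continues past the end of this hunk.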
@ -5,6 +5,7 @@ from django.utils.translation import ugettext as _
|
|||||||
from django.utils.translation import ugettext_lazy
|
from django.utils.translation import ugettext_lazy
|
||||||
from rest_framework import status
|
from rest_framework import status
|
||||||
|
|
||||||
|
from openslides.core.config import config
|
||||||
from openslides.utils.rest_api import ModelViewSet, Response, detail_route
|
from openslides.utils.rest_api import ModelViewSet, Response, detail_route
|
||||||
from openslides.utils.views import APIView, PDFView
|
from openslides.utils.views import APIView, PDFView
|
||||||
|
|
||||||
@ -110,10 +111,22 @@ class GroupViewSet(ModelViewSet):
|
|||||||
permission to see users and in case of create, update or destroy
|
permission to see users and in case of create, update or destroy
|
||||||
requests the permission to see extra user data and to manage users.
|
requests the permission to see extra user data and to manage users.
|
||||||
"""
|
"""
|
||||||
if (not request.user.has_perm('users.can_see_name') or
|
# Any logged in user can retrive groups.
|
||||||
(self.action in ('create', 'update', 'destroy') and not
|
# Anonymous user can retrive groups when they are activated.
|
||||||
(request.user.has_perm('users.can_manage') and
|
if (self.action in ('retrieve', 'list') and
|
||||||
request.user.has_perm('users.can_see_extra_data')))):
|
(config['general_system_enable_anonymous'] or
|
||||||
|
self.request.user.is_authenticated())):
|
||||||
|
return
|
||||||
|
|
||||||
|
# Users with the permissions 'can_manage' and 'can_see_extra_data' can
|
||||||
|
# edit groups.
|
||||||
|
if (self.action in ('create', 'update', 'destroy', 'partial_update') and
|
||||||
|
request.user.has_perm('users.can_see_name') and
|
||||||
|
request.user.has_perm('users.can_manage') and
|
||||||
|
request.user.has_perm('users.can_see_extra_data')):
|
||||||
|
return
|
||||||
|
|
||||||
|
# Raise permission_denied in any other case.
|
||||||
self.permission_denied(request)
|
self.permission_denied(request)
|
||||||
|
|
||||||
def destroy(self, request, *args, **kwargs):
|
def destroy(self, request, *args, **kwargs):
|
||||||
|
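Review bot: The docstring kept as context above the new checks still says the view requires the permission to see users, but `retrieve` and `list` are now open to every authenticated user and, when `general_system_enable_anonymous` is set, to anonymous clients. It should be rewritten to describe the two branches and to state that group data becomes readable without `users.can_see_name`. The first branch reads `self.request.user` while the rest of the method uses `request.user`; `request.user.is_authenticated()` would be consistent, and "retrive" in both new comments should be "retrieve". Including `partial_update` in the write branch and falling through to `permission_denied` for every other action is the right default-deny shape. The method starts outside the hunk.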
@ -2,6 +2,7 @@ from django.core.urlresolvers import reverse
|
|||||||
from rest_framework import status
|
from rest_framework import status
|
||||||
from rest_framework.test import APIClient
|
from rest_framework.test import APIClient
|
||||||
|
|
||||||
|
from openslides.core.config import config
|
||||||
from openslides.users.models import Group, User
|
from openslides.users.models import Group, User
|
||||||
from openslides.utils.test import TestCase
|
from openslides.utils.test import TestCase
|
||||||
|
|
||||||
@ -142,6 +143,41 @@ class UserResetPassword(TestCase):
|
|||||||
self.assertTrue(User.objects.get(pk=user.pk).check_password('new_password_Yuuh8OoQueePahngohy3'))
|
self.assertTrue(User.objects.get(pk=user.pk).check_password('new_password_Yuuh8OoQueePahngohy3'))
|
||||||
|
|
||||||
|
|
||||||
|
class GroupReceive(TestCase):
|
||||||
|
def test_get_groups_as_anonymous_deactivated(self):
|
||||||
|
"""
|
||||||
|
Test to get the groups with an anonymous user, when they are deactivated.
|
||||||
|
"""
|
||||||
|
response = self.client.get('/rest/users/group/')
|
||||||
|
|
||||||
|
self.assertEqual(response.status_code, 403)
|
||||||
|
|
||||||
|
def test_get_groups_as_anonymous_user_activated(self):
|
||||||
|
"""
|
||||||
|
Test to get the groups with an anonymous user, when they are activated.
|
||||||
|
"""
|
||||||
|
config['general_system_enable_anonymous'] = True
|
||||||
|
|
||||||
|
response = self.client.get('/rest/users/group/')
|
||||||
|
|
||||||
|
self.assertEqual(response.status_code, 200)
|
||||||
|
|
||||||
|
def test_logged_in_user_with_no_permission(self):
|
||||||
|
"""
|
||||||
|
Test to get the groups with an logged in user with no permissions.
|
||||||
|
"""
|
||||||
|
user = User(username='test')
|
||||||
|
user.set_password('test')
|
||||||
|
user.save()
|
||||||
|
registered_group = Group.objects.get(pk=2)
|
||||||
|
registered_group.permissions.all().delete()
|
||||||
|
self.client.login(username='test', password='test')
|
||||||
|
|
||||||
|
response = self.client.get('/rest/users/group/')
|
||||||
|
|
||||||
|
self.assertEqual(response.status_code, 200)
|
||||||
|
|
||||||
|
|
||||||
class GroupCreate(TestCase):
|
class GroupCreate(TestCase):
|
||||||
"""
|
"""
|
||||||
Tests creation of groups via REST API.
|
Tests creation of groups via REST API.
|
||||||
|
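Review bot: The new GroupReceive tests cover only the read path. Nothing asserts that an anonymous client or a logged-in user without `users.can_manage` gets 403 on `create`, `update`, `partial_update` or `destroy`, which is the part of the permission change most worth pinning down. In `test_logged_in_user_with_no_permission`, `registered_group.permissions.all().delete()` deletes the Permission rows themselves rather than detaching them from the group; `registered_group.permissions.clear()` states the intent. `test_get_groups_as_anonymous_user_activated` sets `config['general_system_enable_anonymous'] = True` and presumably relies on the test base class to reset it, which is not visible here.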