Merge pull request #1589 from ostcar/fix_user_permissions

Fix osPerms to use groups registered and anonymous

openslides/users/static/js/users/users.js

@@ -42,27 +42,12 @@ angular.module('OpenSlidesApp.users', [])
                 }
                 return name;
             },
-            get_full_name: function() {
-                // should be the same as in the python user model.
-                var firstName = _.trim(this.first_name),
-                    lastName = _.trim(this.last_name),
-                    structure_level = _.trim(this.structure_level),
-                    name;
-
-                if (firstName && lastName) {
-                    // TODO: check config
-                    name = [firstName, lastName].join(' ');
-                } else {
-                    name = firstName || lastName || this.username;
-                }
-                if (structure_level) {
-                    name = name + " (" + structure_level + ")";
-                }
-                return name;
-            },
             getPerms: function() {
                 var allPerms = [];
-                _.forEach(this.groups, function(groupId) {
+                var allGroups = this.groups;
+                // Add registered group
+                allGroups.push(2);
+                _.forEach(allGroups, function(groupId) {
                     // Get group from server
                     Group.find(groupId);
                     // But do not work with the returned promise, because in

openslides/users/views.py

@@ -5,6 +5,7 @@ from django.utils.translation import ugettext as _
 from django.utils.translation import ugettext_lazy
 from rest_framework import status
 
+from openslides.core.config import config
 from openslides.utils.rest_api import ModelViewSet, Response, detail_route
 from openslides.utils.views import APIView, PDFView
 
@@ -110,11 +111,23 @@ class GroupViewSet(ModelViewSet):
         permission to see users and in case of create, update or destroy
         requests the permission to see extra user data and to manage users.
         """
-        if (not request.user.has_perm('users.can_see_name') or
+        # Any logged in user can retrive groups.
-                (self.action in ('create', 'update', 'destroy') and not
+        # Anonymous user can retrive groups when they are activated.
-                 (request.user.has_perm('users.can_manage') and
+        if (self.action in ('retrieve', 'list') and
-                  request.user.has_perm('users.can_see_extra_data')))):
+                (config['general_system_enable_anonymous'] or
-            self.permission_denied(request)
+                 self.request.user.is_authenticated())):
+            return
+
+        # Users with the permissions 'can_manage' and 'can_see_extra_data' can
+        # edit groups.
+        if (self.action in ('create', 'update', 'destroy', 'partial_update') and
+                request.user.has_perm('users.can_see_name') and
+                request.user.has_perm('users.can_manage') and
+                request.user.has_perm('users.can_see_extra_data')):
+            return
+
+        # Raise permission_denied in any other case.
+        self.permission_denied(request)
 
     def destroy(self, request, *args, **kwargs):
         """

tests/integration/users/test_viewset.py

@@ -2,6 +2,7 @@ from django.core.urlresolvers import reverse
 from rest_framework import status
 from rest_framework.test import APIClient
 
+from openslides.core.config import config
 from openslides.users.models import Group, User
 from openslides.utils.test import TestCase
 
@@ -142,6 +143,41 @@ class UserResetPassword(TestCase):
         self.assertTrue(User.objects.get(pk=user.pk).check_password('new_password_Yuuh8OoQueePahngohy3'))
 
 
+class GroupReceive(TestCase):
+    def test_get_groups_as_anonymous_deactivated(self):
+        """
+        Test to get the groups with an anonymous user, when they are deactivated.
+        """
+        response = self.client.get('/rest/users/group/')
+
+        self.assertEqual(response.status_code, 403)
+
+    def test_get_groups_as_anonymous_user_activated(self):
+        """
+        Test to get the groups with an anonymous user, when they are activated.
+        """
+        config['general_system_enable_anonymous'] = True
+
+        response = self.client.get('/rest/users/group/')
+
+        self.assertEqual(response.status_code, 200)
+
+    def test_logged_in_user_with_no_permission(self):
+        """
+        Test to get the groups with an logged in user with no permissions.
+        """
+        user = User(username='test')
+        user.set_password('test')
+        user.save()
+        registered_group = Group.objects.get(pk=2)
+        registered_group.permissions.all().delete()
+        self.client.login(username='test', password='test')
+
+        response = self.client.get('/rest/users/group/')
+
+        self.assertEqual(response.status_code, 200)
+
+
 class GroupCreate(TestCase):
     """
     Tests creation of groups via REST API.