Merge pull request #1589 from ostcar/fix_user_permissions
Fix osPerms to use groups registered and anonymous
This commit is contained in:
commit
10c6d30252
@ -42,27 +42,12 @@ angular.module('OpenSlidesApp.users', [])
|
||||
}
|
||||
return name;
|
||||
},
|
||||
get_full_name: function() {
|
||||
// should be the same as in the python user model.
|
||||
var firstName = _.trim(this.first_name),
|
||||
lastName = _.trim(this.last_name),
|
||||
structure_level = _.trim(this.structure_level),
|
||||
name;
|
||||
|
||||
if (firstName && lastName) {
|
||||
// TODO: check config
|
||||
name = [firstName, lastName].join(' ');
|
||||
} else {
|
||||
name = firstName || lastName || this.username;
|
||||
}
|
||||
if (structure_level) {
|
||||
name = name + " (" + structure_level + ")";
|
||||
}
|
||||
return name;
|
||||
},
|
||||
getPerms: function() {
|
||||
var allPerms = [];
|
||||
_.forEach(this.groups, function(groupId) {
|
||||
var allGroups = this.groups;
|
||||
// Add registered group
|
||||
allGroups.push(2);
|
||||
_.forEach(allGroups, function(groupId) {
|
||||
// Get group from server
|
||||
Group.find(groupId);
|
||||
// But do not work with the returned promise, because in
|
||||
|
@ -5,6 +5,7 @@ from django.utils.translation import ugettext as _
|
||||
from django.utils.translation import ugettext_lazy
|
||||
from rest_framework import status
|
||||
|
||||
from openslides.core.config import config
|
||||
from openslides.utils.rest_api import ModelViewSet, Response, detail_route
|
||||
from openslides.utils.views import APIView, PDFView
|
||||
|
||||
@ -110,10 +111,22 @@ class GroupViewSet(ModelViewSet):
|
||||
permission to see users and in case of create, update or destroy
|
||||
requests the permission to see extra user data and to manage users.
|
||||
"""
|
||||
if (not request.user.has_perm('users.can_see_name') or
|
||||
(self.action in ('create', 'update', 'destroy') and not
|
||||
(request.user.has_perm('users.can_manage') and
|
||||
request.user.has_perm('users.can_see_extra_data')))):
|
||||
# Any logged in user can retrive groups.
|
||||
# Anonymous user can retrive groups when they are activated.
|
||||
if (self.action in ('retrieve', 'list') and
|
||||
(config['general_system_enable_anonymous'] or
|
||||
self.request.user.is_authenticated())):
|
||||
return
|
||||
|
||||
# Users with the permissions 'can_manage' and 'can_see_extra_data' can
|
||||
# edit groups.
|
||||
if (self.action in ('create', 'update', 'destroy', 'partial_update') and
|
||||
request.user.has_perm('users.can_see_name') and
|
||||
request.user.has_perm('users.can_manage') and
|
||||
request.user.has_perm('users.can_see_extra_data')):
|
||||
return
|
||||
|
||||
# Raise permission_denied in any other case.
|
||||
self.permission_denied(request)
|
||||
|
||||
def destroy(self, request, *args, **kwargs):
|
||||
|
@ -2,6 +2,7 @@ from django.core.urlresolvers import reverse
|
||||
from rest_framework import status
|
||||
from rest_framework.test import APIClient
|
||||
|
||||
from openslides.core.config import config
|
||||
from openslides.users.models import Group, User
|
||||
from openslides.utils.test import TestCase
|
||||
|
||||
@ -142,6 +143,41 @@ class UserResetPassword(TestCase):
|
||||
self.assertTrue(User.objects.get(pk=user.pk).check_password('new_password_Yuuh8OoQueePahngohy3'))
|
||||
|
||||
|
||||
class GroupReceive(TestCase):
|
||||
def test_get_groups_as_anonymous_deactivated(self):
|
||||
"""
|
||||
Test to get the groups with an anonymous user, when they are deactivated.
|
||||
"""
|
||||
response = self.client.get('/rest/users/group/')
|
||||
|
||||
self.assertEqual(response.status_code, 403)
|
||||
|
||||
def test_get_groups_as_anonymous_user_activated(self):
|
||||
"""
|
||||
Test to get the groups with an anonymous user, when they are activated.
|
||||
"""
|
||||
config['general_system_enable_anonymous'] = True
|
||||
|
||||
response = self.client.get('/rest/users/group/')
|
||||
|
||||
self.assertEqual(response.status_code, 200)
|
||||
|
||||
def test_logged_in_user_with_no_permission(self):
|
||||
"""
|
||||
Test to get the groups with an logged in user with no permissions.
|
||||
"""
|
||||
user = User(username='test')
|
||||
user.set_password('test')
|
||||
user.save()
|
||||
registered_group = Group.objects.get(pk=2)
|
||||
registered_group.permissions.all().delete()
|
||||
self.client.login(username='test', password='test')
|
||||
|
||||
response = self.client.get('/rest/users/group/')
|
||||
|
||||
self.assertEqual(response.status_code, 200)
|
||||
|
||||
|
||||
class GroupCreate(TestCase):
|
||||
"""
|
||||
Tests creation of groups via REST API.
|
||||
|
Loading…
Reference in New Issue
Block a user