Merge pull request #2872 from normanjaeckel/AgendaComment

Fixed security issue #2850: Comments were shown for unprivileged users.

CHANGELOG

@@ -11,6 +11,7 @@ Version 2.1 (unreleased)
 Agenda:
 - Added button to remove all speakers from a list of speakers.
 - Added option to create or edit agenda items as subitems of others.
+- Fixed security issue: Comments were shown for unprivileged users.
 
 Core:
 - Added support for multiple projectors.

openslides/agenda/access_permissions.py

@@ -30,7 +30,14 @@ class ItemAccessPermissions(BaseAccessPermissions):
         if (has_perm(user, 'agenda.can_see') and
             (not full_data['is_hidden'] or
              has_perm(user, 'agenda.can_see_hidden_items'))):
+            if has_perm(user, 'agenda.can_manage'):
                 data = full_data
+            else:
+                # Strip out item comments for unprivileged users.
+                data = {}
+                for key in full_data.keys():
+                    if key != 'comment':
+                        data[key] = full_data[key]
         else:
             data = None
         return data

tests/integration/agenda/test_viewset.py

@@ -42,6 +42,14 @@ class RetrieveItem(TestCase):
         response = self.client.get(reverse('item-detail', args=[self.item.pk]))
         self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
 
+    def test_normal_by_anonymous_cant_see_agenda_comments(self):
+        self.item.type = Item.AGENDA_ITEM
+        self.item.comment = 'comment_gbiejd67gkbmsogh8374jf$kd'
+        self.item.save()
+        response = self.client.get(reverse('item-detail', args=[self.item.pk]))
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertTrue(response.data.get('comment') is None)
+
 
 class TestDBQueries(TestCase):
     """