Fix osPerms to use groups registered and anonymous

Fixes #1586
2015-06-30 20:04:14 +02:00 · 2015-06-30 20:04:14 +02:00 · 1dbe07c041
parent 0910c3fac2
commit 1dbe07c041
3 changed files with 58 additions and 24 deletions
--- a/openslides/users/static/js/users/users.js
+++ b/openslides/users/static/js/users/users.js
@ -42,27 +42,12 @@ angular.module('OpenSlidesApp.users', [])
                }
                return name;
            },
-            get_full_name: function() {
-                // should be the same as in the python user model.
-                var firstName = _.trim(this.first_name),
-                    lastName = _.trim(this.last_name),
-                    structure_level = _.trim(this.structure_level),
-                    name;
-
-                if (firstName && lastName) {
-                    // TODO: check config
-                    name = [firstName, lastName].join(' ');
-                } else {
-                    name = firstName || lastName || this.username;
-                }
-                if (structure_level) {
-                    name = name + " (" + structure_level + ")";
-                }
-                return name;
-            },
            getPerms: function() {
                var allPerms = [];
-                _.forEach(this.groups, function(groupId) {
+                var allGroups = this.groups;
+                // Add registered group
+                allGroups.push(2);
+                _.forEach(allGroups, function(groupId) {
                    // Get group from server
                    Group.find(groupId);
                    // But do not work with the returned promise, because in
--- a/openslides/users/views.py
+++ b/openslides/users/views.py
@ -5,6 +5,7 @@ from django.utils.translation import ugettext as _
 from django.utils.translation import ugettext_lazy
 from rest_framework import status

+from openslides.core.config import config
 from openslides.utils.rest_api import ModelViewSet, Response, detail_route
 from openslides.utils.views import APIView, PDFView

@ -110,11 +111,23 @@ class GroupViewSet(ModelViewSet):
        permission to see users and in case of create, update or destroy
        requests the permission to see extra user data and to manage users.
        """
-        if (not request.user.has_perm('users.can_see_name') or
-                (self.action in ('create', 'update', 'destroy') and not
-                 (request.user.has_perm('users.can_manage') and
-                  request.user.has_perm('users.can_see_extra_data')))):
-            self.permission_denied(request)
+        # Any logged in user can retrive groups.
+        # Anonymous user can retrive groups when they are activated.
+        if (self.action in ('retrieve', 'list') and
+                (config['general_system_enable_anonymous'] or
+                 self.request.user.is_authenticated())):
+            return
+
+        # Users with the permissions 'can_manage' and 'can_see_extra_data' can
+        # edit groups.
+        if (self.action in ('create', 'update', 'destroy', 'partial_update') and
+                request.user.has_perm('users.can_see_name') and
+                request.user.has_perm('users.can_manage') and
+                request.user.has_perm('users.can_see_extra_data')):
+            return
+
+        # Raise permission_denied in any other case.
+        self.permission_denied(request)

    def destroy(self, request, *args, **kwargs):
        """
--- a/tests/integration/users/test_viewset.py
+++ b/tests/integration/users/test_viewset.py
@ -2,6 +2,7 @@ from django.core.urlresolvers import reverse
 from rest_framework import status
 from rest_framework.test import APIClient

+from openslides.core.config import config
 from openslides.users.models import Group, User
 from openslides.utils.test import TestCase

@ -142,6 +143,41 @@ class UserResetPassword(TestCase):
        self.assertTrue(User.objects.get(pk=user.pk).check_password('new_password_Yuuh8OoQueePahngohy3'))


+class GroupReceive(TestCase):
+    def test_get_groups_as_anonymous_deactivated(self):
+        """
+        Test to get the groups with an anonymous user, when they are deactivated.
+        """
+        response = self.client.get('/rest/users/group/')
+
+        self.assertEqual(response.status_code, 403)
+
+    def test_get_groups_as_anonymous_user_activated(self):
+        """
+        Test to get the groups with an anonymous user, when they are activated.
+        """
+        config['general_system_enable_anonymous'] = True
+
+        response = self.client.get('/rest/users/group/')
+
+        self.assertEqual(response.status_code, 200)
+
+    def test_logged_in_user_with_no_permission(self):
+        """
+        Test to get the groups with an logged in user with no permissions.
+        """
+        user = User(username='test')
+        user.set_password('test')
+        user.save()
+        registered_group = Group.objects.get(pk=2)
+        registered_group.permissions.all().delete()
+        self.client.login(username='test', password='test')
+
+        response = self.client.get('/rest/users/group/')
+
+        self.assertEqual(response.status_code, 200)
+
+
 class GroupCreate(TestCase):
    """
    Tests creation of groups via REST API.