From 1dbe07c04123c21f496cf6ecba9c55371a2c0aaa Mon Sep 17 00:00:00 2001
From: Oskar Hahn
Date: Tue, 30 Jun 2015 20:04:14 +0200
Subject: [PATCH] Fix osPerms to use groups registered and anonymous
Fixes #1586
---
 openslides/users/static/js/users/users.js | 23 +++------------
 openslides/users/views.py | 23 +++++++++++----
 tests/integration/users/test_viewset.py | 36 +++++++++++++++++++++++
 3 files changed, 58 insertions(+), 24 deletions(-)
diff --git a/openslides/users/static/js/users/users.js b/openslides/users/static/js/users/users.js
index 4e310a90c..d6340b193 100644
--- a/openslides/users/static/js/users/users.js
+++ b/openslides/users/static/js/users/users.js
@@ -42,27 +42,12 @@ angular.module('OpenSlidesApp.users', [])
 }
 return name;
 },
- get_full_name: function() {
- // should be the same as in the python user model.
- var firstName = _.trim(this.first_name),
- lastName = _.trim(this.last_name),
- structure_level = _.trim(this.structure_level),
- name;
- if (firstName && lastName) {
- // TODO: check config
- name = [firstName, lastName].join(' ');
- } else {
- name = firstName || lastName || this.username;
- }
- if (structure_level) {
- name = name + " (" + structure_level + ")";
- }
- return name;
- },
 getPerms: function() {
 var allPerms = [];
- _.forEach(this.groups, function(groupId) {
+ var allGroups = this.groups;
+ // Add registered group
+ allGroups.push(2);
+ _.forEach(allGroups, function(groupId) {
 // Get group from server
 Group.find(groupId);
 // But do not work with the returned promise, because in
diff --git a/openslides/users/views.py b/openslides/users/views.py
index 2675ed331..c557d46fd 100644
--- a/openslides/users/views.py
+++ b/openslides/users/views.py
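Review bot: `var allGroups = this.groups;` followed by `allGroups.push(2);` aliases the model's own groups array instead of copying it, so every call to getPerms appends another 2 to `this.groups`; the list grows on repeated calls and a later save of the user could carry the extra group id back to the server. Build the list without mutating the model, e.g. `var allGroups = this.groups.concat([2]);`, or `_.union(this.groups, [2])` if duplicates for users already in the registered group should be avoided. If `this.groups` can be undefined, both the new `push` and these variants throw where the old `_.forEach(this.groups, …)` tolerated it; worth confirming against the model. getPerms continues past the end of the hunk.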
@@ -5,6 +5,7 @@
 from django.utils.translation import ugettext as _
 from django.utils.translation import ugettext_lazy
 from rest_framework import status
+from openslides.core.config import config
 from openslides.utils.rest_api import ModelViewSet, Response, detail_route
 from openslides.utils.views import APIView, PDFView
@@ -110,11 +111,23 @@ class GroupViewSet(ModelViewSet):
 permission to see users and in case of create, update or destroy
 requests the permission to see extra user data and to manage users.
 """
- if (not request.user.has_perm('users.can_see_name') or
- (self.action in ('create', 'update', 'destroy') and not
- (request.user.has_perm('users.can_manage') and
- request.user.has_perm('users.can_see_extra_data')))):
- self.permission_denied(request)
+ # Any logged in user can retrive groups.
+ # Anonymous user can retrive groups when they are activated.
+ if (self.action in ('retrieve', 'list') and
+ (config['general_system_enable_anonymous'] or
+ self.request.user.is_authenticated())):
+ return
+ # Users with the permissions 'can_manage' and 'can_see_extra_data' can
+ # edit groups.
+ if (self.action in ('create', 'update', 'destroy', 'partial_update') and
+ request.user.has_perm('users.can_see_name') and
+ request.user.has_perm('users.can_manage') and
+ request.user.has_perm('users.can_see_extra_data')):
+ return
+ # Raise permission_denied in any other case.
+ self.permission_denied(request)
 def destroy(self, request, *args, **kwargs):
 """
diff --git a/tests/integration/users/test_viewset.py b/tests/integration/users/test_viewset.py
index 265a8fa63..2650cb702 100644
--- a/tests/integration/users/test_viewset.py
+++ b/tests/integration/users/test_viewset.py
@@ -2,6 +2,7 @@
 from django.core.urlresolvers import reverse
 from rest_framework import status
 from rest_framework.test import APIClient
+from openslides.core.config import config
 from openslides.users.models import Group, User
 from openslides.utils.test import TestCase
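Review bot: The docstring in the context lines just above the rewritten check still says every request needs the permission to see users and lists only create, update and destroy as write actions, while the new code grants `retrieve`/`list` to any authenticated user and to anonymous users when `general_system_enable_anonymous` is set and adds `partial_update` to the guarded actions; the docstring should be brought in line with the new rule so readers do not trust the old one. Both added comments spell `retrive`; `retrieve` is meant. The first branch reads `self.request.user.is_authenticated()` while the second reads `request.user.has_perm(...)` — presumably the same object, but one spelling should be used throughout the method. The enclosing method starts above the hunk.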
@@ -142,6 +143,41 @@ class UserResetPassword(TestCase):
 self.assertTrue(User.objects.get(pk=user.pk).check_password('new_password_Yuuh8OoQueePahngohy3'))
+class GroupReceive(TestCase):
+ def test_get_groups_as_anonymous_deactivated(self):
+ """
+ Test to get the groups with an anonymous user, when they are deactivated.
+ """
+ response = self.client.get('/rest/users/group/')
+ self.assertEqual(response.status_code, 403)
+ def test_get_groups_as_anonymous_user_activated(self):
+ """
+ Test to get the groups with an anonymous user, when they are activated.
+ """
+ config['general_system_enable_anonymous'] = True
+ response = self.client.get('/rest/users/group/')
+ self.assertEqual(response.status_code, 200)
+ def test_logged_in_user_with_no_permission(self):
+ """
+ Test to get the groups with an logged in user with no permissions.
+ """
+ user = User(username='test')
+ user.set_password('test')
+ user.save()
+ registered_group = Group.objects.get(pk=2)
+ registered_group.permissions.all().delete()
+ self.client.login(username='test', password='test')
+ response = self.client.get('/rest/users/group/')
+ self.assertEqual(response.status_code, 200)
+
+
 class GroupCreate(TestCase):
 """
 Tests creation of groups via REST API.
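Review bot: `registered_group.permissions.all().delete()` in test_logged_in_user_with_no_permission deletes the Permission rows themselves from the test database rather than detaching them from the group, which is stronger than the test's stated intent and also strips those permissions from any other group that shares them; `registered_group.permissions.clear()` removes only the relation. `test_get_groups_as_anonymous_user_activated` sets `config['general_system_enable_anonymous'] = True` and never restores it, so unless the project's TestCase resets config between tests the flag can leak into later tests — registering a reset with `self.addCleanup` or in `tearDown` would make the test self-contained. A class docstring on `GroupReceive`, matching the one on `GroupCreate` below, would also keep the file's style; the docstring of the third test reads `an logged in user`, where `a logged in user` is meant.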