Add quick fix to motion update view.
parent
440a38b387
commit
1eeed1fde9
@ -578,7 +578,7 @@ angular.module('OpenSlidesApp.motions.site', ['OpenSlidesApp.motions'])
|
||||
|
||||
// save motion
|
||||
$scope.save = function (motion) {
|
||||
Motion.save(motion).then(
|
||||
Motion.save(motion, { method: 'PATCH' }).then(
|
||||
function(success) {
|
||||
$scope.closeThisDialog();
|
||||
}
|
||||
|
@ -102,11 +102,17 @@ class MotionViewSet(ModelViewSet):
|
||||
if not motion.get_allowed_actions(request.user)['update']:
|
||||
self.permission_denied(request)
|
||||
|
||||
# Check permission to send submitter and supporter data.
|
||||
if (not request.user.has_perm('motions.can_manage') and
|
||||
(request.data.get('submitters_id') or request.data.get('supporters_id'))):
|
||||
# Non-staff users are not allowed to send submitter or supporter data.
|
||||
self.permission_denied(request)
|
||||
# Check permission to send only some data.
|
||||
if not request.user.has_perm('motions.can_manage'):
|
||||
whitelist = (
|
||||
'title',
|
||||
'text',
|
||||
'reason',)
|
||||
keys = list(request.data.keys())
|
||||
for key in keys:
|
||||
if key not in whitelist:
|
||||
# Non-staff users are allowed to send only some data. Ignore other data.
|
||||
del request.data[key]
|
||||
|
||||
# Validate data and update motion.
|
||||
serializer = self.get_serializer(
|
||||
|
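Review bot: The whitelist loop on what appears to be the new side filters by mutating the request in place with `del request.data[key]`, which only works while the parsed body is a plain dict (JSON); for form-encoded or multipart bodies DRF returns an immutable QueryDict, and the delete would raise instead of filtering. Building a filtered copy avoids that, e.g. `data = {k: request.data[k] for k in whitelist if k in request.data}`, and passing it to `self.get_serializer(...)`, whose call continues outside this hunk. Dropping the keys silently also means an unprivileged client that sends `submitters_id` or `supporters_id` now gets a success response with no trace of the attempt, where the earlier check called `self.permission_denied(request)`; a log line naming the discarded keys would keep such attempts visible. The tuple would also read better as a named constant with a comment saying it is the set of fields a user without `motions.can_manage` may edit.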
@ -197,7 +197,8 @@ class UpdateMotion(TestCase):
|
||||
reverse('motion-detail', args=[self.motion.pk]),
|
||||
json.dumps({'supporters_id': [1]}),
|
||||
content_type='application/json')
|
||||
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
|
||||
self.assertEqual(response.status_code, status.HTTP_200_OK)
|
||||
self.assertFalse(motion.supporters.exists())
|
||||
|
||||
def test_removal_of_supporters(self):
|
||||
admin = get_user_model().objects.get(username='admin')
|
||||
|
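Review bot: The updated assertions show that `supporters_id` is dropped, but the request body holds only that forbidden key, so the test would also pass if the view discarded the whole payload for users without `motions.can_manage`. Sending a whitelisted field alongside it, e.g. `json.dumps({'title': 'constructed title', 'supporters_id': [1]})`, and asserting that the title changed while `motion.supporters` stays empty would pin down what the filter actually promises. No matching case for `submitters_id` is visible in this hunk. The test method starts above the hunk, so how `motion` is loaded before `self.assertFalse(motion.supporters.exists())` cannot be checked from here.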
@ -50,12 +50,6 @@ class MotionViewSetUpdate(TestCase):
|
||||
self.view_instance.update(self.request)
|
||||
self.mock_serializer.save.assert_called_with()
|
||||
|
||||
@patch('openslides.motions.views.config')
|
||||
def test_user_without_perms(self, mock_config):
|
||||
self.request.user.has_perm.return_value = False
|
||||
with self.assertRaises(PermissionDenied):
|
||||
self.view_instance.update(self.request)
|
||||
|
||||
|
||||
class MotionViewSetManageVersion(TestCase):
|
||||
"""
|
||||
|