diff --git a/openslides/motions/static/js/motions/site.js b/openslides/motions/static/js/motions/site.js
index 5e9a3b06b..f1a1ca34c 100644
--- a/openslides/motions/static/js/motions/site.js
+++ b/openslides/motions/static/js/motions/site.js
@@ -578,7 +578,7 @@ angular.module('OpenSlidesApp.motions.site', ['OpenSlidesApp.motions'])
 // save motion
 $scope.save = function (motion) {
- Motion.save(motion).then(
+ Motion.save(motion, { method: 'PATCH' }).then(
 function(success) {
 $scope.closeThisDialog();
 }
diff --git a/openslides/motions/views.py b/openslides/motions/views.py
index a44afaa46..f7ce59bc6 100644
--- a/openslides/motions/views.py
+++ b/openslides/motions/views.py
@@ -102,11 +102,17 @@ class MotionViewSet(ModelViewSet):
 if not motion.get_allowed_actions(request.user)['update']:
 self.permission_denied(request)
- # Check permission to send submitter and supporter data.
- if (not request.user.has_perm('motions.can_manage') and
- (request.data.get('submitters_id') or request.data.get('supporters_id'))):
- # Non-staff users are not allowed to send submitter or supporter data.
- self.permission_denied(request)
+ # Check permission to send only some data.
+ if not request.user.has_perm('motions.can_manage'):
+ whitelist = (
+ 'title',
+ 'text',
+ 'reason',)
+ keys = list(request.data.keys())
+ for key in keys:
+ if key not in whitelist:
+ # Non-staff users are allowed to send only some data. Ignore other data.
+ del request.data[key]
 # Validate data and update motion.
 serializer = self.get_serializer(
diff --git a/tests/integration/motions/test_viewset.py b/tests/integration/motions/test_viewset.py
index b7f664974..5136d5385 100644
--- a/tests/integration/motions/test_viewset.py
+++ b/tests/integration/motions/test_viewset.py
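Review bot: The switch to `{ method: 'PATCH' }` carries no comment saying why the save is now a partial update, and the reason only becomes clear from the views.py change in the same commit. A one-line comment next to the call, e.g. `// PATCH: partial update; see MotionViewSet.update for the fields non-managers may send`, would keep that intent with the code. The `$scope.save` handler's rejection branch, if there is one, lies outside the hunk.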
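Review bot: `del request.data[key]` mutates the parsed request body in place, and when the body is form-encoded or multipart rather than JSON, DRF hands back `request.data` as an immutable QueryDict, so a non-manager sending such a request would presumably get a server error instead of the intended silent drop (I cannot see from the hunk which parsers this endpoint accepts). Building a filtered copy and handing that to the serializer avoids touching the request at all and makes the allowlist explicit; the `self.get_serializer(` call that would receive it as `data=` continues past the end of the hunk. Moving the field tuple to a module-level constant would also make the allowlist reviewable in one place and tidy the `'reason',)` formatting. Since a non-manager who sends `supporters_id` now receives 200 with the field discarded, which the integration test codifies, a comment stating that this is deliberate would help the next reader.
```python
        # Non-staff users may update only these fields; any other key in the
        # body is dropped without an error (the integration test relies on this).
        if request.user.has_perm('motions.can_manage'):
            data = request.data
        else:
            allowed = ('title', 'text', 'reason')
            data = {key: value for key, value in request.data.items() if key in allowed}
        # … unchanged: serializer = self.get_serializer(...), now given data=data instead of request.data …
```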
@@ -197,7 +197,8 @@ class UpdateMotion(TestCase):
 reverse('motion-detail', args=[self.motion.pk]),
 json.dumps({'supporters_id': [1]}),
 content_type='application/json')
- self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+ self.assertEqual(response.status_code, status.HTTP_200_OK)
+ self.assertFalse(motion.supporters.exists())
 def test_removal_of_supporters(self):
 admin = get_user_model().objects.get(username='admin')
diff --git a/tests/unit/motions/test_views.py b/tests/unit/motions/test_views.py
index f3cbe49be..08966e426 100644
--- a/tests/unit/motions/test_views.py
+++ b/tests/unit/motions/test_views.py
@@ -50,12 +50,6 @@ class MotionViewSetUpdate(TestCase):
 self.view_instance.update(self.request)
 self.mock_serializer.save.assert_called_with()
- @patch('openslides.motions.views.config')
- def test_user_without_perms(self, mock_config):
- self.request.user.has_perm.return_value = False
- with self.assertRaises(PermissionDenied):
- self.view_instance.update(self.request)
-
 class MotionViewSetManageVersion(TestCase):
 """
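Review bot: The added assertion reads `motion.supporters.exists()` while the request a few lines up uses `self.motion.pk`, so unless this test binds a local `motion` earlier (the method's start is outside the hunk) the line raises NameError rather than checking anything; `self.assertFalse(self.motion.supporters.exists())` is the consistent form. No `refresh_from_db()` is needed, since `exists()` issues a fresh query against the relation. Because a 200 no longer distinguishes "applied" from "discarded", it would also be worth asserting that a field in the allowlist sent in the same request is actually stored, so the test pins both halves of the new behaviour.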