From 1eeed1fde92bb7a427c40c4180d3c1f365b91710 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Norman=20J=C3=A4ckel?= <openslides@normanjaeckel.de>
Date: Thu, 14 Jan 2016 23:44:19 +0100
Subject: [PATCH] Add quick fix to motion update view.

---
 openslides/motions/static/js/motions/site.js |  2 +-
 openslides/motions/views.py                  | 16 +++++++++++-----
 tests/integration/motions/test_viewset.py    |  3 ++-
 tests/unit/motions/test_views.py             |  6 ------
 4 files changed, 14 insertions(+), 13 deletions(-)

diff --git a/openslides/motions/static/js/motions/site.js b/openslides/motions/static/js/motions/site.js
index 5e9a3b06b..f1a1ca34c 100644
--- a/openslides/motions/static/js/motions/site.js
+++ b/openslides/motions/static/js/motions/site.js
@@ -578,7 +578,7 @@ angular.module('OpenSlidesApp.motions.site', ['OpenSlidesApp.motions'])
 
         // save motion
         $scope.save = function (motion) {
-            Motion.save(motion).then(
+            Motion.save(motion, { method: 'PATCH' }).then(
                 function(success) {
                     $scope.closeThisDialog();
                 }
diff --git a/openslides/motions/views.py b/openslides/motions/views.py
index a44afaa46..f7ce59bc6 100644
--- a/openslides/motions/views.py
+++ b/openslides/motions/views.py
@@ -102,11 +102,17 @@ class MotionViewSet(ModelViewSet):
         if not motion.get_allowed_actions(request.user)['update']:
             self.permission_denied(request)
 
-        # Check permission to send submitter and supporter data.
-        if (not request.user.has_perm('motions.can_manage') and
-                (request.data.get('submitters_id') or request.data.get('supporters_id'))):
-            # Non-staff users are not allowed to send submitter or supporter data.
-            self.permission_denied(request)
+        # Check permission to send only some data.
+        if not request.user.has_perm('motions.can_manage'):
+            whitelist = (
+                'title',
+                'text',
+                'reason',)
+            keys = list(request.data.keys())
+            for key in keys:
+                if key not in whitelist:
+                    # Non-staff users are allowed to send only some data. Ignore other data.
+                    del request.data[key]
 
         # Validate data and update motion.
         serializer = self.get_serializer(
diff --git a/tests/integration/motions/test_viewset.py b/tests/integration/motions/test_viewset.py
index b7f664974..5136d5385 100644
--- a/tests/integration/motions/test_viewset.py
+++ b/tests/integration/motions/test_viewset.py
@@ -197,7 +197,8 @@ class UpdateMotion(TestCase):
             reverse('motion-detail', args=[self.motion.pk]),
             json.dumps({'supporters_id': [1]}),
             content_type='application/json')
-        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertFalse(motion.supporters.exists())
 
     def test_removal_of_supporters(self):
         admin = get_user_model().objects.get(username='admin')
diff --git a/tests/unit/motions/test_views.py b/tests/unit/motions/test_views.py
index f3cbe49be..08966e426 100644
--- a/tests/unit/motions/test_views.py
+++ b/tests/unit/motions/test_views.py
@@ -50,12 +50,6 @@ class MotionViewSetUpdate(TestCase):
         self.view_instance.update(self.request)
         self.mock_serializer.save.assert_called_with()
 
-    @patch('openslides.motions.views.config')
-    def test_user_without_perms(self, mock_config):
-        self.request.user.has_perm.return_value = False
-        with self.assertRaises(PermissionDenied):
-            self.view_instance.update(self.request)
-
 
 class MotionViewSetManageVersion(TestCase):
     """