ag-admin/OpenSlides
0
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Add quick fix to motion update view.

Browse Source
This commit is contained in:
Norman Jäckel 2016-01-14 23:44:19 +01:00
parent 440a38b387
commit 1eeed1fde9
4 changed files with 14 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
openslides/motions/static/js/motions/site.js
View File

@ -578,7 +578,7 @@ angular.module('OpenSlidesApp.motions.site', ['OpenSlidesApp.motions'])
// save motion // save motion
$scope.save = function (motion) { $scope.save = function (motion) {
Motion.save(motion).then( Motion.save(motion, { method: 'PATCH' }).then(
function(success) { function(success) {
$scope.closeThisDialog(); $scope.closeThisDialog();
} }

16
openslides/motions/views.py
View File

@ -102,11 +102,17 @@ class MotionViewSet(ModelViewSet):
if not motion.get_allowed_actions(request.user)['update']: if not motion.get_allowed_actions(request.user)['update']:
self.permission_denied(request) self.permission_denied(request)
# Check permission to send submitter and supporter data. # Check permission to send only some data.
if (not request.user.has_perm('motions.can_manage') and if not request.user.has_perm('motions.can_manage'):
(request.data.get('submitters_id') or request.data.get('supporters_id'))): whitelist = (
# Non-staff users are not allowed to send submitter or supporter data. 'title',
self.permission_denied(request) 'text',
'reason',)
keys = list(request.data.keys())
for key in keys:
if key not in whitelist:
# Non-staff users are allowed to send only some data. Ignore other data.
del request.data[key]
# Validate data and update motion. # Validate data and update motion.
serializer = self.get_serializer( serializer = self.get_serializer(

3
tests/integration/motions/test_viewset.py
View File

@ -197,7 +197,8 @@ class UpdateMotion(TestCase):
reverse('motion-detail', args=[self.motion.pk]), reverse('motion-detail', args=[self.motion.pk]),
json.dumps({'supporters_id': [1]}), json.dumps({'supporters_id': [1]}),
content_type='application/json') content_type='application/json')
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertFalse(motion.supporters.exists())
def test_removal_of_supporters(self): def test_removal_of_supporters(self):
admin = get_user_model().objects.get(username='admin') admin = get_user_model().objects.get(username='admin')

6
tests/unit/motions/test_views.py
View File

@ -50,12 +50,6 @@ class MotionViewSetUpdate(TestCase):
self.view_instance.update(self.request) self.view_instance.update(self.request)
self.mock_serializer.save.assert_called_with() self.mock_serializer.save.assert_called_with()
@patch('openslides.motions.views.config')
def test_user_without_perms(self, mock_config):
self.request.user.has_perm.return_value = False
with self.assertRaises(PermissionDenied):
self.view_instance.update(self.request)
class MotionViewSetManageVersion(TestCase): class MotionViewSetManageVersion(TestCase):
""" """