Fixed create view for non staff users, fixed #1670.

2015-11-18 01:20:49 +01:00 · 2015-11-18 01:20:49 +01:00 · 2063dcff51
commit 2063dcff51
parent 2417549755
2 changed files with 16 additions and 1 deletions
--- a/openslides/motions/views.py
+++ b/openslides/motions/views.py
@ -82,7 +82,7 @@ class MotionViewSet(ModelViewSet):
        """
        # Check permission to send submitter and supporter data.
        if (not request.user.has_perm('motions.can_manage') and
-                (request.data.getlist('submitters') or request.data.getlist('supporters'))):
+                (request.data.get('submitters_id') or request.data.get('supporters_id'))):
            # Non-staff users are not allowed to send submitter or supporter data.
            self.permission_denied(request)

--- a/tests/integration/motions/test_viewset.py
+++ b/tests/integration/motions/test_viewset.py
@ -120,6 +120,21 @@ class CreateMotion(TestCase):
        self.assertEqual(response.status_code, status.HTTP_201_CREATED)
        self.assertEqual(Motion.objects.get().state.workflow_id, 2)

+    def test_non_admin(self):
+        """
+        Test to create a motion by a delegate, non staff user.
+        """
+        self.admin = get_user_model().objects.get(username='admin')
+        self.admin.groups.add(3)
+        self.admin.groups.remove(4)
+
+        response = self.client.post(
+            reverse('motion-list'),
+            {'title': 'test_title_peiJozae0luew9EeL8bo',
+             'text': 'test_text_eHohS8ohr5ahshoah8Oh'})
+
+        self.assertEqual(response.status_code, status.HTTP_201_CREATED)
+

 class UpdateMotion(TestCase):
    """