diff --git a/openslides/agenda/views.py b/openslides/agenda/views.py index 53b367ba6..acb61fc38 100644 --- a/openslides/agenda/views.py +++ b/openslides/agenda/views.py @@ -70,10 +70,11 @@ class ItemViewSet(ListModelMixin, RetrieveModelMixin, UpdateModelMixin, GenericV """ Filters organizational items if the user has no permission to see them. """ - if self.request.user.has_perm('agenda.can_see_hidden_items'): - return super().get_queryset() - else: - return Item.objects.get_only_agenda_items() + queryset = super().get_queryset() + if not self.request.user.has_perm('agenda.can_see_hidden_items'): + pk_list = [item.pk for item in Item.objects.get_only_agenda_items()] + queryset = queryset.filter(pk__in=pk_list) + return queryset @detail_route(methods=['POST', 'DELETE']) def manage_speaker(self, request, pk=None): diff --git a/tests/integration/agenda/test_viewsets.py b/tests/integration/agenda/test_viewsets.py index b66f721de..8b2f752a0 100644 --- a/tests/integration/agenda/test_viewsets.py +++ b/tests/integration/agenda/test_viewsets.py @@ -1,5 +1,6 @@ from django.contrib.auth import get_user_model from django.core.urlresolvers import reverse +from rest_framework import status from rest_framework.test import APIClient from openslides.agenda.models import Item, Speaker @@ -8,6 +9,36 @@ from openslides.core.models import CustomSlide, Projector from openslides.utils.test import TestCase +class RetrieveItem(TestCase): + """ + Tests retrieving items. + """ + def setUp(self): + self.client = APIClient() + config['general_system_enable_anonymous'] = True + self.item = CustomSlide.objects.create(title='test_title_Idais2pheepeiz5uph1c').agenda_item + + def test_normal_by_anonymous_without_perm_to_see_hidden_items(self): + group = get_user_model().groups.field.related_model.objects.get(pk=1) # Group with pk 1 is for anonymous users. + permission_string = 'agenda.can_see_hidden_items' + app_label, codename = permission_string.split('.') + permission = group.permissions.get(content_type__app_label=app_label, codename=codename) + group.permissions.remove(permission) + self.item.type = Item.AGENDA_ITEM + self.item.save() + response = self.client.get(reverse('item-detail', args=[self.item.pk])) + self.assertEqual(response.status_code, status.HTTP_200_OK) + + def test_hidden_by_anonymous_without_perm_to_see_hidden_items(self): + group = get_user_model().groups.field.related_model.objects.get(pk=1) # Group with pk 1 is for anonymous users. + permission_string = 'agenda.can_see_hidden_items' + app_label, codename = permission_string.split('.') + permission = group.permissions.get(content_type__app_label=app_label, codename=codename) + group.permissions.remove(permission) + response = self.client.get(reverse('item-detail', args=[self.item.pk])) + self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND) + + class ManageSpeaker(TestCase): """ Tests managing speakers.