Merge pull request #2846 from normanjaeckel/MotionBlockSecu

Fixed motion create view. Fixed #2506.
2017-01-14 12:10:51 +01:00 · 2017-01-14 12:10:51 +01:00 · 458a7cf7c4
parent 8c4b38f018 a918361ec5
commit 458a7cf7c4
3 changed files with 16 additions and 17 deletions
--- a/openslides/motions/static/js/motions/site.js
+++ b/openslides/motions/static/js/motions/site.js
@ -1493,7 +1493,9 @@ angular.module('OpenSlidesApp.motions.site', [
            Motion.bindOne($scope.model.parent_id, $scope, 'parent');
        }
        // ... preselect default workflow
-        $scope.model.workflow_id = Config.get('motions_workflow').value;
+        if (operator.hasPerms('motions.can_manage')) {
+            $scope.model.workflow_id = Config.get('motions_workflow').value;
+        }
        // get all form fields
        $scope.formFields = MotionForm.getFormFields(true);

@ -1668,7 +1670,7 @@ angular.module('OpenSlidesApp.motions.site', [
        // set initial data for csv import
        $scope.motions = [];

-        // set csv 
+        // set csv
        $scope.csvConfig = {
            accept: '.csv, .txt',
            encodingOptions: ['UTF-8', 'ISO-8859-1'],
--- a/openslides/motions/views.py
+++ b/openslides/motions/views.py
@ -83,13 +83,18 @@ class MotionViewSet(ModelViewSet):
        """
        Customized view endpoint to create a new motion.
        """
-        # Check permission to send submitter and supporter data.
-        if (not request.user.has_perm('motions.can_manage') and
-                (request.data.get('submitters_id') or request.data.get('supporters_id'))):
-            # Non-staff users are not allowed to send submitter or supporter data.
-            self.permission_denied(request)
-
-        # TODO: Should non staff users be allowed to set motions to blocks or send categories, ...? #2506
+        # Check permission to send some data.
+        if not request.user.has_perm('motions.can_manage'):
+            whitelist = (
+                'title',
+                'text',
+                'reason',
+                'comments',  # This is checked later.
+            )
+            for key in request.data.keys():
+                if key not in whitelist:
+                    # Non-staff users are allowed to send only some data.
+                    self.permission_denied(request)

        # Check permission to send comment data.
        if not request.user.has_perm('motions.can_see_and_manage_comments'):
--- a/tests/unit/motions/test_views.py
+++ b/tests/unit/motions/test_views.py
@ -1,8 +1,6 @@
 from unittest import TestCase
 from unittest.mock import MagicMock, patch

-from rest_framework.exceptions import PermissionDenied
-
 from openslides.motions.views import MotionViewSet


@ -24,12 +22,6 @@ class MotionViewSetCreate(TestCase):
        self.view_instance.create(self.request)
        self.mock_serializer.save.assert_called_with(request_user=self.request.user)

-    @patch('openslides.motions.views.config')
-    def test_user_without_can_create_perm(self, mock_config):
-        self.request.user.has_perm.return_value = False
-        with self.assertRaises(PermissionDenied):
-            self.view_instance.create(self.request)
-

 class MotionViewSetUpdate(TestCase):
    """