Merge pull request #2846 from normanjaeckel/MotionBlockSecu
Fixed motion create view. Fixed #2506.
This commit is contained in:
commit
458a7cf7c4
@ -1493,7 +1493,9 @@ angular.module('OpenSlidesApp.motions.site', [
|
||||
Motion.bindOne($scope.model.parent_id, $scope, 'parent');
|
||||
}
|
||||
// ... preselect default workflow
|
||||
$scope.model.workflow_id = Config.get('motions_workflow').value;
|
||||
if (operator.hasPerms('motions.can_manage')) {
|
||||
$scope.model.workflow_id = Config.get('motions_workflow').value;
|
||||
}
|
||||
// get all form fields
|
||||
$scope.formFields = MotionForm.getFormFields(true);
|
||||
|
||||
@ -1668,7 +1670,7 @@ angular.module('OpenSlidesApp.motions.site', [
|
||||
// set initial data for csv import
|
||||
$scope.motions = [];
|
||||
|
||||
// set csv
|
||||
// set csv
|
||||
$scope.csvConfig = {
|
||||
accept: '.csv, .txt',
|
||||
encodingOptions: ['UTF-8', 'ISO-8859-1'],
|
||||
|
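Review bot: The new `operator.hasPerms('motions.can_manage')` guard around the workflow preselect has no comment saying why it exists, and a reader of this controller alone cannot see that it mirrors a server rule. On this same page MotionViewSet.create denies a create request from a user without `motions.can_manage` when it carries any key outside title/text/reason/comments, so sending a preselected `workflow_id` for such a user would fail server-side; the client gate is a UX measure, not the enforcement. I would add above the `if`: `// Only managers may send workflow_id; MotionViewSet.create rejects it for other users.`. The second hunk in this section (`// set csv`) looks like a whitespace-only change and is not reviewed. The enclosing controller starts and ends outside the hunk.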
@ -83,13 +83,18 @@ class MotionViewSet(ModelViewSet):
|
||||
"""
|
||||
Customized view endpoint to create a new motion.
|
||||
"""
|
||||
# Check permission to send submitter and supporter data.
|
||||
if (not request.user.has_perm('motions.can_manage') and
|
||||
(request.data.get('submitters_id') or request.data.get('supporters_id'))):
|
||||
# Non-staff users are not allowed to send submitter or supporter data.
|
||||
self.permission_denied(request)
|
||||
|
||||
# TODO: Should non staff users be allowed to set motions to blocks or send categories, ...? #2506
|
||||
# Check permission to send some data.
|
||||
if not request.user.has_perm('motions.can_manage'):
|
||||
whitelist = (
|
||||
'title',
|
||||
'text',
|
||||
'reason',
|
||||
'comments', # This is checked later.
|
||||
)
|
||||
for key in request.data.keys():
|
||||
if key not in whitelist:
|
||||
# Non-staff users are allowed to send only some data.
|
||||
self.permission_denied(request)
|
||||
|
||||
# Check permission to send comment data.
|
||||
if not request.user.has_perm('motions.can_see_and_manage_comments'):
|
||||
|
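Review bot: The allowlist at `whitelist = (` is rebuilt on every request and the `for key in request.data.keys()` loop is a hand-rolled set test; a module-level `NON_MANAGER_CREATE_FIELDS = frozenset({'title', 'text', 'reason', 'comments'})` and `if set(request.data) - NON_MANAGER_CREATE_FIELDS: self.permission_denied(request)` says the same thing in one step. The trailing `# This is checked later.` on the `'comments'` entry would be clearer as `# 'comments' needs motions.can_see_and_manage_comments; checked below.`. This allowlist is only visible in create(); whether update() applies the same rule to users without `motions.can_manage` cannot be seen from this hunk, and since the removed TODO for #2506 asked exactly that for blocks and categories, it is worth confirming. The negative test `test_user_without_can_create_perm` is deleted elsewhere in this PR rather than adapted, so the new allowlist has no unit test; a case with `has_perm` returning False and `request.data = {'title': 'x', 'workflow_id': 1}` asserting `PermissionDenied`, plus one with only allowlisted keys reaching `mock_serializer.save`, would cover it. The rest of create() continues outside the hunk.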
@ -1,8 +1,6 @@
|
||||
from unittest import TestCase
|
||||
from unittest.mock import MagicMock, patch
|
||||
|
||||
from rest_framework.exceptions import PermissionDenied
|
||||
|
||||
from openslides.motions.views import MotionViewSet
|
||||
|
||||
|
||||
@ -24,12 +22,6 @@ class MotionViewSetCreate(TestCase):
|
||||
self.view_instance.create(self.request)
|
||||
self.mock_serializer.save.assert_called_with(request_user=self.request.user)
|
||||
|
||||
@patch('openslides.motions.views.config')
|
||||
def test_user_without_can_create_perm(self, mock_config):
|
||||
self.request.user.has_perm.return_value = False
|
||||
with self.assertRaises(PermissionDenied):
|
||||
self.view_instance.create(self.request)
|
||||
|
||||
|
||||
class MotionViewSetUpdate(TestCase):
|
||||
"""
|
||||
|