Merge pull request #2846 from normanjaeckel/MotionBlockSecu

Fixed motion create view. Fixed #2506.
This commit is contained in:
Emanuel Schütze 2017-01-14 12:10:51 +01:00 committed by GitHub
commit 458a7cf7c4
3 changed files with 16 additions and 17 deletions

View File

@ -1493,7 +1493,9 @@ angular.module('OpenSlidesApp.motions.site', [
Motion.bindOne($scope.model.parent_id, $scope, 'parent'); Motion.bindOne($scope.model.parent_id, $scope, 'parent');
} }
// ... preselect default workflow // ... preselect default workflow
if (operator.hasPerms('motions.can_manage')) {
$scope.model.workflow_id = Config.get('motions_workflow').value; $scope.model.workflow_id = Config.get('motions_workflow').value;
}
// get all form fields // get all form fields
$scope.formFields = MotionForm.getFormFields(true); $scope.formFields = MotionForm.getFormFields(true);

View File

@ -83,14 +83,19 @@ class MotionViewSet(ModelViewSet):
""" """
Customized view endpoint to create a new motion. Customized view endpoint to create a new motion.
""" """
# Check permission to send submitter and supporter data. # Check permission to send some data.
if (not request.user.has_perm('motions.can_manage') and if not request.user.has_perm('motions.can_manage'):
(request.data.get('submitters_id') or request.data.get('supporters_id'))): whitelist = (
# Non-staff users are not allowed to send submitter or supporter data. 'title',
'text',
'reason',
'comments', # This is checked later.
)
for key in request.data.keys():
if key not in whitelist:
# Non-staff users are allowed to send only some data.
self.permission_denied(request) self.permission_denied(request)
# TODO: Should non staff users be allowed to set motions to blocks or send categories, ...? #2506
# Check permission to send comment data. # Check permission to send comment data.
if not request.user.has_perm('motions.can_see_and_manage_comments'): if not request.user.has_perm('motions.can_see_and_manage_comments'):
try: try:

View File

@ -1,8 +1,6 @@
from unittest import TestCase from unittest import TestCase
from unittest.mock import MagicMock, patch from unittest.mock import MagicMock, patch
from rest_framework.exceptions import PermissionDenied
from openslides.motions.views import MotionViewSet from openslides.motions.views import MotionViewSet
@ -24,12 +22,6 @@ class MotionViewSetCreate(TestCase):
self.view_instance.create(self.request) self.view_instance.create(self.request)
self.mock_serializer.save.assert_called_with(request_user=self.request.user) self.mock_serializer.save.assert_called_with(request_user=self.request.user)
@patch('openslides.motions.views.config')
def test_user_without_can_create_perm(self, mock_config):
self.request.user.has_perm.return_value = False
with self.assertRaises(PermissionDenied):
self.view_instance.create(self.request)
class MotionViewSetUpdate(TestCase): class MotionViewSetUpdate(TestCase):
""" """