Merge pull request #2846 from normanjaeckel/MotionBlockSecu
Fixed motion create view. Fixed #2506.
458a7cf7c4
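--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1493,7 +1493,9 @@ angular.module('OpenSlidesApp.motions.site', [
 Motion.bindOne($scope.model.parent_id, $scope, 'parent');
 }
 // ... preselect default workflow
+if (operator.hasPerms('motions.can_manage')) {
 $scope.model.workflow_id = Config.get('motions_workflow').value;
+}
 // get all form fields
 $scope.formFields = MotionForm.getFormFields(true);
 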
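Review bot: The `// ... preselect default workflow` comment now sits above a branch that only runs for users holding `motions.can_manage`, and nothing on the client says why everyone else is left with no workflow_id; a reader may take the empty field for a bug. Suggest extending the comment to `// ... preselect default workflow (only managers may choose one; the server-side allowlist in the create view rejects workflow_id from anyone else)`, which ties it to the field check added in the same commit. The enclosing controller function starts and ends outside the hunk.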
@ -83,14 +83,19 @@ class MotionViewSet(ModelViewSet):
"""
"""
Customized view endpoint to create a new motion.
Customized view endpoint to create a new motion.
"""
"""
# Check permission to send submitter and supporter data.
# Check permission to send some data.
if (not request.user.has_perm('motions.can_manage') and
if not request.user.has_perm('motions.can_manage'):
(request.data.get('submitters_id') or request.data.get('supporters_id'))):
whitelist = (
# Non-staff users are not allowed to send submitter or supporter data.
'title',
'text',
'reason',
'comments', # This is checked later.
)
for key in request.data.keys():
if key not in whitelist:
# Non-staff users are allowed to send only some data.
self.permission_denied(request)
self.permission_denied(request)
# TODO: Should non staff users be allowed to set motions to blocks or send categories, ...? #2506
# Check permission to send comment data.
# Check permission to send comment data.
if not request.user.has_perm('motions.can_see_and_manage_comments'):
if not request.user.has_perm('motions.can_see_and_manage_comments'):
try:
try:
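Review bot: The allowlist inside the `can_manage` branch is rebuilt as a local tuple on every request, and the comment above it (`# Check permission to send some data.`) does not say which fields it admits or why, so the next reader has to reverse-engineer the policy from the tuple. Suggest hoisting it to a module-level constant with a comment such as `# Fields a user without motions.can_manage may supply when creating a motion; anything else (submitters, supporters, category, block, workflow, ...) is rejected outright.` and keeping the loop as a membership test against that constant. Iterating `request.data.keys()` also assumes a mapping payload; if the parser hands back a JSON list, `.keys()` raises `AttributeError` before the permission check runs, so treating a non-mapping body as denied (`if not hasattr(request.data, 'keys'): self.permission_denied(request)`) would be more robust — confirm how the configured parsers constrain this. The `create` method continues outside the hunk.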
@ -1,8 +1,6 @@
from unittest import TestCase
from unittest import TestCase
from unittest.mock import MagicMock, patch
from unittest.mock import MagicMock, patch
from rest_framework.exceptions import PermissionDenied
from openslides.motions.views import MotionViewSet
from openslides.motions.views import MotionViewSet
@ -24,12 +22,6 @@ class MotionViewSetCreate(TestCase):
self.view_instance.create(self.request)
self.view_instance.create(self.request)
self.mock_serializer.save.assert_called_with(request_user=self.request.user)
self.mock_serializer.save.assert_called_with(request_user=self.request.user)
@patch('openslides.motions.views.config')
def test_user_without_can_create_perm(self, mock_config):
self.request.user.has_perm.return_value = False
with self.assertRaises(PermissionDenied):
self.view_instance.create(self.request)
class MotionViewSetUpdate(TestCase):
class MotionViewSetUpdate(TestCase):
"""
"""