Merge pull request #2846 from normanjaeckel/MotionBlockSecu

Fixed motion create view. Fixed #2506.
This commit is contained in:
Emanuel Schütze 2017-01-14 12:10:51 +01:00 committed by GitHub
commit 458a7cf7c4
3 changed files with 16 additions and 17 deletions


@ -1493,7 +1493,9 @@ angular.module('OpenSlidesApp.motions.site', [
Motion.bindOne($scope.model.parent_id, $scope, 'parent'); Motion.bindOne($scope.model.parent_id, $scope, 'parent');
} }
// ... preselect default workflow // ... preselect default workflow
$scope.model.workflow_id = Config.get('motions_workflow').value; if (operator.hasPerms('motions.can_manage')) {
$scope.model.workflow_id = Config.get('motions_workflow').value;
}
// get all form fields // get all form fields
$scope.formFields = MotionForm.getFormFields(true); $scope.formFields = MotionForm.getFormFields(true);
@ -1668,7 +1670,7 @@ angular.module('OpenSlidesApp.motions.site', [
// set initial data for csv import // set initial data for csv import
$scope.motions = []; $scope.motions = [];
// set csv // set csv
$scope.csvConfig = { $scope.csvConfig = {
accept: '.csv, .txt', accept: '.csv, .txt',
encodingOptions: ['UTF-8', 'ISO-8859-1'], encodingOptions: ['UTF-8', 'ISO-8859-1'],
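Review bot: The comment above the new `if (operator.hasPerms('motions.can_manage'))` guard still reads "preselect default workflow" and no longer explains why the preselection is now conditional; a reader of this file alone cannot tell that the server-side create view rejects `workflow_id` from users without `motions.can_manage`. Suggest `// preselect default workflow for managers only; the server rejects workflow_id from other users` so the client guard and the server allowlist are visibly the same rule. Since this is a client-side check only, it must not be relied on for enforcement, which the Python change in this commit appears to provide. The enclosing controller starts and ends outside the hunk.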


@ -83,13 +83,18 @@ class MotionViewSet(ModelViewSet):
""" """
Customized view endpoint to create a new motion. Customized view endpoint to create a new motion.
""" """
# Check permission to send submitter and supporter data. # Check permission to send some data.
if (not request.user.has_perm('motions.can_manage') and if not request.user.has_perm('motions.can_manage'):
(request.data.get('submitters_id') or request.data.get('supporters_id'))): whitelist = (
# Non-staff users are not allowed to send submitter or supporter data. 'title',
self.permission_denied(request) 'text',
'reason',
# TODO: Should non staff users be allowed to set motions to blocks or send categories, ...? #2506 'comments', # This is checked later.
)
for key in request.data.keys():
if key not in whitelist:
# Non-staff users are allowed to send only some data.
self.permission_denied(request)
# Check permission to send comment data. # Check permission to send comment data.
if not request.user.has_perm('motions.can_see_and_manage_comments'): if not request.user.has_perm('motions.can_see_and_manage_comments'):
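Review bot: The new allowlist has no test: the third file in this commit removes `test_user_without_can_create_perm` and the `PermissionDenied` import, and nothing replaces it, so the behaviour "non-manager sending a key outside `whitelist` is rejected" is unverified; a test that sets `has_perm` to return False and posts a disallowed key such as `supporters_id` while asserting `PermissionDenied` would pin it. The `whitelist` tuple is also rebuilt on every request inside the `if`; hoisting it to a class attribute with a one-line comment on why only these keys are open to non-managers (this is the fix for #2506) makes the rule easier to audit and reusable if the update endpoint needs the same restriction, which I cannot confirm from this hunk. Minor style: `for key in request.data:` is the idiomatic form of `for key in request.data.keys():`. The rest of `create` continues outside the hunk.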


@ -1,8 +1,6 @@
from unittest import TestCase from unittest import TestCase
from unittest.mock import MagicMock, patch from unittest.mock import MagicMock, patch
from rest_framework.exceptions import PermissionDenied
from openslides.motions.views import MotionViewSet from openslides.motions.views import MotionViewSet
@ -24,12 +22,6 @@ class MotionViewSetCreate(TestCase):
self.view_instance.create(self.request) self.view_instance.create(self.request)
self.mock_serializer.save.assert_called_with(request_user=self.request.user) self.mock_serializer.save.assert_called_with(request_user=self.request.user)
@patch('openslides.motions.views.config')
def test_user_without_can_create_perm(self, mock_config):
self.request.user.has_perm.return_value = False
with self.assertRaises(PermissionDenied):
self.view_instance.create(self.request)
class MotionViewSetUpdate(TestCase): class MotionViewSetUpdate(TestCase):
""" """