From 485c6ece8779e7a7eab50759b1e4212a98fe5baa Mon Sep 17 00:00:00 2001
From: Emanuel Schuetze <emanuel@intevation.de>
Date: Fri, 16 Sep 2016 23:35:37 +0200
Subject: [PATCH] Motion comment permission fixes on server and client.

- Show motion comment fields in form also for users without can_manage but with
  can_see_and_manage_comments permission.
- Ignore comments data if user is not allowed to send comments (in create view).
---
 openslides/motions/static/js/motions/base.js |  5 +++--
 openslides/motions/static/js/motions/site.js |  9 +++++----
 openslides/motions/views.py                  | 11 +++++++----
 3 files changed, 15 insertions(+), 10 deletions(-)

diff --git a/openslides/motions/static/js/motions/base.js b/openslides/motions/static/js/motions/base.js
index 5d7f120d8..01116c5d9 100644
--- a/openslides/motions/static/js/motions/base.js
+++ b/openslides/motions/static/js/motions/base.js
@@ -315,7 +315,8 @@ angular.module('OpenSlidesApp.motions', [
 // Service for generic comment fields
 .factory('MotionComment', [
     'Config',
-    function (Config) {
+    'operator',
+    function (Config, operator) {
         return {
             getFields: function () {
                 // Take input from config field and parse it. It can be some
@@ -396,7 +397,7 @@ angular.module('OpenSlidesApp.motions', [
                             templateOptions: {
                                 label: field.name,
                             },
-                            hideExpression: '!model.more'
+                            hide: !operator.hasPerms("motions.can_see_and_manage_comments")
                         };
                     }
                 );
diff --git a/openslides/motions/static/js/motions/site.js b/openslides/motions/static/js/motions/site.js
index 027b0bf63..e3768cbba 100644
--- a/openslides/motions/static/js/motions/site.js
+++ b/openslides/motions/static/js/motions/site.js
@@ -648,7 +648,9 @@ angular.module('OpenSlidesApp.motions.site', ['OpenSlidesApp.motions', 'OpenSlid
                         placeholder: gettextCatalog.getString('Select a parent item ...')
                     },
                     hide: !operator.hasPerms('agenda.can_manage')
-                },
+                }]
+                .concat(MotionComment.getFormFields())
+                .concat([
                 {
                     key: 'more',
                     type: 'checkbox',
@@ -708,9 +710,8 @@ angular.module('OpenSlidesApp.motions.site', ['OpenSlidesApp.motions', 'OpenSlid
                         placeholder: gettextCatalog.getString('Select or search a supporter ...')
                     },
                     hideExpression: '!model.more'
-                }]
-                .concat(MotionComment.getFormFields())
-                .concat([{
+                },
+                {
                     key: 'workflow_id',
                     type: 'select-single',
                     templateOptions: {
diff --git a/openslides/motions/views.py b/openslides/motions/views.py
index cdb007a77..0d0752cc8 100644
--- a/openslides/motions/views.py
+++ b/openslides/motions/views.py
@@ -106,10 +106,13 @@ class MotionViewSet(ModelViewSet):
             self.permission_denied(request)
 
         # Check permission to send comment data.
-        if (not request.user.has_perm('motions.can_see_and_manage_comments') and
-                request.data.get('comments')):
-            # Some users are not allowed to send comments data.
-            self.permission_denied(request)
+        if not request.user.has_perm('motions.can_see_and_manage_comments'):
+            try:
+                # Ignore comments data if user is not allowed to send comments.
+                del request.data['comments']
+            except KeyError:
+                # No comments here. Just do nothing.
+                pass
 
         # Validate data and create motion.
         serializer = self.get_serializer(data=request.data)