ag-admin/OpenSlides
0
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Fixed creating motion for users with comments permissions.

Browse Source
This commit is contained in:
Norman Jäckel 2017-03-28 18:41:08 +02:00
parent ba4a408f5e
commit 4cad6943f6
2 changed files with 35 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
openslides/motions/views.py
View File

@ -99,6 +99,9 @@ class MotionViewSet(ModelViewSet):
# Check permission to send some data. # Check permission to send some data.
if not has_perm(request.user, 'motions.can_manage'): if not has_perm(request.user, 'motions.can_manage'):
# Remove fields that the user is not allowed to send.
# The list() is required because we want to use del inside the loop.
keys = list(request.data.keys())
whitelist = [ whitelist = [
'title', 'title',
'text', 'text',
@ -114,10 +117,9 @@ class MotionViewSet(ModelViewSet):
]) ])
request.data['category_id'] = parent_motion.get_full_data().get('category_id') request.data['category_id'] = parent_motion.get_full_data().get('category_id')
request.data['motion_block_id'] = parent_motion.get_full_data().get('motion_block_id') request.data['motion_block_id'] = parent_motion.get_full_data().get('motion_block_id')
for key in request.data.keys(): for key in keys:
if key not in whitelist: if key not in whitelist:
# Non-staff users are allowed to send only some data. del request.data[key]
self.permission_denied(request)
# Check permission to send comment data. # Check permission to send comment data.
if not has_perm(request.user, 'motions.can_see_and_manage_comments'): if not has_perm(request.user, 'motions.can_see_and_manage_comments'):

34
tests/integration/motions/test_viewset.py
View File

@ -1,6 +1,7 @@
import json import json
from django.contrib.auth import get_user_model from django.contrib.auth import get_user_model
from django.contrib.auth.models import Permission
from django.core.urlresolvers import reverse from django.core.urlresolvers import reverse
from rest_framework import status from rest_framework import status
from rest_framework.test import APIClient from rest_framework.test import APIClient
@ -8,7 +9,6 @@ from rest_framework.test import APIClient
from openslides.core.config import config from openslides.core.config import config
from openslides.core.models import Tag from openslides.core.models import Tag
from openslides.motions.models import Category, Motion, MotionBlock, State from openslides.motions.models import Category, Motion, MotionBlock, State
from openslides.users.models import User
from openslides.utils.test import TestCase, use_cache from openslides.utils.test import TestCase, use_cache
@ -41,7 +41,7 @@ class TestMotionDBQueries(TestCase):
* 1 request to get the tags, * 1 request to get the tags,
* 2 requests to get the submitters and supporters and * 2 requests to get the submitters and supporters and
""" """
self.client.force_login(User.objects.get(pk=1)) self.client.force_login(get_user_model().objects.get(pk=1))
with self.assertNumQueries(14): with self.assertNumQueries(14):
self.client.get(reverse('motion-list')) self.client.get(reverse('motion-list'))
@ -84,7 +84,7 @@ class TestCategoryDBQueries(TestCase):
* 4 requests to get the session an the request user with its permissions and * 4 requests to get the session an the request user with its permissions and
* 2 requests to get the list of all categories. * 2 requests to get the list of all categories.
""" """
self.client.force_login(User.objects.get(pk=1)) self.client.force_login(get_user_model().objects.get(pk=1))
with self.assertNumQueries(6): with self.assertNumQueries(6):
self.client.get(reverse('category-list')) self.client.get(reverse('category-list'))
@ -118,7 +118,7 @@ class TestWorkflowDBQueries(TestCase):
* 1 request to get all states and * 1 request to get all states and
* 1 request to get the next states of all states. * 1 request to get the next states of all states.
""" """
self.client.force_login(User.objects.get(pk=1)) self.client.force_login(get_user_model().objects.get(pk=1))
with self.assertNumQueries(8): with self.assertNumQueries(8):
self.client.get(reverse('workflow-list')) self.client.get(reverse('workflow-list'))
@ -274,6 +274,32 @@ class CreateMotion(TestCase):
self.assertEqual(response.status_code, status.HTTP_201_CREATED) self.assertEqual(response.status_code, status.HTTP_201_CREATED)
def test_non_admin_with_comment_data(self):
"""
Test to create a motion by a non staff user that has permission to
manage motion comments and sends some additional fields.
"""
self.admin = get_user_model().objects.get(username='admin')
self.admin.groups.add(2)
self.admin.groups.remove(3)
group_delegate = self.admin.groups.get()
group_delegate.permissions.add(Permission.objects.get(
content_type__app_label='motions',
codename='can_see_and_manage_comments',
))
response = self.client.post(
reverse('motion-list'),
{'title': 'test_title_peiJozae0luew9EeL8bo',
'text': 'test_text_eHohS8ohr5ahshoah8Oh',
'comments': ['comment_for_field_one__xiek1Euhae9xah2wuuraaaa'],
'comment_field_one': 'comment_for_field_one__xiek1Euhae9xah2wuuraaaa'},
format='json',
)
self.assertEqual(response.status_code, status.HTTP_201_CREATED)
self.assertEqual(Motion.objects.get().comments, ['comment_for_field_one__xiek1Euhae9xah2wuuraaaa'])
def test_amendment_motion(self): def test_amendment_motion(self):
""" """
Test to create a motion with a parent motion as staff user. Test to create a motion with a parent motion as staff user.