Fixed use of PATCH and PUT. Fixed #1871.

openslides/assignments/views.py

@@ -235,7 +235,7 @@ class AssignmentPollViewSet(UpdateModelMixin, DestroyModelMixin, GenericViewSet)
     """
     API endpoint for assignment polls.
 
-    There are the following views: update and destroy.
+    There are the following views: update, partial_update and destroy.
     """
     queryset = AssignmentPoll.objects.all()
     serializer_class = AssignmentAllPollSerializer

openslides/core/views.py

@@ -199,9 +199,7 @@ class ProjectorViewSet(ModelViewSet):
     """
     API endpoint for the projector slide info.
 
-    There are the following views: metadata, list, retrieve,
-    activate_elements, prune_elements, update_elements,
-    deactivate_elements, clear_elements and control_view.
+    There are the following views: See strings in check_view_permissions().
     """
     access_permissions = ProjectorAccessPermissions()
     queryset = Projector.objects.all()
@@ -575,7 +573,7 @@ class TagViewSet(ModelViewSet):
             # Every authenticated user can see the metadata.
             # Anonymous users can do so if they are enabled.
             result = self.request.user.is_authenticated() or anonymous_is_enabled()
-        elif self.action in ('create', 'update', 'destroy'):
+        elif self.action in ('create', 'partial_update', 'update', 'destroy'):
             result = has_perm(self.request.user, 'core.can_manage_tags')
         else:
             result = False
@@ -616,7 +614,8 @@ class ConfigViewSet(ViewSet):
     """
     API endpoint for the config.
 
-    There are the following views: metadata, list, retrieve and update.
+    There are the following views: metadata, list, retrieve, update and
+    partial_update.
     """
     access_permissions = ConfigAccessPermissions()
     metadata_class = ConfigMetadata
@@ -632,7 +631,7 @@ class ConfigViewSet(ViewSet):
             # retrieve the config. Anonymous users can do so if they are
             # enabled.
             result = self.request.user.is_authenticated() or anonymous_is_enabled()
-        elif self.action == 'update':
+        elif self.action in ('partial_update', 'update'):
             result = has_perm(self.request.user, 'core.can_manage_config')
         else:
             result = False
@@ -742,7 +741,8 @@ class ProjectorMessageViewSet(ModelViewSet):
     """
     API endpoint for messages.
 
-    There are the following views: list, retrieve, create, update and destroy.
+    There are the following views: list, retrieve, create, update,
+    partial_update and destroy.
     """
     access_permissions = ProjectorMessageAccessPermissions()
     queryset = ProjectorMessage.objects.all()
@@ -753,7 +753,7 @@ class ProjectorMessageViewSet(ModelViewSet):
         """
         if self.action in ('list', 'retrieve'):
             result = self.get_access_permissions().check_permissions(self.request.user)
-        elif self.action in ('create', 'update', 'destroy'):
+        elif self.action in ('create', 'partial_update', 'update', 'destroy'):
             result = has_perm(self.request.user, 'core.can_manage_projector')
         else:
             result = False
@@ -764,7 +764,8 @@ class CountdownViewSet(ModelViewSet):
     """
     API endpoint for Countdown.
 
-    There are the following views: list, retrieve, create, update and destroy.
+    There are the following views: list, retrieve, create, update,
+    partial_update and destroy.
     """
     access_permissions = CountdownAccessPermissions()
     queryset = Countdown.objects.all()
@@ -775,7 +776,7 @@ class CountdownViewSet(ModelViewSet):
         """
         if self.action in ('list', 'retrieve'):
             result = self.get_access_permissions().check_permissions(self.request.user)
-        elif self.action in ('create', 'update', 'destroy'):
+        elif self.action in ('create', 'partial_update', 'update', 'destroy'):
             result = has_perm(self.request.user, 'core.can_manage_projector')
         else:
             result = False

openslides/motions/static/js/motions/site.js

@@ -1324,7 +1324,7 @@ angular.module('OpenSlidesApp.motions.site', [
             // inject the changed change recommendation (copy) object back into DS store
             MotionChangeRecommendation.inject(change);
             // save changed change recommendation object on server
-            MotionChangeRecommendation.save(change, { method: 'PATCH' }).then(
+            MotionChangeRecommendation.save(change).then(
                 function(success) {
                     $scope.closeThisDialog();
                 },
@@ -1531,7 +1531,7 @@ angular.module('OpenSlidesApp.motions.site', [
             // inject the changed motion (copy) object back into DS store
             Motion.inject(motion);
             // save change motion object on server
-            Motion.save(motion, { method: 'PATCH' }).then(
+            Motion.save(motion).then(
                 function(success) {
                     // type: Value 1 means a non hidden agenda item, value 2 means a hidden agenda item,
                     // see openslides.agenda.models.Item.ITEM_TYPE.

openslides/motions/views.py

@@ -12,6 +12,7 @@ from rest_framework import status
 from ..core.config import config
 from ..utils.auth import has_perm
 from ..utils.autoupdate import inform_changed_data
+from ..utils.collection import CollectionElement
 from ..utils.rest_api import (
     DestroyModelMixin,
     GenericViewSet,
@@ -85,13 +86,16 @@ class MotionViewSet(ModelViewSet):
         """
         Customized view endpoint to create a new motion.
         """
-        # Check if parent motion exists
-        parent_motion = None
-        if 'parent_id' in request.data:
+        # Check if parent motion exists.
+        if request.data.get('parent_id') is not None:
             try:
-                parent_motion = Motion.objects.get(pk=request.data['parent_id'])
+                parent_motion = CollectionElement.from_values(
+                    Motion.get_collection_string(),
+                    request.data['parent_id'])
             except Motion.DoesNotExist:
                 raise ValidationError({'detail': _('The parent motion does not exist.')})
+        else:
+            parent_motion = None
 
         # Check permission to send some data.
         if not has_perm(request.user, 'motions.can_manage'):
@@ -101,16 +105,15 @@ class MotionViewSet(ModelViewSet):
                 'reason',
                 'comments',  # This is checked later.
             ]
-            if parent_motion:  # For creating amendments.
+            if parent_motion is not None:
+                # For creating amendments.
                 whitelist.extend([
                     'parent_id',
                     'category_id',      # This will be set to the matching
                     'motion_block_id',  # values from parent_motion.
                 ])
-                request.data['category_id'] = (
-                    parent_motion.category.id if parent_motion.category else None)
-                request.data['motion_block_id'] = (
-                    parent_motion.motion_block.id if parent_motion.motion_block else None)
+                request.data['category_id'] = parent_motion.get_full_data().get('category_id')
+                request.data['motion_block_id'] = parent_motion.get_full_data().get('motion_block_id')
             for key in request.data.keys():
                 if key not in whitelist:
                     # Non-staff users are allowed to send only some data.
@@ -155,14 +158,17 @@ class MotionViewSet(ModelViewSet):
 
         # Check permission to send only some data.
         if not has_perm(request.user, 'motions.can_manage'):
+            # Remove fields that the user is not allowed to change.
+            # The list() is required because we want to use del inside the loop.
+            keys = list(request.data.keys())
             whitelist = (
                 'title',
                 'text',
-                'reason',)
-            keys = list(request.data.keys())
+                'reason',
+                'comments',  # This is checked later.
+            )
             for key in keys:
                 if key not in whitelist:
-                    # Non-staff users are allowed to send only some data. Ignore other data.
                     del request.data[key]
         if not has_perm(request.user, 'motions.can_see_and_manage_comments'):
             try:
@@ -364,7 +370,7 @@ class MotionPollViewSet(UpdateModelMixin, DestroyModelMixin, GenericViewSet):
     """
     API endpoint for motion polls.
 
-    There are the following views: update and destroy.
+    There are the following views: update, partial_update and destroy.
     """
     queryset = MotionPoll.objects.all()
     serializer_class = MotionPollSerializer
@@ -414,7 +420,8 @@ class MotionChangeRecommendationViewSet(ModelViewSet):
         elif self.action == 'metadata':
             result = has_perm(self.request.user, 'motions.can_see')
         elif self.action in ('create', 'destroy', 'partial_update', 'update'):
-            result = has_perm(self.request.user, 'motions.can_manage')
+            result = (has_perm(self.request.user, 'motions.can_see') and
+                      has_perm(self.request.user, 'motions.can_manage'))
         else:
             result = False
         return result
@@ -615,6 +622,8 @@ class WorkflowViewSet(ModelViewSet):
         return result
 
 
+# Special API views
+
 class MotionDocxTemplateView(APIView):
     """
     Returns the template for motions docx export

tests/unit/motions/test_views.py

@@ -10,6 +10,7 @@ class MotionViewSetCreate(TestCase):
     """
     def setUp(self):
         self.request = MagicMock()
+        self.request.data.get.return_value = None
         self.view_instance = MotionViewSet()
         self.view_instance.request = self.request
         self.view_instance.format_kwarg = MagicMock()