Merge pull request #4518 from normanjaeckel/NewPermInternalMotions

Added new permission to see motions in internal state (so called auth…

CHANGELOG.rst

@@ -35,13 +35,14 @@ Motions:
    follow recommendation, manage submitters and supporters, change motion
    category, motion block and origin and manage motion polls [#3913].
  - Added new permission to create amendments [#4128].
+ - Added new flag to motion state to control access for different users. Added
+   new permission to see motions in some internal state [#4235, #4518].
  - Allowed submitters to set state of new motions in complex and customized
    workflow [#4236].
  - Added multi select action to manage submitters, tags, states and
    recommendations [#4037, #4132].
  - Added timestampes for motions [#4134].
  - New config option to set reason as required field [#4232]
- - Added new flag to motion state to control access for different users [#4235].
 
 User:
  - Added new admin group which grants all permissions. Users of existing group

client/src/app/site/motions/modules/motion-workflow/components/workflow-detail/workflow-detail.component.ts

@@ -118,8 +118,8 @@ export class WorkflowDetailComponent extends BaseViewComponent implements OnInit
      */
     public accessLevels = [
         { level: 0, label: '0: All users' },
-        { level: 1, label: '1: Submitters and all managers' },
-        { level: 2, label: '2: Only managers for motions and metadata' },
+        { level: 1, label: '1: Submitters, authorized users and managers' },
+        { level: 2, label: '2: Authorized users and managers for motions and metadata' },
         { level: 3, label: '3: Only managers for motions' }
     ] as AccessLevel[];
 

openslides/motions/access_permissions.py

@@ -41,7 +41,9 @@ class MotionAccessPermissions(BaseAccessPermissions):
 
                 if await async_has_perm(user_id, "motions.can_manage"):
                     level = State.MANAGERS_ONLY
-                elif await async_has_perm(user_id, "motions.can_manage_metadata"):
+                elif await async_has_perm(
+                    user_id, "motions.can_manage_metadata"
+                ) or await async_has_perm(user_id, "motions.can_see_internal"):
                     level = State.EXTENDED_MANAGERS
                 elif is_submitter:
                     level = State.EXTENDED_MANAGERS_AND_SUBMITTER

openslides/motions/migrations/0022_auto_20190320_0840.py

@@ -0,0 +1,49 @@
+# Generated by Django 2.1.7 on 2019-03-20 07:40
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [("motions", "0021_state_access_level_3")]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name="motion",
+            options={
+                "default_permissions": (),
+                "ordering": ("identifier",),
+                "permissions": (
+                    ("can_see", "Can see motions"),
+                    ("can_see_internal", "Can see motions in internal state"),
+                    ("can_create", "Can create motions"),
+                    ("can_create_amendments", "Can create amendments"),
+                    ("can_support", "Can support motions"),
+                    ("can_manage_metadata", "Can manage motion metadata"),
+                    ("can_manage", "Can manage motions"),
+                ),
+                "verbose_name": "Motion",
+            },
+        ),
+        migrations.AlterField(
+            model_name="state",
+            name="access_level",
+            field=models.IntegerField(
+                choices=[
+                    (0, "All users with permission to see motions"),
+                    (
+                        1,
+                        "Submitters, authorized users (with permission to see internal motions), managers and "
+                        "users with permission to manage metadata",
+                    ),
+                    (
+                        2,
+                        "Only authorized users (with permission to see internal motions), managers and "
+                        "users with permission to manage metadata",
+                    ),
+                    (3, "Only managers"),
+                ],
+                default=0,
+            ),
+        ),
+    ]

openslides/motions/models.py

@@ -264,6 +264,7 @@ class Motion(RESTModelMixin, models.Model):
         default_permissions = ()
         permissions = (
             ("can_see", "Can see motions"),
+            ("can_see_internal", "Can see motions in internal state"),
             ("can_create", "Can create motions"),
             ("can_create_amendments", "Can create amendments"),
             ("can_support", "Can support motions"),
@@ -1050,11 +1051,11 @@ class State(RESTModelMixin, models.Model):
         (ALL, "All users with permission to see motions"),
         (
             EXTENDED_MANAGERS_AND_SUBMITTER,
-            "Submitters, managers and users with permission to manage metadata",
+            "Submitters, authorized users (with permission to see internal motions), managers and users with permission to manage metadata",
         ),
         (
             EXTENDED_MANAGERS,
-            "Only managers and users with permission to manage metadata",
+            "Only authorized users (with permission to see internal motions), managers and users with permission to manage metadata",
         ),
         (MANAGERS_ONLY, "Only managers"),
     )
@@ -1083,7 +1084,8 @@ class State(RESTModelMixin, models.Model):
     access_level = models.IntegerField(choices=ACCESS_LEVELS, default=0)
     """
     Defines which users may see motions in this state e. g. only managers,
-    users with permission to manage metadata and submitters.
+    authorized users with permission to see internal motiosn, users with permission
+    to manage metadata and submitters.
     """
 
     allow_support = models.BooleanField(default=False)

openslides/users/signals.py

@@ -59,6 +59,7 @@ def create_builtin_groups_and_admin(**kwargs):
         "motions.can_manage",
         "motions.can_manage_metadata",
         "motions.can_see",
+        "motions.can_see_internal",
         "motions.can_support",
         "users.can_change_password",
         "users.can_manage",
@@ -145,6 +146,7 @@ def create_builtin_groups_and_admin(**kwargs):
         permission_dict["mediafiles.can_upload"],
         permission_dict["mediafiles.can_see_hidden"],
         permission_dict["motions.can_see"],
+        permission_dict["motions.can_see_internal"],
         permission_dict["motions.can_create"],
         permission_dict["motions.can_create_amendments"],
         permission_dict["motions.can_manage"],