From a918361ec5b83098d7a195221a6365da2048498d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Norman=20J=C3=A4ckel?= Date: Sat, 14 Jan 2017 10:14:18 +0100 Subject: [PATCH] Fixed motion create view. Fixed #2506. --- openslides/motions/static/js/motions/site.js | 6 ++++-- openslides/motions/views.py | 19 ++++++++++++------- tests/unit/motions/test_views.py | 8 -------- 3 files changed, 16 insertions(+), 17 deletions(-) diff --git a/openslides/motions/static/js/motions/site.js b/openslides/motions/static/js/motions/site.js index 1887c83f0..66b82ebf6 100644 --- a/openslides/motions/static/js/motions/site.js +++ b/openslides/motions/static/js/motions/site.js @@ -1486,7 +1486,9 @@ angular.module('OpenSlidesApp.motions.site', [ Motion.bindOne($scope.model.parent_id, $scope, 'parent'); } // ... preselect default workflow - $scope.model.workflow_id = Config.get('motions_workflow').value; + if (operator.hasPerms('motions.can_manage')) { + $scope.model.workflow_id = Config.get('motions_workflow').value; + } // get all form fields $scope.formFields = MotionForm.getFormFields(true); @@ -1661,7 +1663,7 @@ angular.module('OpenSlidesApp.motions.site', [ // set initial data for csv import $scope.motions = []; - // set csv + // set csv $scope.csvConfig = { accept: '.csv, .txt', encodingOptions: ['UTF-8', 'ISO-8859-1'], diff --git a/openslides/motions/views.py b/openslides/motions/views.py index 29b33ade1..9c94efe95 100644 --- a/openslides/motions/views.py +++ b/openslides/motions/views.py @@ -83,13 +83,18 @@ class MotionViewSet(ModelViewSet): """ Customized view endpoint to create a new motion. """ - # Check permission to send submitter and supporter data. - if (not request.user.has_perm('motions.can_manage') and - (request.data.get('submitters_id') or request.data.get('supporters_id'))): - # Non-staff users are not allowed to send submitter or supporter data. - self.permission_denied(request) - - # TODO: Should non staff users be allowed to set motions to blocks or send categories, ...? #2506 + # Check permission to send some data. + if not request.user.has_perm('motions.can_manage'): + whitelist = ( + 'title', + 'text', + 'reason', + 'comments', # This is checked later. + ) + for key in request.data.keys(): + if key not in whitelist: + # Non-staff users are allowed to send only some data. + self.permission_denied(request) # Check permission to send comment data. if not request.user.has_perm('motions.can_see_and_manage_comments'): diff --git a/tests/unit/motions/test_views.py b/tests/unit/motions/test_views.py index 4687d5f1c..dd3af2608 100644 --- a/tests/unit/motions/test_views.py +++ b/tests/unit/motions/test_views.py @@ -1,8 +1,6 @@ from unittest import TestCase from unittest.mock import MagicMock, patch -from rest_framework.exceptions import PermissionDenied - from openslides.motions.views import MotionViewSet @@ -24,12 +22,6 @@ class MotionViewSetCreate(TestCase): self.view_instance.create(self.request) self.mock_serializer.save.assert_called_with(request_user=self.request.user) - @patch('openslides.motions.views.config') - def test_user_without_can_create_perm(self, mock_config): - self.request.user.has_perm.return_value = False - with self.assertRaises(PermissionDenied): - self.view_instance.create(self.request) - class MotionViewSetUpdate(TestCase): """