Fix mediafiles for non superadmins

openslides/mediafiles/access_permissions.py

@@ -1,7 +1,7 @@
-from typing import Any, Dict, List, cast
+from typing import Any, Dict, List
 
 from ..utils.access_permissions import BaseAccessPermissions
-from ..utils.auth import async_has_perm, async_in_some_groups
+from ..utils.auth import async_has_perm, async_in_some_groups, async_is_superadmin
 
 
 class MediafileAccessPermissions(BaseAccessPermissions):
@@ -21,12 +21,17 @@ class MediafileAccessPermissions(BaseAccessPermissions):
         if not await async_has_perm(user_id, "mediafiles.can_see"):
             return []
 
+        # This allows to see everything, which is important for inherited_access_groups=False.
+        if await async_is_superadmin(user_id):
+            return full_data
+
         data = []
         for full in full_data:
             access_groups = full["inherited_access_groups_id"]
-            if (
-                isinstance(access_groups, bool) and access_groups
-            ) or await async_in_some_groups(user_id, cast(List[int], access_groups)):
+            if (isinstance(access_groups, bool) and access_groups) or (
+                isinstance(access_groups, list)
+                and await async_in_some_groups(user_id, access_groups)
+            ):
                 data.append(full)
 
         return data

openslides/mediafiles/apps.py

@@ -1,5 +1,3 @@
-from typing import Any, Dict, Set
-
 from django.apps import AppConfig
 from django.conf import settings
 from django.core.exceptions import ImproperlyConfigured
@@ -17,7 +15,6 @@ class MediafilesAppConfig(AppConfig):
         from .signals import get_permission_change_data
         from .views import MediafileViewSet
         from . import serializers  # noqa
-        from ..utils.access_permissions import required_user
 
         # Validate, that the media_url is correct formatted:
         # Must begin and end with a slash. It has to be at least "/".
@@ -41,23 +38,9 @@ class MediafilesAppConfig(AppConfig):
             self.get_model("Mediafile").get_collection_string(), MediafileViewSet
         )
 
-        # register required_users
-        required_user.add_collection_string(
-            self.get_model("Mediafile").get_collection_string(), required_users
-        )
-
     def get_startup_elements(self):
         """
         Yields all Cachables required on startup i. e. opening the websocket
         connection.
         """
         yield self.get_model("Mediafile")
-
-
-def required_users(element: Dict[str, Any]) -> Set[int]:
-    """
-    Returns all user ids that are displayed as uploaders in any mediafile
-    if request_user can see mediafiles. This function may return an empty
-    set.
-    """
-    return set((element["uploader_id"],))

openslides/utils/auth.py

@@ -35,6 +35,16 @@ def get_group_model() -> Model:
         )
 
 
+async def async_is_superadmin(user_id: int) -> bool:
+    """
+    Checks, if the user is a superadmin (in the admin group).
+
+    This is done by querying a non existing permission, becuase has_perm
+    should always return true, if the user is in the admin group.
+    """
+    return await async_has_perm(user_id, "superadmin")
+
+
 def has_perm(user_id: int, perm: str) -> bool:
     """
     Checks that user has a specific permission.