From e8dec048ef7d33f9195d1a076f2aae922f1f9517 Mon Sep 17 00:00:00 2001
From: FinnStutzenstein
Date: Mon, 23 Sep 2019 09:36:32 +0200
Subject: [PATCH] Fixed submitter check for anonymous users
---
 openslides/motions/models.py | 4 ++++
 tests/integration/motions/test_viewset.py | 11 +++++++++++
 2 files changed, 15 insertions(+)
diff --git a/openslides/motions/models.py b/openslides/motions/models.py
index e2e03fe65..32b82381a 100644
--- a/openslides/motions/models.py
+++ b/openslides/motions/models.py
@@ -408,7 +408,11 @@ class Motion(RESTModelMixin, AgendaItemWithListOfSpeakersMixin, models.Model):
 def is_submitter(self, user):
 """
 Returns True if user is a submitter of this motion, else False.
+ Anonymous users cannot be submitters.
 """
+ if isinstance(user, AnonymousUser):
+ return False
+
 return self.submitters.filter(user=user).exists()

 def is_supporter(self, user):
diff --git a/tests/integration/motions/test_viewset.py b/tests/integration/motions/test_viewset.py
index 97e1170e9..a8c86f1ec 100644
--- a/tests/integration/motions/test_viewset.py
+++ b/tests/integration/motions/test_viewset.py
@@ -576,6 +576,17 @@ class UpdateMotion(TestCase):
 self.assertEqual(motion.title, "test_title_aeng7ahChie3waiR8xoh")
 self.assertEqual(motion.identifier, "test_identifier_jieseghohj7OoSah1Ko9")

+ def test_patch_as_anonymous_without_manage_perms(self):
+ config["general_system_enable_anonymous"] = True
+ guest_client = APIClient()
+ response = guest_client.patch(
+ reverse("motion-detail", args=[self.motion.pk]),
+ {"identifier": "test_identifier_4g2jgj1wrnmvvIRhtqqPO84WD"},
+ )
+ self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+ motion = Motion.objects.get()
+ self.assertEqual(motion.identifier, "1")
+
 def test_patch_empty_text(self):
 response = self.client.patch(
 reverse("motion-detail", args=[self.motion.pk]), {"text": ""}, format="json"
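Review bot: The new guard in `is_submitter` uses the name `AnonymousUser`, but the diffstat shows models.py gaining only these four lines, so this commit adds no import. Confirm the name is already imported at the top of models.py; otherwise the first anonymous request would raise NameError instead of returning False. The check is also tied to one concrete class. If this method feeds permission decisions, as the new test suggests, testing the attribute instead, e.g. `if user is None or user.is_anonymous: return False`, would fail closed for any unauthenticated user object, provided every caller passes a Django user object. `is_supporter` starts on the last line of the hunk and its body is not visible; it probably needs the same guard if it filters on `user` in the same way.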
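Review bot: `Motion.objects.get()` in the new test only works while exactly one Motion exists, and the expected identifier `"1"` is a fixture value that presumably comes from setUp, outside the hunk. Using `motion = Motion.objects.get(pk=self.motion.pk)` and comparing against the identifier captured before the request would keep the assertion tied to the motion under test. The request also omits `format="json"`, which the neighbouring `test_patch_empty_text` passes, so it is worth confirming that the 403 comes from the permission check rather than from how the body is parsed. If the flag is set so that guests reach the submitter check, a comment such as `# Anonymous access is enabled so the request reaches the permission check as a guest.` above the `config[...]` line would say so.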