From ae6875aa93a2261ec8bddb33c4c2a048ba66f2c7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Norman=20J=C3=A4ckel?=
Date: Thu, 14 Jan 2016 22:55:43 +0100
Subject: [PATCH] Added possibility for non staff users to upload new files. See #1856.
---
 openslides/mediafiles/views.py | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/openslides/mediafiles/views.py b/openslides/mediafiles/views.py
index 5b3f6e6af..08b300422 100644
--- a/openslides/mediafiles/views.py
+++ b/openslides/mediafiles/views.py
@@ -19,11 +19,12 @@ class MediafileViewSet(ModelViewSet):
 """
 Returns True if the user has required permissions.
 """
- # TODO: Use mediafiles.can_upload permission to create and update some
- # objects but restricted concerning the uploader.
 if self.action in ('metadata', 'list', 'retrieve'):
 result = self.request.user.has_perm('mediafiles.can_see')
- elif self.action in ('create', 'partial_update', 'update'):
+ elif self.action == 'create':
+ result = (self.request.user.has_perm('mediafiles.can_see') and
+ self.request.user.has_perm('mediafiles.can_upload'))
+ elif self.action in ('partial_update', 'update'):
 result = (self.request.user.has_perm('mediafiles.can_see') and
 self.request.user.has_perm('mediafiles.can_upload') and
 self.request.user.has_perm('mediafiles.can_manage'))
@@ -33,3 +34,15 @@ class MediafileViewSet(ModelViewSet):
 else:
 result = False
 return result
+
+ def create(self, request, *args, **kwargs):
+ """
+ Customized view endpoint to upload a new file.
+ """
+ # Check permission to check if the uploader has to be changed.
+ uploader_id = self.request.data.get('uploader_id')
+ if (uploader_id and
+ not request.user.has_perm('mediafiles.can_manage') and
+ str(self.request.user.pk) != str(uploader_id)):
+ self.permission_denied(request)
+ return super().create(request, *args, **kwargs)
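Review bot: The new `elif self.action == 'create':` branch makes `mediafiles.can_see` plus `mediafiles.can_upload` sufficient to store a file, so whatever size and content-type validation the serializer or storage layer applies is now the only control on what non-staff users can place on the server. None is visible in this hunk, so it is worth confirming before merge. The deleted TODO also covered updates restricted to the uploader, which stay behind `mediafiles.can_manage`; a replacement comment such as `# Users without can_manage may create files but not edit them, including their own uploads.` would keep that decision visible. The enclosing method starts above the hunk and continues past it.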
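Review bot: The uploader check in the new `create` runs only when the request carries a truthy `uploader_id`, so a user without `mediafiles.can_manage` who omits the field passes straight to `super().create()`, and which uploader is then recorded depends on serializer code not shown here. The check also assumes `uploader_id` is the only request key through which the serializer accepts an uploader. Assigning the uploader on the server for non-managers, for example in `perform_create` by passing the requesting user to `serializer.save(...)`, would not depend on either assumption. The method reads both `self.request` and `request`; using `request` throughout would be more consistent.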