Merge pull request #1865 from normanjaeckel/MediafileFix

Added possibility for non staff users to upload new files. See #1856.

openslides/mediafiles/views.py

@@ -19,11 +19,12 @@ class MediafileViewSet(ModelViewSet):
         """
         Returns True if the user has required permissions.
         """
-        # TODO: Use mediafiles.can_upload permission to create and update some
-        #       objects but restricted concerning the uploader.
         if self.action in ('metadata', 'list', 'retrieve'):
             result = self.request.user.has_perm('mediafiles.can_see')
-        elif self.action in ('create', 'partial_update', 'update'):
+        elif self.action == 'create':
+            result = (self.request.user.has_perm('mediafiles.can_see') and
+                      self.request.user.has_perm('mediafiles.can_upload'))
+        elif self.action in ('partial_update', 'update'):
             result = (self.request.user.has_perm('mediafiles.can_see') and
                       self.request.user.has_perm('mediafiles.can_upload') and
                       self.request.user.has_perm('mediafiles.can_manage'))
@@ -33,3 +34,15 @@ class MediafileViewSet(ModelViewSet):
         else:
             result = False
         return result
+
+    def create(self, request, *args, **kwargs):
+        """
+        Customized view endpoint to upload a new file.
+        """
+        # Check permission to check if the uploader has to be changed.
+        uploader_id = self.request.data.get('uploader_id')
+        if (uploader_id and
+                not request.user.has_perm('mediafiles.can_manage') and
+                str(self.request.user.pk) != str(uploader_id)):
+            self.permission_denied(request)
+        return super().create(request, *args, **kwargs)