Fixed get_queryset method of ItemViewSet. Fixed #2027.

Norman Jäckel 2016-03-04 11:24:22 +01:00
parent 66de30f852
commit bc93b61a02
2 changed files with 36 additions and 4 deletions


@ -68,10 +68,11 @@ class ItemViewSet(ListModelMixin, RetrieveModelMixin, UpdateModelMixin, GenericV
""" """
Filters organizational items if the user has no permission to see them. Filters organizational items if the user has no permission to see them.
""" """
if self.request.user.has_perm('agenda.can_see_hidden_items'): queryset = super().get_queryset()
return super().get_queryset() if not self.request.user.has_perm('agenda.can_see_hidden_items'):
else: pk_list = [item.pk for item in Item.objects.get_only_agenda_items()]
return Item.objects.get_only_agenda_items() queryset = queryset.filter(pk__in=pk_list)
return queryset
@detail_route(methods=['POST', 'DELETE']) @detail_route(methods=['POST', 'DELETE'])
def manage_speaker(self, request, pk=None): def manage_speaker(self, request, pk=None):
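Review bot: The hidden-item restriction in get_queryset is an access-control filter, but the rewritten body carries no comment saying so, nor why it narrows by primary key instead of returning the manager result as the old code did. Above the `pk_list` line I would add `# Access control: without can_see_hidden_items only agenda items are visible; filter by pk so the result stays a QuerySet`, assuming get_only_agenda_items() does not return a QuerySet, which the page does not show. The pk list is built in Python on every request from a user lacking the permission, which adds a pass over all items. The signature of get_queryset is above the hunk, and manage_speaker's body is below it, so it is worth confirming that manage_speaker resolves the item through `self.get_object()`; otherwise the restriction would not apply there.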


@ -1,5 +1,6 @@
from django.contrib.auth import get_user_model from django.contrib.auth import get_user_model
from django.core.urlresolvers import reverse from django.core.urlresolvers import reverse
from rest_framework import status
from rest_framework.test import APIClient from rest_framework.test import APIClient
from openslides.agenda.models import Item, Speaker from openslides.agenda.models import Item, Speaker
@ -8,6 +9,36 @@ from openslides.core.models import CustomSlide, Projector
from openslides.utils.test import TestCase from openslides.utils.test import TestCase
class RetrieveItem(TestCase):
"""
Tests retrieving items.
"""
def setUp(self):
self.client = APIClient()
config['general_system_enable_anonymous'] = True
self.item = CustomSlide.objects.create(title='test_title_Idais2pheepeiz5uph1c').agenda_item
def test_normal_by_anonymous_without_perm_to_see_hidden_items(self):
group = get_user_model().groups.field.related_model.objects.get(pk=1) # Group with pk 1 is for anonymous users.
permission_string = 'agenda.can_see_hidden_items'
app_label, codename = permission_string.split('.')
permission = group.permissions.get(content_type__app_label=app_label, codename=codename)
group.permissions.remove(permission)
self.item.type = Item.AGENDA_ITEM
self.item.save()
response = self.client.get(reverse('item-detail', args=[self.item.pk]))
self.assertEqual(response.status_code, status.HTTP_200_OK)
def test_hidden_by_anonymous_without_perm_to_see_hidden_items(self):
group = get_user_model().groups.field.related_model.objects.get(pk=1) # Group with pk 1 is for anonymous users.
permission_string = 'agenda.can_see_hidden_items'
app_label, codename = permission_string.split('.')
permission = group.permissions.get(content_type__app_label=app_label, codename=codename)
group.permissions.remove(permission)
response = self.client.get(reverse('item-detail', args=[self.item.pk]))
self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
class ManageSpeaker(TestCase): class ManageSpeaker(TestCase):
""" """
Tests managing speakers. Tests managing speakers.
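Review bot: test_hidden_by_anonymous_without_perm_to_see_hidden_items relies on the item created in setUp being hidden by default, because nothing in the test sets its type. A change to the model default would then break the test for a reason unrelated to the view, so the type should be assigned explicitly, the way the first test does with `self.item.type = Item.AGENDA_ITEM`. Both tests also repeat the same five permission-removal lines, which could move into setUp or a small helper. Coverage is limited to the detail endpoint for anonymous users; a list-endpoint case and a case where the permission is still granted would check the filter from both sides.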