Fixed get_queryset method of ItemViewSet. Fixed #2027.

This commit is contained in:
Norman Jäckel 2016-03-04 11:24:22 +01:00
parent 66de30f852
commit bc93b61a02
2 changed files with 36 additions and 4 deletions

View File

@ -68,10 +68,11 @@ class ItemViewSet(ListModelMixin, RetrieveModelMixin, UpdateModelMixin, GenericV
"""
Filters organizational items if the user has no permission to see them.
"""
if self.request.user.has_perm('agenda.can_see_hidden_items'):
return super().get_queryset()
else:
return Item.objects.get_only_agenda_items()
queryset = super().get_queryset()
if not self.request.user.has_perm('agenda.can_see_hidden_items'):
pk_list = [item.pk for item in Item.objects.get_only_agenda_items()]
queryset = queryset.filter(pk__in=pk_list)
return queryset
@detail_route(methods=['POST', 'DELETE'])
def manage_speaker(self, request, pk=None):

View File

@ -1,5 +1,6 @@
from django.contrib.auth import get_user_model
from django.core.urlresolvers import reverse
from rest_framework import status
from rest_framework.test import APIClient
from openslides.agenda.models import Item, Speaker
@ -8,6 +9,36 @@ from openslides.core.models import CustomSlide, Projector
from openslides.utils.test import TestCase
class RetrieveItem(TestCase):
"""
Tests retrieving items.
"""
def setUp(self):
self.client = APIClient()
config['general_system_enable_anonymous'] = True
self.item = CustomSlide.objects.create(title='test_title_Idais2pheepeiz5uph1c').agenda_item
def test_normal_by_anonymous_without_perm_to_see_hidden_items(self):
group = get_user_model().groups.field.related_model.objects.get(pk=1) # Group with pk 1 is for anonymous users.
permission_string = 'agenda.can_see_hidden_items'
app_label, codename = permission_string.split('.')
permission = group.permissions.get(content_type__app_label=app_label, codename=codename)
group.permissions.remove(permission)
self.item.type = Item.AGENDA_ITEM
self.item.save()
response = self.client.get(reverse('item-detail', args=[self.item.pk]))
self.assertEqual(response.status_code, status.HTTP_200_OK)
def test_hidden_by_anonymous_without_perm_to_see_hidden_items(self):
group = get_user_model().groups.field.related_model.objects.get(pk=1) # Group with pk 1 is for anonymous users.
permission_string = 'agenda.can_see_hidden_items'
app_label, codename = permission_string.split('.')
permission = group.permissions.get(content_type__app_label=app_label, codename=codename)
group.permissions.remove(permission)
response = self.client.get(reverse('item-detail', args=[self.item.pk]))
self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
class ManageSpeaker(TestCase):
"""
Tests managing speakers.