Fixed get_queryset method of ItemViewSet. Fixed #2027.
parent
66de30f852
commit
bc93b61a02
@ -68,10 +68,11 @@ class ItemViewSet(ListModelMixin, RetrieveModelMixin, UpdateModelMixin, GenericV
|
||||
"""
|
||||
Filters organizational items if the user has no permission to see them.
|
||||
"""
|
||||
if self.request.user.has_perm('agenda.can_see_hidden_items'):
|
||||
return super().get_queryset()
|
||||
else:
|
||||
return Item.objects.get_only_agenda_items()
|
||||
queryset = super().get_queryset()
|
||||
if not self.request.user.has_perm('agenda.can_see_hidden_items'):
|
||||
pk_list = [item.pk for item in Item.objects.get_only_agenda_items()]
|
||||
queryset = queryset.filter(pk__in=pk_list)
|
||||
return queryset
|
||||
|
||||
@detail_route(methods=['POST', 'DELETE'])
|
||||
def manage_speaker(self, request, pk=None):
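Review bot: The hidden-item restriction lives only in `get_queryset`, so it protects an action only when that action resolves its item through `self.get_object()`. `manage_speaker`, whose signature closes this hunk and whose body lies outside it, should be checked for a direct lookup such as `Item.objects.get(pk=pk)` that would skip the filter. Separately, `pk_list = [item.pk for item in Item.objects.get_only_agenda_items()]` instantiates every visible item in Python on each request from a user without the permission. If `get_only_agenda_items()` cannot return a queryset, a comment above that line such as `# get_only_agenda_items() is not a queryset, so collect the pks and narrow the view's own queryset` would record why. The `def get_queryset` line itself is above the hunk and not visible here.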
|
||||
|
@ -1,5 +1,6 @@
|
||||
from django.contrib.auth import get_user_model
|
||||
from django.core.urlresolvers import reverse
|
||||
from rest_framework import status
|
||||
from rest_framework.test import APIClient
|
||||
|
||||
from openslides.agenda.models import Item, Speaker
|
||||
@ -8,6 +9,36 @@ from openslides.core.models import CustomSlide, Projector
|
||||
from openslides.utils.test import TestCase
|
||||
|
||||
|
||||
class RetrieveItem(TestCase):
|
||||
"""
|
||||
Tests retrieving items.
|
||||
"""
|
||||
def setUp(self):
|
||||
self.client = APIClient()
|
||||
config['general_system_enable_anonymous'] = True
|
||||
self.item = CustomSlide.objects.create(title='test_title_Idais2pheepeiz5uph1c').agenda_item
|
||||
|
||||
def test_normal_by_anonymous_without_perm_to_see_hidden_items(self):
|
||||
group = get_user_model().groups.field.related_model.objects.get(pk=1) # Group with pk 1 is for anonymous users.
|
||||
permission_string = 'agenda.can_see_hidden_items'
|
||||
app_label, codename = permission_string.split('.')
|
||||
permission = group.permissions.get(content_type__app_label=app_label, codename=codename)
|
||||
group.permissions.remove(permission)
|
||||
self.item.type = Item.AGENDA_ITEM
|
||||
self.item.save()
|
||||
response = self.client.get(reverse('item-detail', args=[self.item.pk]))
|
||||
self.assertEqual(response.status_code, status.HTTP_200_OK)
|
||||
|
||||
def test_hidden_by_anonymous_without_perm_to_see_hidden_items(self):
|
||||
group = get_user_model().groups.field.related_model.objects.get(pk=1) # Group with pk 1 is for anonymous users.
|
||||
permission_string = 'agenda.can_see_hidden_items'
|
||||
app_label, codename = permission_string.split('.')
|
||||
permission = group.permissions.get(content_type__app_label=app_label, codename=codename)
|
||||
group.permissions.remove(permission)
|
||||
response = self.client.get(reverse('item-detail', args=[self.item.pk]))
|
||||
self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
|
||||
|
||||
|
||||
class ManageSpeaker(TestCase):
|
||||
"""
|
||||
Tests managing speakers.
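Review bot: Both new tests in `RetrieveItem` request only `item-detail` as an anonymous client, so the list route, which passes through the same `get_queryset` filter, has no regression test showing that a hidden item is left out of the response. `test_hidden_by_anonymous_without_perm_to_see_hidden_items` also depends on the freshly created item defaulting to a hidden type. Setting `self.item.type` explicitly, as the first test does with `Item.AGENDA_ITEM`, would keep the 404 assertion meaningful if that default ever changes. The five permission-removal lines are repeated verbatim in both tests and could move into a small helper method on the test class.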
|
||||
|