From c6b1df9e247c02a5f56bc8c38b1c5abc599cf55b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Norman=20J=C3=A4ckel?=
Date: Sun, 15 Jan 2017 09:50:20 +0100
Subject: [PATCH] Fixed security issue #2850: Comments were shown for unprivileged users.

---
 CHANGELOG | 1 +
 openslides/agenda/access_permissions.py | 9 ++++++++-
 tests/integration/agenda/test_viewset.py | 8 ++++++++
 3 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG b/CHANGELOG
index 1f2d1d363..7bf3efed5 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -11,6 +11,7 @@ Version 2.1 (unreleased)
 Agenda:
 - Added button to remove all speakers from a list of speakers.
 - Added option to create or edit agenda items as subitems of others.
+- Fixed security issue: Comments were shown for unprivileged users.
 
 Core:
 - Added support for multiple projectors.
diff --git a/openslides/agenda/access_permissions.py b/openslides/agenda/access_permissions.py
index 19ce320ac..1581d694e 100644
--- a/openslides/agenda/access_permissions.py
+++ b/openslides/agenda/access_permissions.py
@@ -30,7 +30,14 @@ class ItemAccessPermissions(BaseAccessPermissions):
         if (has_perm(user, 'agenda.can_see') and (not full_data['is_hidden'] or has_perm(user, 'agenda.can_see_hidden_items'))):
-            data = full_data
+            if has_perm(user, 'agenda.can_manage'):
+                data = full_data
+            else:
+                # Strip out item comments for unprivileged users.
+                data = {}
+                for key in full_data.keys():
+                    if key != 'comment':
+                        data[key] = full_data[key]
         else:
             data = None
         return data
diff --git a/tests/integration/agenda/test_viewset.py b/tests/integration/agenda/test_viewset.py
index 06d6ec48a..01c87ae95 100644
--- a/tests/integration/agenda/test_viewset.py
+++ b/tests/integration/agenda/test_viewset.py
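Review bot: The field filter in the new `else` branch is a denylist keyed on the single literal `'comment'`, so any further manager-only field added to the item serializer later is exposed to `agenda.can_see` users by default unless this method is edited in step; a module-level tuple naming the restricted fields, referenced both here and where the serializer declares them, would keep the two in sync, and the four-line loop then collapses to `data = {key: value for key, value in full_data.items() if key != 'comment'}`. The enclosing method's signature and docstring lie outside the hunk, so it is not visible whether the restriction is documented there; its docstring should state that `comment` is only returned for users holding `agenda.can_manage`. The manager branch still hands back `full_data` itself rather than a copy, as the removed line did, so the two branches now return differently-owned objects — presumably harmless given the prior behaviour, but worth a one-line comment if callers may mutate the result.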
@@ -42,6 +42,14 @@ class RetrieveItem(TestCase):
         response = self.client.get(reverse('item-detail', args=[self.item.pk]))
         self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
 
+    def test_normal_by_anonymous_cant_see_agenda_comments(self):
+        self.item.type = Item.AGENDA_ITEM
+        self.item.comment = 'comment_gbiejd67gkbmsogh8374jf$kd'
+        self.item.save()
+        response = self.client.get(reverse('item-detail', args=[self.item.pk]))
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertTrue(response.data.get('comment') is None)
+
 
 class TestDBQueries(TestCase):
     """
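Review bot: The new test pins the fix from only one side: it exercises the anonymous client, but there is no case asserting that a logged-in user with `agenda.can_see` and without `agenda.can_manage` likewise receives no `comment`, nor that a manager still does, which is exactly the regression a later permission or serializer change would introduce. The final assertion is also looser than the contract — `self.assertTrue(response.data.get('comment') is None)` passes whether the key is stripped or present with a null value, whereas `self.assertNotIn('comment', response.data)` states the intended behaviour directly. Whether anonymous access is enabled for this class is configured outside the hunk (`RetrieveItem` begins before it), so the expected 200 is presumed from the surrounding tests rather than visible here.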