Agenda item permission checks for motion.create #2728

Merged
5 changes: 5 additions & 0 deletions openslides_backend/action/actions/motion/create.py
Expand Up @@ -149,6 +149,11 @@ def check_permissions(self, instance: dict[str, Any]) -> None:
# whitelist the fields depending on the user's permissions
whitelist = []
forbidden_fields = set()
perm = Permissions.AgendaItem.CAN_MANAGE
if has_perm(self.datastore, self.user_id, perm, instance["meeting_id"]):
whitelist = [*agenda_creation_properties.keys()]
elif contained := set(agenda_creation_properties.keys()).intersection(instance):
forbidden_fields.update(contained)
perm = Permissions.Mediafile.CAN_SEE
if has_perm(self.datastore, self.user_id, perm, instance["meeting_id"]):
whitelist.append("attachment_mediafile_ids")
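Review bot: The CAN_MANAGE branch on the line `whitelist = [*agenda_creation_properties.keys()]` replaces the list initialised a few lines above instead of extending it, which is inconsistent with the `whitelist.append("attachment_mediafile_ids")` that follows and would silently drop any entries added before it if the order of these checks ever changes; `whitelist.extend(agenda_creation_properties)` yields the same keys in the same order and matches the shape of the mediafile check. The `elif` deliberately reports every agenda field present in the payload as forbidden regardless of its value, so a client that echoes `agenda_create: False` without CAN_MANAGE is rejected as well — a one-line comment such as `# any agenda field in the payload requires AgendaItem.CAN_MANAGE, whatever its value` would stop a later reader from relaxing it into a value check. check_permissions starts and ends outside the hunk, so where forbidden_fields is turned into the 403 is not visible here.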
43 changes: 43 additions & 0 deletions tests/system/action/motion/test_create.py
Expand Up @@ -4,6 +4,7 @@
from openslides_backend.action.mixins.delegation_based_restriction_mixin import (
DelegationBasedRestriction,
)
from openslides_backend.models.models import AgendaItem
from openslides_backend.permissions.base_classes import Permission
from openslides_backend.permissions.permissions import Permissions
from tests.system.action.base import BaseActionTestCase
Expand Down Expand Up @@ -422,6 +423,48 @@ def setup_permission_test(
if additional_data:
self.set_models(additional_data)

def test_create_permission_agenda_allowed(self) -> None:
self.setup_permission_test(
[
Permissions.AgendaItem.CAN_MANAGE,
Permissions.Motion.CAN_CREATE,
Permissions.Motion.CAN_MANAGE_METADATA,
]
)
response = self.request(
"motion.create",
{
"title": "test_Xcdfgee",
"meeting_id": 1,
"text": "test",
"agenda_create": True,
"agenda_type": AgendaItem.INTERNAL_ITEM,
},
)
self.assert_status_code(response, 200)

def test_create_permission_agenda_forbidden(self) -> None:
self.setup_permission_test(
[
Permissions.Motion.CAN_CREATE,
Permissions.Motion.CAN_MANAGE_METADATA,
]
)
response = self.request(
"motion.create",
{
"title": "test_Xcdfgee",
"meeting_id": 1,
"text": "test",
"agenda_create": True,
"agenda_type": AgendaItem.INTERNAL_ITEM,
},
)
self.assert_status_code(response, 403)
assert "Forbidden fields: " in response.json["message"]
assert "agenda_create" in response.json["message"]
assert "agenda_type" in response.json["message"]

def test_create_permission_missing_can_manage(self) -> None:
self.setup_permission_test([Permissions.Motion.CAN_CREATE])
response = self.request(
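Review bot: Both new tests stop at the HTTP status and message: `test_create_permission_agenda_allowed` never checks that an agenda item of the requested type was actually written, and `test_create_permission_agenda_forbidden` never checks that no motion or agenda item was persisted despite the 403, which is the property the permission check exists to guarantee. Adding a model assertion after each status check (using whichever model-existence helper BaseActionTestCase provides; it is not visible in this hunk) would pin the behaviour rather than the wording of the error. The request payload is also duplicated verbatim between the two tests, so a module-level constant or a small helper returning the dict would keep future field changes in one place. The enclosing test class starts before this hunk, and `test_create_permission_missing_can_manage` continues past it.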