Agenda item permission checks for motion.create (#2728)
luisa-beerboom authored Nov 20, 2024
1 parent b5921c5 commit cf020c4
Showing 2 changed files with 48 additions and 0 deletions.
5 changes: 5 additions & 0 deletions openslides_backend/action/actions/motion/create.py
Expand Up @@ -149,6 +149,11 @@ def check_permissions(self, instance: dict[str, Any]) -> None:
# whitelist the fields depending on the user's permissions
whitelist = []
forbidden_fields = set()
perm = Permissions.AgendaItem.CAN_MANAGE
if has_perm(self.datastore, self.user_id, perm, instance["meeting_id"]):
whitelist = [*agenda_creation_properties.keys()]
elif contained := set(agenda_creation_properties.keys()).intersection(instance):
forbidden_fields.update(contained)
perm = Permissions.Mediafile.CAN_SEE
if has_perm(self.datastore, self.user_id, perm, instance["meeting_id"]):
whitelist.append("attachment_mediafile_ids")
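Review bot: The new `elif contained := set(agenda_creation_properties.keys()).intersection(instance):` branch rejects on key presence rather than value, so a caller without `Permissions.AgendaItem.CAN_MANAGE` who sends `"agenda_create": False` is still refused. That is the fail-closed direction for a permission check and probably intended, but it should be written down so a later cleanup does not relax it to a truthiness test; I would add `# agenda fields need AgendaItem.CAN_MANAGE; any agenda key present is forbidden, even with a falsy value` above the `if`. `check_permissions` starts before and continues past this hunk, so how `whitelist` and `forbidden_fields` are consumed, and whether this block runs for every caller, cannot be confirmed from the lines shown.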
43 changes: 43 additions & 0 deletions tests/system/action/motion/test_create.py
Expand Up @@ -4,6 +4,7 @@
from openslides_backend.action.mixins.delegation_based_restriction_mixin import (
DelegationBasedRestriction,
)
from openslides_backend.models.models import AgendaItem
from openslides_backend.permissions.base_classes import Permission
from openslides_backend.permissions.permissions import Permissions
from tests.system.action.base import BaseActionTestCase
Expand Down Expand Up @@ -422,6 +423,48 @@ def setup_permission_test(
if additional_data:
self.set_models(additional_data)

def test_create_permission_agenda_allowed(self) -> None:
self.setup_permission_test(
[
Permissions.AgendaItem.CAN_MANAGE,
Permissions.Motion.CAN_CREATE,
Permissions.Motion.CAN_MANAGE_METADATA,
]
)
response = self.request(
"motion.create",
{
"title": "test_Xcdfgee",
"meeting_id": 1,
"text": "test",
"agenda_create": True,
"agenda_type": AgendaItem.INTERNAL_ITEM,
},
)
self.assert_status_code(response, 200)

def test_create_permission_agenda_forbidden(self) -> None:
self.setup_permission_test(
[
Permissions.Motion.CAN_CREATE,
Permissions.Motion.CAN_MANAGE_METADATA,
]
)
response = self.request(
"motion.create",
{
"title": "test_Xcdfgee",
"meeting_id": 1,
"text": "test",
"agenda_create": True,
"agenda_type": AgendaItem.INTERNAL_ITEM,
},
)
self.assert_status_code(response, 403)
assert "Forbidden fields: " in response.json["message"]
assert "agenda_create" in response.json["message"]
assert "agenda_type" in response.json["message"]

def test_create_permission_missing_can_manage(self) -> None:
self.setup_permission_test([Permissions.Motion.CAN_CREATE])
response = self.request(
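Review bot: Neither new test covers a caller who holds `Permissions.Motion.CAN_MANAGE` but lacks `Permissions.AgendaItem.CAN_MANAGE`; both grant only `Permissions.Motion.CAN_CREATE` and `Permissions.Motion.CAN_MANAGE_METADATA` on the motion side. If the agenda check in create.py is reached only on a restricted-field path (not visible in that hunk), such a caller would skip it and these tests would still pass, so a third case asserting 403 for that permission set would pin the intended boundary. `test_create_permission_agenda_allowed` also stops at `self.assert_status_code(response, 200)`; checking that the agenda item was actually created with `AgendaItem.INTERNAL_ITEM` would show that the whitelisted fields take effect rather than being dropped silently.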