From cf020c471b66f3d7f0d2e681a296eb7e8d3db9b5 Mon Sep 17 00:00:00 2001 From: luisa-beerboom <101706784+luisa-beerboom@users.noreply.github.com> Date: Wed, 20 Nov 2024 10:01:09 +0100 Subject: [PATCH] Agenda item permission checks for motion.create (#2728) --- .../action/actions/motion/create.py | 5 +++ tests/system/action/motion/test_create.py | 43 +++++++++++++++++++ 2 files changed, 48 insertions(+) diff --git a/openslides_backend/action/actions/motion/create.py b/openslides_backend/action/actions/motion/create.py index 2a7128b83..01c241e99 100644 --- a/openslides_backend/action/actions/motion/create.py +++ b/openslides_backend/action/actions/motion/create.py @@ -149,6 +149,11 @@ def check_permissions(self, instance: dict[str, Any]) -> None: # whitelist the fields depending on the user's permissions whitelist = [] forbidden_fields = set() + perm = Permissions.AgendaItem.CAN_MANAGE + if has_perm(self.datastore, self.user_id, perm, instance["meeting_id"]): + whitelist = [*agenda_creation_properties.keys()] + elif contained := set(agenda_creation_properties.keys()).intersection(instance): + forbidden_fields.update(contained) perm = Permissions.Mediafile.CAN_SEE if has_perm(self.datastore, self.user_id, perm, instance["meeting_id"]): whitelist.append("attachment_mediafile_ids") diff --git a/tests/system/action/motion/test_create.py b/tests/system/action/motion/test_create.py index 4740c9e8a..5e4b305fe 100644 --- a/tests/system/action/motion/test_create.py +++ b/tests/system/action/motion/test_create.py @@ -4,6 +4,7 @@ from openslides_backend.action.mixins.delegation_based_restriction_mixin import ( DelegationBasedRestriction, ) +from openslides_backend.models.models import AgendaItem from openslides_backend.permissions.base_classes import Permission from openslides_backend.permissions.permissions import Permissions from tests.system.action.base import BaseActionTestCase @@ -422,6 +423,48 @@ def setup_permission_test( if additional_data: self.set_models(additional_data) + def test_create_permission_agenda_allowed(self) -> None: + self.setup_permission_test( + [ + Permissions.AgendaItem.CAN_MANAGE, + Permissions.Motion.CAN_CREATE, + Permissions.Motion.CAN_MANAGE_METADATA, + ] + ) + response = self.request( + "motion.create", + { + "title": "test_Xcdfgee", + "meeting_id": 1, + "text": "test", + "agenda_create": True, + "agenda_type": AgendaItem.INTERNAL_ITEM, + }, + ) + self.assert_status_code(response, 200) + + def test_create_permission_agenda_forbidden(self) -> None: + self.setup_permission_test( + [ + Permissions.Motion.CAN_CREATE, + Permissions.Motion.CAN_MANAGE_METADATA, + ] + ) + response = self.request( + "motion.create", + { + "title": "test_Xcdfgee", + "meeting_id": 1, + "text": "test", + "agenda_create": True, + "agenda_type": AgendaItem.INTERNAL_ITEM, + }, + ) + self.assert_status_code(response, 403) + assert "Forbidden fields: " in response.json["message"] + assert "agenda_create" in response.json["message"] + assert "agenda_type" in response.json["message"] + def test_create_permission_missing_can_manage(self) -> None: self.setup_permission_test([Permissions.Motion.CAN_CREATE]) response = self.request(