Allow meeting admin user to update a non admin user that shares all his meetings with requesting user.

openslides_backend/action/actions/user/create_update_permissions_mixin.py

@@ -213,7 +213,9 @@ class CreateUpdatePermissionsMixin(UserMixin, UserScopeMixin, Action):
     def check_permissions(self, instance: dict[str, Any]) -> None:
         """
         Checks the permissions on a per field and user.scope base, details see
-        https://github.com/OpenSlides/OpenSlides/wiki/user.update or user.create
+        https://github.com/OpenSlides/OpenSlides/wiki/Users
+        https://github.com/OpenSlides/OpenSlides/wiki/Permission-System
+        https://github.com/OpenSlides/OpenSlides/wiki/Restrictions-Overview
         The fields groups and their necessary permissions are also documented there.
         """
         self.assert_not_anonymous()
@@ -227,13 +229,14 @@ def check_permissions(self, instance: dict[str, Any]) -> None:
             )
         actual_group_fields = self._get_actual_grouping_from_instance(instance)
 
-        # store scope, id and OML-permission for requested user
+        # store id, scope, scope id and OML-permission for requested user
+        self.instance_id = instance.get("id", 0)
         (
             self.instance_user_scope,
             self.instance_user_scope_id,
             self.instance_user_oml_permission,
             self.instance_committee_ids,
-        ) = self.get_user_scope(instance.get("id") or instance)
+        ) = self.get_user_scope(self.instance_id or instance)
 
         if self.permstore.user_oml != OrganizationManagementLevel.SUPERADMIN:
             self._check_for_higher_OML(actual_group_fields, instance)
@@ -247,7 +250,9 @@ def check_permissions(self, instance: dict[str, Any]) -> None:
                 lock_result=False,
             ).get("locked_from_inside", False)
 
-        # Ordered by supposed velocity advantages. Changing order can only effect the sequence of detected errors for tests
+        # Ordered by supposed speed advantages. Changing order can only effect the sequence of detected errors for tests
+        if self._meeting_admin_can_manage_non_admin():
+            return
         self.check_group_H(actual_group_fields["H"])
         self.check_group_E(actual_group_fields["E"], instance)
         self.check_group_D(actual_group_fields["D"], instance)
@@ -257,6 +262,75 @@ def check_permissions(self, instance: dict[str, Any]) -> None:
         self.check_group_F(actual_group_fields["F"])
         self.check_group_G(actual_group_fields["G"])
 
+    def _meeting_admin_can_manage_non_admin(self) -> bool:
+        """
+        Checks if the requesting user has permissions to manage participants in all of requested users meetings.
+        Also checks if the requesting user has meeting admin rights and the requested user doesn't.
+        Returns true if permissions are given. False if not. Raises no Exceptions.
+        """
+        if not self.instance_id:
+            return False
+        b_user = self.datastore.get(
+            fqid_from_collection_and_id("user", self.instance_id),
+            ["meeting_ids", "committee_management_ids"],
+            lock_result=False,
+        )
+        if b_user.get("committee_management_ids"):
+            return False
+        b_meeting_ids = set(b_user.get("meeting_ids", []))
+        if not b_meeting_ids:
+            return False
+        a_meeting_ids = self.permstore.user_meetings
+        intersection_meeting_ids = a_meeting_ids.intersection(b_meeting_ids)
+        if not b_meeting_ids.issubset(intersection_meeting_ids):
+            return False
+        intersection_meetings = self.datastore.get_many(
+            [
+                GetManyRequest(
+                    "meeting",
+                    list(intersection_meeting_ids),
+                    ["meeting_user_ids", "admin_group_id"],
+                )
+            ],
+            lock_result=False,
+        ).get("meeting", {})
+        for meeting_id, meeting_dict in intersection_meetings.items():
+            # get meetings admins
+            admin_group = self.datastore.get(
+                fqid_from_collection_and_id(
+                    "group", meeting_dict.get("admin_group_id", 0)
+                ),
+                ["meeting_user_ids"],
+                lock_result=False,
+            )
+            admin_meeting_users = self.datastore.get_many(
+                [
+                    GetManyRequest(
+                        "meeting_user",
+                        admin_group.get("meeting_user_ids", []),
+                        ["user_id"],
+                    )
+                ],
+                lock_result=False,
+            ).get("meeting_user", {})
+            # if instance/requested user is a meeting admin in this meeting.
+            if [
+                admin_meeting_user
+                for admin_meeting_user in admin_meeting_users.values()
+                if admin_meeting_user.get("user_id") == self.instance_id
+            ] != []:
+                return False
+            # if requesting user is not a meeting admin in this meeting.
+            if not next(
+                iter(
+                    admin_meeting_user
+                    for admin_meeting_user in admin_meeting_users.values()
+                    if admin_meeting_user.get("user_id") == self.user_id
+                )
+            ):
+                return False
+        return True
+
     def check_group_A(
         self,
         fields: list[str],
@@ -475,8 +549,9 @@ def _get_actual_grouping_from_instance(
         """
         Returns a dictionary with an entry for each field group A-E with
         a list of fields from payload instance.
-        The field groups A-F refer to https://github.com/OpenSlides/OpenSlides/wiki/user.create
-        or user.update
+        The field groups A-F refer to https://github.com/OpenSlides/openslides-meta/blob/main/models.yml
+        or https://github.com/OpenSlides/openslides-backend/blob/main/docs/actions/user.create.md
+        or https://github.com/OpenSlides/openslides-backend/blob/main/docs/actions/user.update.md
         """
         act_grouping: dict[str, list[str]] = defaultdict(list)
         for key, _ in instance.items():

tests/system/action/user/test_update.py

@@ -860,6 +860,83 @@ def test_perm_group_A_meeting_manage_user(self) -> None:
             },
         )
 
+    def test_perm_group_A_belongs_to_same_meetings(self) -> None:
+        """May update group A fields on any scope as long as admin user Ann belongs to all meetings user Ben belongs to. See issue 2522."""
+        self.permission_setup()  # meeting 1 + logged in test user + user 111
+        self.create_meeting(4)  # meeting 4
+        # Admin groups of meeting/1 and meeting/4 for test user
+        self.set_user_groups(self.user_id, [2, 5])
+        self.set_user_groups(111, [1, 4])  # 111 into both meetings
+        response = self.request(
+            "user.update",
+            {
+                "id": 111,
+                "pronoun": "I'm gonna get updated.",
+            },
+        )
+        self.assert_status_code(response, 200)
+        self.assert_model_exists(
+            "user/111",
+            {
+                "pronoun": "I'm gonna get updated.",
+            },
+        )
+
+    def test_perm_group_A_belongs_to_same_meetings_both_admin(self) -> None:
+        """May update group A fields on any scope as long as admin user Ann belongs to all meetings user Ben belongs to. See issue 2522."""
+        self.permission_setup()  # meeting 1 + logged in test user + user 111
+        self.create_meeting(4)  # meeting 4
+        # Admin groups of meeting/1 and meeting/4 for test user
+        self.set_user_groups(self.user_id, [2, 5])
+        self.set_user_groups(111, [1, 5])  # 111 into both meetings one admin group
+        response = self.request(
+            "user.update",
+            {
+                "id": 111,
+                "pronoun": "I'm not gonna get updated.",
+            },
+        )
+        self.assert_status_code(response, 403)
+        self.assertIn(
+            "You are not allowed to perform action user.update. Missing permission: OrganizationManagementLevel can_manage_users in organization 1",
+            response.json["message"],
+        )
+        self.assert_model_exists(
+            "user/111",
+            {
+                "pronoun": None,
+            },
+        )
+
+    def test_perm_group_A_belongs_to_same_meetings_committe_admin(self) -> None:
+        """May not update group A fields on any scope as long as admin user Ann belongs
+        to all meetings user Ben belongs to but Ben is committee admin. See issue 2522.
+        """
+        self.permission_setup()  # meeting 1 + logged in test user + user 111
+        self.create_meeting(4)  # meeting 4
+        # Admin groups of meeting/1 and meeting/4 for test user
+        self.set_user_groups(self.user_id, [2, 5])
+        self.set_user_groups(111, [1, 4])  # 111 into both meetings
+        self.set_committee_management_level([60], 111)  # 111 is committee admin
+        response = self.request(
+            "user.update",
+            {
+                "id": 111,
+                "pronoun": "I'm not gonna get updated.",
+            },
+        )
+        self.assert_status_code(response, 403)
+        self.assertIn(
+            "You are not allowed to perform action user.update. Missing permission: OrganizationManagementLevel can_manage_users in organization 1",
+            response.json["message"],
+        )
+        self.assert_model_exists(
+            "user/111",
+            {
+                "pronoun": None,
+            },
+        )
+
     def test_perm_group_A_meeting_manage_user_archived_meeting(self) -> None:
         self.perm_group_A_meeting_manage_user_archived_meeting(
             Permissions.User.CAN_UPDATE