Agenda item permission checks for motion.create

OpenSlides · Nov 15, 2024 · a0e971e · a0e971e
1 parent b5921c5
commit a0e971e
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 0 deletions.
diff --git a/openslides_backend/action/actions/motion/create.py b/openslides_backend/action/actions/motion/create.py
@@ -149,6 +149,11 @@ def check_permissions(self, instance: dict[str, Any]) -> None:
         # whitelist the fields depending on the user's permissions
         whitelist = []
         forbidden_fields = set()
+        perm = Permissions.AgendaItem.CAN_MANAGE
+        if has_perm(self.datastore, self.user_id, perm, instance["meeting_id"]):
+            whitelist = [*agenda_creation_properties.keys()]
+        elif contained := set(agenda_creation_properties.keys()).intersection(instance):
+            forbidden_fields.update(contained)
         perm = Permissions.Mediafile.CAN_SEE
         if has_perm(self.datastore, self.user_id, perm, instance["meeting_id"]):
             whitelist.append("attachment_mediafile_ids")

diff --git a/tests/system/action/motion/test_create.py b/tests/system/action/motion/test_create.py
@@ -4,6 +4,7 @@
 from openslides_backend.action.mixins.delegation_based_restriction_mixin import (
     DelegationBasedRestriction,
 )
+from openslides_backend.models.models import AgendaItem
 from openslides_backend.permissions.base_classes import Permission
 from openslides_backend.permissions.permissions import Permissions
 from tests.system.action.base import BaseActionTestCase
@@ -422,6 +423,48 @@ def setup_permission_test(
         if additional_data:
             self.set_models(additional_data)
 
+    def test_create_permission_agenda_allowed(self) -> None:
+        self.setup_permission_test(
+            [
+                Permissions.AgendaItem.CAN_MANAGE,
+                Permissions.Motion.CAN_CREATE,
+                Permissions.Motion.CAN_MANAGE_METADATA,
+            ]
+        )
+        response = self.request(
+            "motion.create",
+            {
+                "title": "test_Xcdfgee",
+                "meeting_id": 1,
+                "text": "test",
+                "agenda_create": True,
+                "agenda_type": AgendaItem.INTERNAL_ITEM,
+            },
+        )
+        self.assert_status_code(response, 200)
+
+    def test_create_permission_agenda_forbidden(self) -> None:
+        self.setup_permission_test(
+            [
+                Permissions.Motion.CAN_CREATE,
+                Permissions.Motion.CAN_MANAGE_METADATA,
+            ]
+        )
+        response = self.request(
+            "motion.create",
+            {
+                "title": "test_Xcdfgee",
+                "meeting_id": 1,
+                "text": "test",
+                "agenda_create": True,
+                "agenda_type": AgendaItem.INTERNAL_ITEM,
+            },
+        )
+        self.assert_status_code(response, 403)
+        assert "Forbidden fields: " in response.json["message"]
+        assert "agenda_create" in response.json["message"]
+        assert "agenda_type" in response.json["message"]
+
     def test_create_permission_missing_can_manage(self) -> None:
         self.setup_permission_test([Permissions.Motion.CAN_CREATE])
         response = self.request(