From 8cfb077747dac6ec06b797a978393745f1cb7d87 Mon Sep 17 00:00:00 2001
From: luisa-beerboom <101706784+luisa-beerboom@users.noreply.github.com>
Date: Tue, 17 Sep 2024 15:17:59 +0200
Subject: [PATCH] Prevent user can manage for groups with locked out users (#2616)

---
 .../action/actions/group/update.py       | 28 ++++++++++++++++---
 tests/system/action/group/test_update.py | 27 ++++++++++++++++++
 2 files changed, 51 insertions(+), 4 deletions(-)

diff --git a/openslides_backend/action/actions/group/update.py b/openslides_backend/action/actions/group/update.py
index 8f394757b..713defcb3 100644
--- a/openslides_backend/action/actions/group/update.py
+++ b/openslides_backend/action/actions/group/update.py
@@ -9,6 +9,7 @@
     is_admin,
 )
 from ....permissions.permissions import Permissions
+from ....services.datastore.commands import GetManyRequest
 from ....shared.patterns import fqid_from_collection_and_id
 from ...generics.update import UpdateAction
 from ...util.default_schema import DefaultSchema
@@ -29,14 +30,16 @@ class GroupUpdateAction(GroupMixin, UpdateAction):
     permission = Permissions.User.CAN_MANAGE
 
     def update_instance(self, instance: dict[str, Any]) -> dict[str, Any]:
+        group = self.datastore.get(
+            fqid_from_collection_and_id("group", instance["id"]),
+            ["anonymous_group_for_meeting_id", "meeting_user_ids"],
+        )
         if "permissions" in instance:
             instance["permissions"] = filter_surplus_permissions(
                 instance["permissions"]
             )
-        if self.datastore.get(
-            fqid_from_collection_and_id("group", instance["id"]),
-            ["anonymous_group_for_meeting_id"],
-        ).get("anonymous_group_for_meeting_id"):
+        self.check_locked_users(instance, group.get("meeting_user_ids", []))
+        if group.get("anonymous_group_for_meeting_id"):
             if perms := instance.get("permissions", []):
                 check_if_perms_are_allowed_for_anonymous(perms)
             if "name" in instance:
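Review bot: `check_locked_users` is handed the stored `meeting_user_ids` of the group, so if the update payload can also carry membership changes (the schema is not visible from here) a single request that grants CAN_MANAGE and adds a locked-out member at once would pass the check against the old membership; if that field is updatable, the ids from the payload should take precedence, e.g. `self.check_locked_users(instance, instance.get("meeting_user_ids", group.get("meeting_user_ids", [])))`. The body of `update_instance` continues past the hunk. A one-line comment above the call, `# lock-out must not be bypassed by granting manage rights to a group the user sits in`, would record why this validation is run on every permission change.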
@@ -52,3 +55,20 @@ def check_permissions(self, instance: dict[str, Any]) -> None:
             self.get_meeting_id(instance),
         ):
             raise PermissionDenied("Missing permission: Not admin of this meeting")
+
+    def check_locked_users(
+        self, instance: dict[str, Any], meeting_user_ids: list[int]
+    ) -> None:
+        if meeting_user_ids and {Permissions.User.CAN_MANAGE}.intersection(
+            instance.get("permissions", [])
+        ):
+            meeting_users = self.datastore.get_many(
+                [GetManyRequest("meeting_user", meeting_user_ids, ["locked_out"])]
+            )["meeting_user"]
+            if any(
+                meeting_user.get("locked_out", False)
+                for meeting_user in meeting_users.values()
+            ):
+                raise ActionException(
+                    "Cannot give user manage permissions to a group with locked users."
+                )
diff --git a/tests/system/action/group/test_update.py b/tests/system/action/group/test_update.py
index 4a10ab7d0..6d8bd8f4e 100644
--- a/tests/system/action/group/test_update.py
+++ b/tests/system/action/group/test_update.py
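Review bot: `check_locked_users` rejects any payload whose `permissions` list contains CAN_MANAGE without comparing against the permissions the group already holds, so a client that re-sends an unchanged permission list (as form-based editors typically do) for a group that already has CAN_MANAGE and a locked-out member gets this error even though nothing is being granted; if that state is reachable through other actions, `permissions` should be fetched together with `meeting_user_ids` and the check limited to newly added permissions. The set intersection is heavier than needed for a single value: `if meeting_user_ids and Permissions.User.CAN_MANAGE in instance.get("permissions", []):` reads the same and avoids building a set on every call. The method also has no docstring; a short one stating that it raises `ActionException` when manage rights would be granted to a group containing a locked-out meeting user, and that it is a no-op when `permissions` is absent from the payload, would help the next reader.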
@@ -103,6 +103,33 @@ def test_update_allowed(self) -> None:
             Permissions.User.CAN_MANAGE,
         )
 
+    def test_update_with_user(self) -> None:
+        self.create_user("sherlock", [3])
+        response = self.request(
+            "group.update", {"id": 3, "permissions": [Permissions.User.CAN_MANAGE]}
+        )
+        self.assert_status_code(response, 200)
+
+    def test_update_with_locked_out_user_error(self) -> None:
+        self.create_user("sherlock", [3])
+        self.set_models({"meeting_user/1": {"locked_out": True}})
+        response = self.request(
+            "group.update", {"id": 3, "permissions": [Permissions.User.CAN_MANAGE]}
+        )
+        self.assert_status_code(response, 400)
+        self.assertIn(
+            "Cannot give user manage permissions to a group with locked users.",
+            response.json["message"],
+        )
+
+    def test_update_with_locked_out_user_no_error(self) -> None:
+        self.create_user("sherlock", [3])
+        self.set_models({"meeting_user/1": {"locked_out": True}})
+        response = self.request(
+            "group.update", {"id": 3, "permissions": [Permissions.User.CAN_SEE]}
+        )
+        self.assert_status_code(response, 200)
+
     def test_update_permission_locked_meeting(self) -> None:
         self.base_locked_out_superadmin_permission_test(
             {},
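Review bot: `test_update_with_locked_out_user_error` and `test_update_with_locked_out_user_no_error` address `meeting_user/1` by a literal id that is only implicitly produced by `create_user("sherlock", [3])`; if the helper returns the created ids (not visible here), using them would make that coupling explicit, e.g. `self.set_models({f"meeting_user/{meeting_user_id}": {"locked_out": True}})` with `meeting_user_id` taken from the helper. Coverage is also missing for a group that already holds CAN_MANAGE when a locked-out member is present and an unrelated field such as `name` is updated together with the unchanged permission list, which would pin down whether the new check is meant to fire in that case. The three new tests repeat the same setup lines; a small helper would keep them in sync.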