Prevent user can manage for groups with locked out users

openslides_backend/action/actions/group/update.py

@@ -9,6 +9,7 @@
     is_admin,
 )
 from ....permissions.permissions import Permissions
+from ....services.datastore.commands import GetManyRequest
 from ....shared.patterns import fqid_from_collection_and_id
 from ...generics.update import UpdateAction
 from ...util.default_schema import DefaultSchema
@@ -29,14 +30,16 @@ class GroupUpdateAction(GroupMixin, UpdateAction):
     permission = Permissions.User.CAN_MANAGE
 
     def update_instance(self, instance: dict[str, Any]) -> dict[str, Any]:
+        group = self.datastore.get(
+            fqid_from_collection_and_id("group", instance["id"]),
+            ["anonymous_group_for_meeting_id", "meeting_user_ids"],
+        )
         if "permissions" in instance:
             instance["permissions"] = filter_surplus_permissions(
                 instance["permissions"]
             )
-        if self.datastore.get(
-            fqid_from_collection_and_id("group", instance["id"]),
-            ["anonymous_group_for_meeting_id"],
-        ).get("anonymous_group_for_meeting_id"):
+            self.check_locked_users(instance, group.get("meeting_user_ids", []))
+        if group.get("anonymous_group_for_meeting_id"):
             if perms := instance.get("permissions", []):
                 check_if_perms_are_allowed_for_anonymous(perms)
             if "name" in instance:
@@ -52,3 +55,20 @@ def check_permissions(self, instance: dict[str, Any]) -> None:
             self.get_meeting_id(instance),
         ):
             raise PermissionDenied("Missing permission: Not admin of this meeting")
+
+    def check_locked_users(
+        self, instance: dict[str, Any], meeting_user_ids: list[int]
+    ) -> None:
+        if meeting_user_ids and {Permissions.User.CAN_MANAGE}.intersection(
+            instance.get("permissions", [])
+        ):
+            meeting_users = self.datastore.get_many(
+                [GetManyRequest("meeting_user", meeting_user_ids, ["locked_out"])]
+            )["meeting_user"]
+            if any(
+                meeting_user.get("locked_out", False)
+                for meeting_user in meeting_users.values()
+            ):
+                raise ActionException(
+                    "Cannot give user manage permissions to a group with locked users."
+                )

tests/system/action/group/test_update.py

@@ -103,6 +103,33 @@ def test_update_allowed(self) -> None:
             Permissions.User.CAN_MANAGE,
         )
 
+    def test_update_with_user(self) -> None:
+        self.create_user("sherlock", [3])
+        response = self.request(
+            "group.update", {"id": 3, "permissions": [Permissions.User.CAN_MANAGE]}
+        )
+        self.assert_status_code(response, 200)
+
+    def test_update_with_locked_out_user_error(self) -> None:
+        self.create_user("sherlock", [3])
+        self.set_models({"meeting_user/1": {"locked_out": True}})
+        response = self.request(
+            "group.update", {"id": 3, "permissions": [Permissions.User.CAN_MANAGE]}
+        )
+        self.assert_status_code(response, 400)
+        self.assertIn(
+            "Cannot give user manage permissions to a group with locked users.",
+            response.json["message"],
+        )
+
+    def test_update_with_locked_out_user_no_error(self) -> None:
+        self.create_user("sherlock", [3])
+        self.set_models({"meeting_user/1": {"locked_out": True}})
+        response = self.request(
+            "group.update", {"id": 3, "permissions": [Permissions.User.CAN_SEE]}
+        )
+        self.assert_status_code(response, 200)
+
     def test_update_permission_locked_meeting(self) -> None:
         self.base_locked_out_superadmin_permission_test(
             {},