Self actions (#156)

* Add tests for assignment.create_candidate The manager can assign himself in any phase Fixes #24 * motion.update Fixes #39
OpenSlides · Jan 27, 2021 · 2ea4078 · 2ea4078
1 parent c52cc7a
commit 2ea4078
Show file tree

Hide file tree

Showing 4 changed files with 85 additions and 1 deletion.
diff --git a/internal/collection/motion.go b/internal/collection/motion.go
@@ -18,6 +18,7 @@ func Motion(dp dataprovider.DataProvider) perm.ConnecterFunc {
 		s.RegisterAction("motion.set_state", m.modify("motion.can_manage_metadata"))
 		s.RegisterAction("motion.create", m.create())
 		s.RegisterAction("motion_submitter.create", m.submitterCreate())
+		s.RegisterAction("motion.update", m.modify("motion.can_manage"))
 
 		s.RegisterRestricter("motion", perm.CollectionFunc(m.readMotion))
 		s.RegisterRestricter("motion_submitter", perm.CollectionFunc(m.readSubmitter))
@@ -107,6 +108,17 @@ func (m *motion) modify(managePerm string) perm.ActionFunc {
 			return true, nil
 		}
 
+		// Non managers can only edit some fields
+		for k := range payload {
+			switch k {
+			case "id", "title", "text", "reason", "amendment_paragraphs":
+				continue
+			default:
+				perm.LogNotAllowedf("Non managers can not modify field %s", k)
+				return false, nil
+			}
+		}
+
 		motionID, err := strconv.Atoi(string(payload["id"]))
 		if err != nil {
 			return false, fmt.Errorf("invalid payload: %w", err)
@@ -118,6 +130,7 @@ func (m *motion) modify(managePerm string) perm.ActionFunc {
 		}
 
 		if !b {
+			perm.LogNotAllowedf("User %d can not see the motion", userID)
 			return false, nil
 		}
 

diff --git a/tests/assignment/candidate_create.yml b/tests/assignment/candidate_create.yml
@@ -27,6 +27,11 @@ cases:
     user_id: 1
     is_allowed: false
 
+  - name: nominate self as manager
+    permission: assignment.can_manage
+    user_id: 1
+    is_allowed: true
+
   - name: nominate other with perm
     permission: assignment.can_nominate_other
     is_allowed: true
@@ -57,6 +62,11 @@ cases:
     user_id: 1
     is_allowed: false
 
+  - name: nominate self as manager
+    permission: assignment.can_manage
+    user_id: 1
+    is_allowed: true
+
   - name: nominate other with perm
     permission: assignment.can_nominate_other
     is_allowed: false
@@ -67,3 +77,7 @@ cases:
   - name: nominate other with wrong perm
     permission: assignment.can_nominate_self
     is_allowed: false
+
+  - name: nominate other as manager
+    permission: assignment.can_manage
+    is_allowed: true
diff --git a/tests/motion/delete.yml b/tests/motion/delete.yml
@@ -40,7 +40,7 @@ cases:
   permission: motion.can_manage
   is_allowed: true
 
-- name: correct state but without see perm
+- name: correct state but internal
   db:
     motion_state/1:
       allow_submitter_edit: true

diff --git a/tests/motion/update.yml b/tests/motion/update.yml
@@ -0,0 +1,57 @@
+---
+action: motion.update
+
+db:
+  motion/1:
+    submitter_ids: [3]
+    state_id: 5
+    meeting_id: 1
+  motion_submitter/3/user_id: 1
+payload:
+  id: 1
+
+cases:
+- name: without perm
+  is_allowed: false
+
+- name: manager
+  permission: motion.can_manage
+  is_allowed: true
+
+- name: submitter wrong state
+  user_id: 1
+  is_allowed: false
+
+- name: submitter correct state, wrong fields
+  db:
+    motion_state/5/allow_submitter_edit: true
+  user_id: 1
+  permission: motion.can_see
+  payload:
+    id: 1
+    bad_field: value
+  is_allowed: false
+
+- name: submitter correct state, correct fields
+  db:
+    motion_state/5/allow_submitter_edit: true
+  user_id: 1
+  permission: motion.can_see
+  payload:
+    id: 1
+    title: value
+    text: value
+    reason: value
+    amendment_paragraphs: value
+  is_allowed: true
+
+- name: submitter, correct state and fields, can not see
+  db:
+    motion_state/5/allow_submitter_edit: true
+    motion_state/5/restrictions: [motion.can_see_internal]
+  user_id: 1
+  permission: motion.can_see
+  payload:
+    id: 1
+    title: value
+  is_allowed: false