Add feature „lock participants out of a meeting“

[Elblinator]

See OpenSlides/OpenSlides#6756 (comment) for reference
Wanted behaviour:

• If locked out the participant is still in the meeting

• A participant with the permission of user.canManage can lock out users without user.canManage permission or cml or oml permissions.

• It should be possible to change is_locked_out and the group (with canManage rights) at the same time, as long as you try to activate a combination which is allowed

• What should happen you try to assign a group with canManage permission to a locked out participant?

  • You are told that this is a locked out participant and you cannot give this participant canManage rights until you lift the lock out first
  • participant edit-dialog: you should be able to select any group but if you select a group with canManage rights and you try to save it an Error should be thrown: It should tell you that a locked out participant is not allowed to have user.canManage rights and you have to lift the lockout first

• What should happen you try to lockout a participant with canManage permission?

  • You are told that this is a participant with canManage rights and you cannot lock out such participants until they lose this right

• Who can NOT be locked out:

  • You from yourself
  • (Meeting-) Admins
  • participant with user.canManage permission
  • Superadmins
  • Orgaadmins
  • Accountadmins
  • Committeeadmins (but only from their own committees)

• Who can be locked out:

  • Every User in a meeting who does not have the permission participant.canManage
  • Committeeadmins (but only from meetings where they are not committeeadmins)

• Imports:

  • If the import is faulty (you try to lock out <-> assign canManage rights) then the import should be stopped and every line which is faulty should have the error symbol

[luisa-beerboom]

During a discussion with @emanuelschuetze and @MSoeb it came up that lockout status for a meeting should always be settable, regardless of whether the meeting is archived or not.

This is to ensure that no one is permanently locked out of becoming f.E. a superadmin

[luisa-beerboom]

• A participant with the permission of user.canManage can lock out users without user.canManage permission or cml or oml permissions.

@Elblinator @MSoeb @emanuelschuetze
What about the user.can_update permission? It is usually used in the user.update to update meeting-internal fields. Should it really not be permitted with that permission?

[MSoeb]

How should we handle users with user.can_update permission:

• users with this permission can lock out other users from the meeting; except the ones which are listed above that should not be locked out.
• users with the user.can_update permission can not lock themselves out
• users with user.canManage permission CAN lock out users with user.can_update permission, because the update permission is not an admin level and therefor it should be possible to lock them out.

@luisa-beerboom If I have missed a point or a perspective, please let me know.

[luisa-beerboom]

* [ ]  users with user.canManage permission CAN lock out users with user.can_update permission, because the update permission is not an admin level and therefor it should be possible to lock them out.

So everyone with (explicit or implicit) user.can_manage rights should be able to lock out users with can_update, (Superadmin, Meetingadmin, Participant with a group that has user.can_manage), only users who have user.can_update alone should not be able to lock out other users with can_update permission, but can still set everyone else who doesn't have any of the two permissions?

I don't see what the use-case behind that is, can you tell me? Otherwise I'd say it seems rather convoluted and will only further complicate this already complicated implementation. I'd advocate for either allowing everyone with field-appropriate permissions to set the field when updating user.can_update people or forbidding it for everyone.

[Elblinator]

as far as I understood it it is wanted that users with user.canUpdate should be able to lock out other participants and can be locked out by other particiants.

canUpdate people should be able to lock out other canUpdate people

[luisa-beerboom]

Todo:
Look at meeting_user-specific actions