Merge staging/4.2.29 into stable/4.2.x. Update 20260117

Author: Magnus Schieder

.github/workflows/pick-to-staging.yml

@@ -53,7 +53,7 @@ jobs:
           private_key: ${{ secrets.AUTOMATION_APP_PRIVATE_KEY }}
 
       - name: Create or update PR
-        uses: peter-evans/create-pull-request@v7
+        uses: peter-evans/create-pull-request@v8
         with:
           token: ${{ steps.generate-token.outputs.token }}
           branch: apply/commit-${{ github.sha }}

Makefile

@@ -34,7 +34,12 @@ coverage:
 	pytest --cov --cov-report html
 
 test-file:
-	python -m debugpy --listen 0.0.0.0:5678 --wait-for-client /usr/local/bin/pytest $f
+# f= to pass the file name
+# k= to pass a test name
+# v=1 to run verbose test output
+# cap=1 to capture print to system out
+# cov=1 to run coverage report
+	python -m debugpy --listen 0.0.0.0:5678 --wait-for-client /usr/local/bin/pytest $f $(if $(k),-k $k) $(if $(v),-vv) $(if $(cap),--capture=no) $(if $(cov),--cov --cov-report term-missing:skip-covered)
 
 check-all: validate-models-yml check-models check-initial-data-json check-example-data-json check-permissions
 

cli/generate_models.py

@@ -45,6 +45,7 @@
     "string[]": "CharArrayField",
     "number[]": "NumberArrayField",
     "text": "TextField",
+    "text[]": "TextArrayField",
 }
 
 RELATION_FIELD_CLASSES = {

docs/actions/committee.create.md

@@ -26,3 +26,5 @@ Calculates `committee/all_parent_ids` from the `parent_id`.
 ## Permissions
 The user needs to have the organization management level `can_manage_organization`.
 If a `parent_id` is given, CML `can_manage` for an ancestor committee will also suffice.
+If `organization/restrict_edit_forward_committees` is set, committee managers
+will not set `forward_to_committee_ids` or `receive_forwardings_from_committee_ids`.

docs/actions/committee.update.md

@@ -19,6 +19,9 @@
 
 // Group C
     parent_id: Id;
+
+// Group D
+    manager_ids: Id[];
 }
 ```
 
@@ -30,5 +33,6 @@ Re-calculates `committee/all_parent_ids` from the new `parent_id` for this and a
 
 ## Permissions
 - Group A: The user needs the CML `can_manage` or the OML `can_manage_organization`
-- Group B: The user needs the OML `can_manage_organization` or the CML `can_manage` for all target committees that were added/removed from the list
+- Group B: The user needs the OML `can_manage_organization` or the CML `can_manage` for all target committees that were added/removed from the list and not `organization/restrict_edit_forward_committees` to be set.
 - Group C: The user needs the OML `can_manage_organization` or the CML `can_manage` for a committee that is an _ancestor_ of the intended child committee and either the intended parent committee or one of its ancestors. Only organization managers may set this field to `None`.
+- Group D: Like group A, except if `organization/restrict_editing_same_level_committee_admins` is true, the CML requirement will be further restricted to ancestor committee `can_manage`CMLs only. Users with no other admin permission than that of the edited committee will therefore not be allowed.

docs/actions/organization.update.md

@@ -19,6 +19,8 @@
     users_email_body: text;
     require_duplicate_from: boolean;
     disable_forward_with_attachments: boolean;
+    restrict_editing_same_level_committee_admins: boolean;
+    restrict_edit_forward_committees: boolean;
 
 // Group B
     enable_electronic_voting: boolean;

meta

@@ -9,10 +9,13 @@
     CommitteeManagementLevel,
     OrganizationManagementLevel,
 )
-from ....permissions.permission_helper import get_failing_committee_management_levels
+from ....permissions.permission_helper import (
+    get_failing_committee_management_levels,
+    has_organization_management_level,
+)
 from ....shared.exceptions import ActionException, MissingPermission
 from ....shared.patterns import fqid_from_collection_and_id
-from ....shared.util import ONE_ORGANIZATION_ID
+from ....shared.util import ONE_ORGANIZATION_FQID, ONE_ORGANIZATION_ID
 
 
 class CommitteeCommonCreateUpdateMixin(
@@ -31,9 +34,22 @@ def check_forwarding_fields(self, instance: dict[str, Any]) -> None:
             )
         else:
             committee = {}
+        organization = self.datastore.get(
+            ONE_ORGANIZATION_FQID, ["restrict_edit_forward_committees"]
+        )
         field_difference: set[int] = set()
         for field in forwarding_fields:
             if field in instance:
+                if organization.get(
+                    "restrict_edit_forward_committees"
+                ) and not has_organization_management_level(
+                    self.datastore,
+                    self.user_id,
+                    OrganizationManagementLevel.CAN_MANAGE_ORGANIZATION,
+                ):
+                    raise ActionException(
+                        "You are not allowed to set 'forward_to_committee_ids' and 'receive_forwardings_from_committee_ids', because it is restricted."
+                    )
                 field_set = set(instance.get(field, []))
                 field_difference.update(
                     field_set.symmetric_difference(committee.get(field, []))

openslides_backend/action/actions/committee/committee_common_mixin.py

@@ -12,6 +12,7 @@
 from ....services.datastore.commands import GetManyRequest
 from ....shared.exceptions import ActionException, MissingPermission
 from ....shared.patterns import fqid_from_collection_and_id
+from ....shared.util import ONE_ORGANIZATION_ID
 from ...generics.update import UpdateAction
 from ...util.default_schema import DefaultSchema
 from ...util.register import register_action
@@ -208,16 +209,42 @@ def check_permissions(self, instance: dict[str, Any]) -> None:
                     }
                 )
 
+        check_id: int = instance["id"]
+        if "manager_ids" in instance:
+            data = self.datastore.get_many(
+                [
+                    GetManyRequest(
+                        "committee",
+                        [check_id],
+                        ["parent_id"],
+                    ),
+                    GetManyRequest(
+                        "organization",
+                        [ONE_ORGANIZATION_ID],
+                        ["restrict_editing_same_level_committee_admins"],
+                    ),
+                ],
+                lock_result=False,
+            )
+            if data["organization"][ONE_ORGANIZATION_ID].get(
+                "restrict_editing_same_level_committee_admins"
+            ):
+                if not (parent_id := data["committee"][check_id].get("parent_id", 0)):
+                    raise MissingPermission(
+                        OrganizationManagementLevel.CAN_MANAGE_ORGANIZATION
+                    )
+                check_id = parent_id
+
         if has_committee_management_level(
             self.datastore,
             self.user_id,
-            instance["id"],
+            check_id,
         ):
             return
 
         raise MissingPermission(
             {
                 OrganizationManagementLevel.CAN_MANAGE_ORGANIZATION: 1,
-                CommitteeManagementLevel.CAN_MANAGE: instance["id"],
+                CommitteeManagementLevel.CAN_MANAGE: check_id,
             }
         )

openslides_backend/action/actions/committee/update.py

@@ -38,6 +38,8 @@ class OrganizationUpdate(
         "users_email_body",
         "require_duplicate_from",
         "disable_forward_with_attachments",
+        "restrict_editing_same_level_committee_admins",
+        "restrict_edit_forward_committees",
     )
 
     group_B_fields = (