Add new setting to restrict same-lvl committee admin editing (#3263)

Author: luisa-beerboom

docs/actions/committee.update.md

@@ -19,6 +19,9 @@
 
 // Group C
     parent_id: Id;
+
+// Group D
+    manager_ids: Id[];
 }
 ```
 
@@ -32,3 +35,4 @@ Re-calculates `committee/all_parent_ids` from the new `parent_id` for this and a
 - Group A: The user needs the CML `can_manage` or the OML `can_manage_organization`
 - Group B: The user needs the OML `can_manage_organization` or the CML `can_manage` for all target committees that were added/removed from the list and not `organization/restrict_edit_forward_committees` to be set.
 - Group C: The user needs the OML `can_manage_organization` or the CML `can_manage` for a committee that is an _ancestor_ of the intended child committee and either the intended parent committee or one of its ancestors. Only organization managers may set this field to `None`.
+- Group D: Like group A, except if `organization/restrict_editing_same_level_committee_admins` is true, the CML requirement will be further restricted to ancestor committee `can_manage`CMLs only. Users with no other admin permission than that of the edited committee will therefore not be allowed.

docs/actions/organization.update.md

@@ -19,6 +19,7 @@
     users_email_body: text;
     require_duplicate_from: boolean;
     disable_forward_with_attachments: boolean;
+    restrict_editing_same_level_committee_admins: boolean;
     restrict_edit_forward_committees: boolean;
 
 // Group B

meta

@@ -12,6 +12,7 @@
 from ....services.datastore.commands import GetManyRequest
 from ....shared.exceptions import ActionException, MissingPermission
 from ....shared.patterns import fqid_from_collection_and_id
+from ....shared.util import ONE_ORGANIZATION_ID
 from ...generics.update import UpdateAction
 from ...util.default_schema import DefaultSchema
 from ...util.register import register_action
@@ -208,16 +209,42 @@ def check_permissions(self, instance: dict[str, Any]) -> None:
                     }
                 )
 
+        check_id: int = instance["id"]
+        if "manager_ids" in instance:
+            data = self.datastore.get_many(
+                [
+                    GetManyRequest(
+                        "committee",
+                        [check_id],
+                        ["parent_id"],
+                    ),
+                    GetManyRequest(
+                        "organization",
+                        [ONE_ORGANIZATION_ID],
+                        ["restrict_editing_same_level_committee_admins"],
+                    ),
+                ],
+                lock_result=False,
+            )
+            if data["organization"][ONE_ORGANIZATION_ID].get(
+                "restrict_editing_same_level_committee_admins"
+            ):
+                if not (parent_id := data["committee"][check_id].get("parent_id", 0)):
+                    raise MissingPermission(
+                        OrganizationManagementLevel.CAN_MANAGE_ORGANIZATION
+                    )
+                check_id = parent_id
+
         if has_committee_management_level(
             self.datastore,
             self.user_id,
-            instance["id"],
+            check_id,
         ):
             return
 
         raise MissingPermission(
             {
                 OrganizationManagementLevel.CAN_MANAGE_ORGANIZATION: 1,
-                CommitteeManagementLevel.CAN_MANAGE: instance["id"],
+                CommitteeManagementLevel.CAN_MANAGE: check_id,
             }
         )

openslides_backend/action/actions/committee/update.py

@@ -38,6 +38,7 @@ class OrganizationUpdate(
         "users_email_body",
         "require_duplicate_from",
         "disable_forward_with_attachments",
+        "restrict_editing_same_level_committee_admins",
         "restrict_edit_forward_committees",
     )
 

openslides_backend/action/actions/organization/update.py

@@ -40,6 +40,7 @@ class Organization(Model):
     )
     require_duplicate_from = fields.BooleanField()
     enable_anonymous = fields.BooleanField()
+    restrict_editing_same_level_committee_admins = fields.BooleanField()
     saml_enabled = fields.BooleanField()
     saml_login_button_text = fields.CharField(default="SAML login")
     saml_attr_mapping = fields.JSONField()

openslides_backend/models/models.py

@@ -632,6 +632,9 @@ def test_update_group_a_no_permission(self) -> None:
         )
 
     def test_update_group_a_permission_1(self) -> None:
+        """
+        Also tests the same for group d in case of the setting not being set.
+        """
         self.create_data()
         self.set_models(
             {
@@ -648,11 +651,15 @@ def test_update_group_a_permission_1(self) -> None:
                 "name": "test",
                 "description": "blablabla",
                 "external_id": "test",
+                "manager_ids": [20],
             },
         )
         self.assert_status_code(response, 200)
 
     def test_update_group_a_permission_2(self) -> None:
+        """
+        Also tests the same for group d in case of the setting not being set.
+        """
         self.create_data()
         self.set_models(
             {
@@ -673,13 +680,18 @@ def test_update_group_a_permission_2(self) -> None:
                 "name": "test",
                 "description": "blablabla",
                 "external_id": "test",
+                "manager_ids": [20],
             },
         )
         self.assert_status_code(response, 200)
 
     def test_update_group_a_permission_parent_committee_admin(self) -> None:
+        """
+        Also tests the same for group d in case of the setting not being set.
+        """
         self.create_committee(3)
         self.create_committee(4, parent_id=3)
+        bob_id = self.create_user("bob")
         self.set_committee_management_level([3])
         self.set_organization_management_level(None)
         response = self.request(
@@ -689,14 +701,19 @@ def test_update_group_a_permission_parent_committee_admin(self) -> None:
                 "name": "test",
                 "description": "blablabla",
                 "external_id": "test",
+                "manager_ids": [1, bob_id],
             },
         )
         self.assert_status_code(response, 200)
 
     def test_update_group_a_permission_grandparent_committee_admin(self) -> None:
+        """
+        Also tests the same for group d in case of the setting not being set.
+        """
         self.create_committee(2)
         self.create_committee(3, parent_id=2)
         self.create_committee(4, parent_id=3)
+        bob_id = self.create_user("bob")
         self.set_committee_management_level([2])
         self.set_organization_management_level(None)
         response = self.request(
@@ -706,6 +723,7 @@ def test_update_group_a_permission_grandparent_committee_admin(self) -> None:
                 "name": "test",
                 "description": "blablabla",
                 "external_id": "test",
+                "manager_ids": [1, bob_id],
             },
         )
         self.assert_status_code(response, 200)
@@ -1335,6 +1353,192 @@ def test_update_add_forwarding_relations_fail_forward_all(self) -> None:
             fail_forward_to=True, fail_forward_from=True, fail_remove=True
         )
 
+    def test_update_group_d_no_setting_no_permission(self) -> None:
+        self.create_data()
+        self.set_models(
+            {
+                "user/1": {
+                    "organization_management_level": OrganizationManagementLevel.CAN_MANAGE_USERS
+                }
+            }
+        )
+        response = self.request(
+            "committee.update",
+            {"id": 1, "manager_ids": [20]},
+        )
+        self.assert_status_code(response, 403)
+        self.assertIn(
+            "You are not allowed to perform action committee.update. Missing permissions: OrganizationManagementLevel can_manage_organization in organization 1 or CommitteeManagementLevel can_manage in committee 1",
+            response.json["message"],
+        )
+
+    def test_update_group_d_no_permission(self) -> None:
+        self.create_data()
+        self.set_models(
+            {
+                ONE_ORGANIZATION_FQID: {
+                    "restrict_editing_same_level_committee_admins": True
+                },
+                "user/1": {
+                    "organization_management_level": OrganizationManagementLevel.CAN_MANAGE_USERS
+                },
+            }
+        )
+        response = self.request(
+            "committee.update",
+            {"id": 1, "manager_ids": [20]},
+        )
+        self.assert_status_code(response, 403)
+        self.assertIn(
+            "You are not allowed to perform action committee.update. Missing OrganizationManagementLevel: can_manage_organization",
+            response.json["message"],
+        )
+
+    def test_update_group_d_no_permission_with_parent(self) -> None:
+        self.create_data()
+        self.set_models(
+            {
+                ONE_ORGANIZATION_FQID: {
+                    "restrict_editing_same_level_committee_admins": True
+                },
+                self.COMMITTEE_FQID: {"parent_id": 2, "all_parent_ids": [2]},
+                "committee/2": {
+                    "child_ids": [self.COMMITTEE_ID],
+                    "all_child_ids": [self.COMMITTEE_ID],
+                },
+                "user/1": {
+                    "organization_management_level": OrganizationManagementLevel.CAN_MANAGE_USERS
+                },
+            }
+        )
+        response = self.request(
+            "committee.update",
+            {"id": 1, "manager_ids": [20]},
+        )
+        self.assert_status_code(response, 403)
+        self.assertIn(
+            "You are not allowed to perform action committee.update. Missing permissions: OrganizationManagementLevel can_manage_organization in organization 1 or CommitteeManagementLevel can_manage in committee 2",
+            response.json["message"],
+        )
+
+    def test_update_group_d_permission_1(self) -> None:
+        self.create_data()
+        self.set_models(
+            {
+                ONE_ORGANIZATION_FQID: {
+                    "restrict_editing_same_level_committee_admins": True
+                },
+                "user/1": {
+                    "organization_management_level": OrganizationManagementLevel.CAN_MANAGE_ORGANIZATION,
+                },
+                "committee/1": {"organization_id": 1},
+            }
+        )
+        response = self.request(
+            "committee.update",
+            {"id": 1, "manager_ids": [20]},
+        )
+        self.assert_status_code(response, 200)
+
+    def test_update_group_d_permission_2(self) -> None:
+        self.create_data()
+        self.set_models(
+            {
+                ONE_ORGANIZATION_FQID: {
+                    "restrict_editing_same_level_committee_admins": True
+                },
+                "user/1": {
+                    "committee_management_ids": [1],
+                },
+                "committee/1": {
+                    "organization_id": 1,
+                    "manager_ids": [1],
+                },
+            }
+        )
+        self.set_organization_management_level(None)
+        response = self.request(
+            "committee.update",
+            {"id": 1, "manager_ids": [20]},
+        )
+        self.assert_status_code(response, 403)
+        self.assertIn(
+            "You are not allowed to perform action committee.update. Missing OrganizationManagementLevel: can_manage_organization",
+            response.json["message"],
+        )
+
+    def test_update_group_d_permission_2_with_parent(self) -> None:
+        self.create_data()
+        self.set_models(
+            {
+                ONE_ORGANIZATION_FQID: {
+                    "restrict_editing_same_level_committee_admins": True
+                },
+                "user/1": {
+                    "committee_management_ids": [1],
+                },
+                "committee/1": {
+                    "parent_id": 2,
+                    "all_parent_ids": [2],
+                    "organization_id": 1,
+                    "manager_ids": [1],
+                },
+                "committee/2": {
+                    "child_ids": [self.COMMITTEE_ID],
+                    "all_child_ids": [self.COMMITTEE_ID],
+                },
+            }
+        )
+        self.set_organization_management_level(None)
+        response = self.request(
+            "committee.update",
+            {"id": 1, "manager_ids": [20]},
+        )
+        self.assert_status_code(response, 403)
+        self.assertIn(
+            "You are not allowed to perform action committee.update. Missing permissions: OrganizationManagementLevel can_manage_organization in organization 1 or CommitteeManagementLevel can_manage in committee 2",
+            response.json["message"],
+        )
+
+    def test_update_group_d_permission_parent_committee_admin(self) -> None:
+        self.create_committee(3)
+        self.create_committee(4, parent_id=3)
+        bob_id = self.create_user("bob")
+        self.set_committee_management_level([3])
+        self.set_models(
+            {
+                ONE_ORGANIZATION_FQID: {
+                    "restrict_editing_same_level_committee_admins": True
+                }
+            }
+        )
+        self.set_organization_management_level(None)
+        response = self.request(
+            "committee.update",
+            {"id": 4, "manager_ids": [1, bob_id]},
+        )
+        self.assert_status_code(response, 200)
+
+    def test_update_group_d_permission_grandparent_committee_admin(self) -> None:
+        self.create_committee(2)
+        self.create_committee(3, parent_id=2)
+        self.create_committee(4, parent_id=3)
+        bob_id = self.create_user("bob")
+        self.set_committee_management_level([2])
+        self.set_models(
+            {
+                ONE_ORGANIZATION_FQID: {
+                    "restrict_editing_same_level_committee_admins": True
+                }
+            }
+        )
+        self.set_organization_management_level(None)
+        response = self.request(
+            "committee.update",
+            {"id": 4, "manager_ids": [1, bob_id]},
+        )
+        self.assert_status_code(response, 200)
+
     def test_update_restrict_forwarding(self) -> None:
         self.create_committee()
         self.create_committee(2)

tests/system/action/committee/test_update.py

@@ -252,6 +252,7 @@ def test_update_some_more_fields(self) -> None:
                 "theme_id": 2,
                 "reset_password_verbose_errors": False,
                 "disable_forward_with_attachments": True,
+                "restrict_editing_same_level_committee_admins": True,
                 "enable_chat": True,
                 "url": "https://openslides.example.com",
                 "users_email_sender": "email_sender",
@@ -298,6 +299,7 @@ def test_update_some_more_fields(self) -> None:
                 "theme_ids": [1, 2],
                 "reset_password_verbose_errors": False,
                 "disable_forward_with_attachments": True,
+                "restrict_editing_same_level_committee_admins": True,
                 "enable_chat": True,
                 "url": "https://openslides.example.com",
                 "users_email_sender": "email_sender",