OpenSlides · hjanott · Aug 15, 2024 · Aug 21, 2024 · Aug 21, 2024 · Aug 21, 2024
diff --git a/docs/actions/user.set_password.md b/docs/actions/user.set_password.md
@@ -9,7 +9,6 @@
     set_as_default: boolean; // default false, if not given
 }
 ```
-
 ## Action
 Sets the password of the user given by `id` to `password`. If `set_as_default` is true, the `default_password` is also updated.
 

diff --git a/docs/presenters/get_user_editable.md b/docs/presenters/get_user_editable.md
@@ -0,0 +1,28 @@
+## Payload
+
+```
+{
+  user_ids: Id[];
+  fields: string[]
+}
+```
+
+## Returns
+
+```
+{
+  user_id: Id: {
+    editable: boolean // true if user can be updated or deleted
+    message?: string // error message if an exception was caught
+  },
+  ...
+}
+```
+
+## Logic
+
+It iterates over the given `user_ids` and calculates whether a user can be updated depending on the given payload fields, permissions in shared committees and meetings, OML and the user-scope. The user scope is defined [here](https://github.com/OpenSlides/OpenSlides/wiki/Users#user-scopes). The payload field permissions are described [here](https://github.com/OpenSlides/openslides-backend/blob/main/docs/actions/user.update.md) and [here](https://github.com/OpenSlides/openslides-backend/blob/main/docs/actions/user.create.md).
+
+## Permissions
+
+There are no special permissions necessary.
diff --git a/docs/presenters/get_user_related_models.md b/docs/presenters/get_user_related_models.md
@@ -1,14 +1,14 @@
 ## Payload
 
-```js
+```
 {
     user_ids: Id[];
 }
 ```
 
 ## Returns
 
-```js
+```
 {
   [user_id: Id]: {
     organization_management_level: OML-String,

diff --git a/docs/presenters/get_user_scope.md b/docs/presenters/get_user_scope.md
@@ -1,21 +1,22 @@
 ## Payload
 
-```js
+```
 {
   user_ids: Id[];
 }
 ```
 
 ## Returns
 
-```js
+```
 {
   user_id: Id: {
     collection: String,  # one of "meeting", "committee" or "organization"
     id: Id,
     user_oml: String, # one of "superadmin", "can_manage_organization", "can_manage_users", ""
-    committee_ids: int[] // Ids of all committees the user is part of
-  }
+    committee_ids: Id[] // Ids of all committees the user is part of
+  },
+  ...
 }
 ```
 

diff --git a/openslides_backend/action/actions/user/create.py b/openslides_backend/action/actions/user/create.py
@@ -2,6 +2,9 @@
 from typing import Any
 
 from openslides_backend.permissions.permissions import Permissions
+from openslides_backend.shared.mixins.user_create_update_permissions_mixin import (
+    CreateUpdatePermissionsMixin,
+)
 
 from ....models.models import User
 from ....shared.exceptions import ActionException
@@ -15,13 +18,13 @@
 from ...util.register import register_action
 from ...util.typing import ActionResultElement
 from ..meeting_user.mixin import CheckLockOutPermissionMixin
-from .create_update_permissions_mixin import CreateUpdatePermissionsMixin
 from .password_mixins import SetPasswordMixin
 from .user_mixins import LimitOfUserMixin, UserMixin, UsernameMixin, check_gender_exists
 
 
 @register_action("user.create")
 class UserCreate(
+    UserMixin,
     EmailCheckMixin,
     CreateAction,
     CreateUpdatePermissionsMixin,

diff --git a/openslides_backend/action/actions/user/participant_common.py b/openslides_backend/action/actions/user/participant_common.py
@@ -11,14 +11,14 @@
 )
 from openslides_backend.permissions.permissions import Permissions
 from openslides_backend.shared.exceptions import MissingPermission
+from openslides_backend.shared.mixins.user_create_update_permissions_mixin import (
+    CreateUpdatePermissionsFailingFields,
+    PermissionVarStore,
+)
 from openslides_backend.shared.patterns import fqid_from_collection_and_id
 
 from ....shared.filters import And, FilterOperator, Or
 from ..meeting_user.mixin import CheckLockOutPermissionMixin
-from ..user.create_update_permissions_mixin import (
-    CreateUpdatePermissionsFailingFields,
-    PermissionVarStore,
-)
 
 
 class ParticipantCommon(BaseImportJsonUploadAction, CheckLockOutPermissionMixin):

diff --git a/openslides_backend/action/actions/user/update.py b/openslides_backend/action/actions/user/update.py
@@ -2,6 +2,9 @@
 from typing import Any
 
 from openslides_backend.permissions.permissions import Permissions
+from openslides_backend.shared.mixins.user_create_update_permissions_mixin import (
+    CreateUpdatePermissionsMixin,
+)
 
 from ....action.action import original_instances
 from ....action.util.typing import ActionData
@@ -17,7 +20,6 @@
 from ...util.register import register_action
 from ..meeting_user.mixin import CheckLockOutPermissionMixin
 from .conditional_speaker_cascade_mixin import ConditionalSpeakerCascadeMixin
-from .create_update_permissions_mixin import CreateUpdatePermissionsMixin
 from .user_mixins import (
     AdminIntegrityCheckMixin,
     LimitOfUserMixin,
@@ -29,6 +31,7 @@
 
 @register_action("user.update")
 class UserUpdate(
+    UserMixin,
     EmailCheckMixin,
     CreateUpdatePermissionsMixin,
     UpdateAction,

diff --git a/openslides_backend/action/actions/user/user_mixins.py b/openslides_backend/action/actions/user/user_mixins.py
@@ -91,6 +91,10 @@ class UserMixin(CheckForArchivedMeetingMixin):
         "locked_out": {"type": "boolean"},
     }
 
+    def check_permissions(self, instance: dict[str, Any]) -> None:
+        self.assert_not_anonymous()
+        super().check_permissions(instance)
+
     def validate_instance(self, instance: dict[str, Any]) -> None:
         super().validate_instance(instance)
         if "meeting_id" not in instance and any(

diff --git a/openslides_backend/action/mixins/import_mixins.py b/openslides_backend/action/mixins/import_mixins.py
@@ -317,7 +317,7 @@ def flatten_copied_object_fields(
     ) -> list[ImportRow]:
         """The self.rows will be deepcopied, flattened and returned, without
         changes on the self.rows.
-        This is necessary for using the data in the executution of actions.
+        This is necessary for using the data in the execution of actions.
         The requests response should be given with the unchanged self.rows.
         Parameter:
         hook_method:

diff --git a/openslides_backend/presenter/__init__.py b/openslides_backend/presenter/__init__.py
@@ -7,6 +7,7 @@
     get_forwarding_meetings,
     get_history_information,
     get_mediafile_context,
+    get_user_editable,
     get_user_related_models,
     get_user_scope,
     get_users,

diff --git a/openslides_backend/presenter/base.py b/openslides_backend/presenter/base.py
@@ -17,6 +17,7 @@ class BasePresenter(BaseServiceProvider):
     Base class for presenters.
     """
 
+    internal: bool = False
     data: Any
     schema: Callable[[Any], None] | None = None
 

diff --git a/openslides_backend/presenter/get_user_editable.py b/openslides_backend/presenter/get_user_editable.py
@@ -0,0 +1,63 @@
+from typing import Any
+
+import fastjsonschema
+
+from openslides_backend.permissions.permissions import Permissions
+from openslides_backend.shared.exceptions import (
+    ActionException,
+    MissingPermission,
+    PermissionDenied,
+    PresenterException,
+)
+from openslides_backend.shared.mixins.user_create_update_permissions_mixin import (
+    CreateUpdatePermissionsMixin,
+)
+from openslides_backend.shared.schema import id_list_schema, str_list_schema
+
+from ..shared.schema import schema_version
+from .base import BasePresenter
+from .presenter import register_presenter
+
+get_user_editable_schema = fastjsonschema.compile(
+    {
+        "$schema": schema_version,
+        "type": "object",
+        "title": "get_user_editable",
+        "description": "get user editable",
+        "properties": {
+            "user_ids": id_list_schema,
+            "fields": str_list_schema,
+        },
+        "required": ["user_ids"],
+        "additionalProperties": False,
+    }
+)
+
+
+@register_presenter("get_user_editable")
+class GetUserEditable(CreateUpdatePermissionsMixin, BasePresenter):
+    """
+    Checks for each user whether it is editable by calling user.
+    """
+
+    schema = get_user_editable_schema
+    name = "get_user_editable"
+    permission = Permissions.User.CAN_MANAGE
+
+    def get_result(self) -> Any:
+        result: dict[str, Any] = {}
+        if not self.data["fields"]:
+            raise PresenterException(
+                "Need at least one field name to check editability."
+            )
+        instance = {field_name: "" for field_name in self.data["fields"]}
+        for user_id in self.data["user_ids"]:
+            instance.update({"id": user_id})
+            result[str(user_id)] = {}
+            try:
+                self.check_permissions(instance)
+                result[str(user_id)]["editable"] = True
+            except (PermissionDenied, MissingPermission, ActionException) as e:
+                result[str(user_id)]["editable"] = False
+                result[str(user_id)]["message"] = e.message
+        return result
diff --git a/openslides_backend/presenter/get_user_scope.py b/openslides_backend/presenter/get_user_scope.py
@@ -36,7 +36,10 @@ def get_result(self) -> Any:
         result: dict[str, Any] = {}
         user_ids = self.data["user_ids"]
         for user_id in user_ids:
-            scope, scope_id, user_oml, committee_ids = self.get_user_scope(user_id)
+            scope, scope_id, user_oml, committee_meeting_ids = self.get_user_scope(
+                user_id
+            )
+            committee_ids = [ci for ci in committee_meeting_ids.keys()]
             result[str(user_id)] = {
                 "collection": scope,
                 "id": scope_id,

diff --git a/openslides_backend/shared/exceptions.py b/openslides_backend/shared/exceptions.py
@@ -131,16 +131,29 @@ def __init__(self, action_name: str) -> None:
 class MissingPermission(PermissionDenied):
     def __init__(
         self,
-        permissions: AnyPermission | dict[AnyPermission, int],
+        permissions: AnyPermission | dict[AnyPermission, int | set[int]],
     ) -> None:
         if isinstance(permissions, dict):
-            self.message = (
-                "Missing permission" + ("s" if len(permissions) > 1 else "") + ": "
-            )
+            to_remove = []
+            for permission, id_or_ids in permissions.items():
+                if isinstance(id_or_ids, set) and not id_or_ids:
+                    to_remove.append(permission)
+            for permission in to_remove:
+                del permissions[permission]
+            self.message = "Missing permission" + self._plural_s(permissions) + ": "
             self.message += " or ".join(
-                f"{permission.get_verbose_type()} {permission} in {permission.get_base_model()} {id}"
-                for permission, id in permissions.items()
+                f"{permission.get_verbose_type()} {permission} in {permission.get_base_model()}{self._plural_s(id_or_ids)} {id_or_ids}"
+                for permission, id_or_ids in permissions.items()
             )
         else:
             self.message = f"Missing {permissions.get_verbose_type()}: {permissions}"
         super().__init__(self.message)
+
+    def _plural_s(self, permission_or_id_or_ids: int | set[int] | dict) -> str:
+        if (
+            isinstance(permission_or_id_or_ids, set)
+            or (isinstance(permission_or_id_or_ids, dict))
+        ) and len(permission_or_id_or_ids) > 1:
+            return "s"
+        else:
+            return ""