Merge branch 'main' into identical-motions

.github/workflows/autoupdate.yml

@@ -8,7 +8,7 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@v5
       with:
-        go-version: '1.21'
+        go-version: '1.22'
 
     - name: Check out code into the Go module directory
       uses: actions/checkout@v4

.github/workflows/readme.yml

@@ -29,7 +29,7 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@v5
       with:
-        go-version: '1.21'
+        go-version: '1.22'
       id: go
 
     - name: Check out code

.github/workflows/update-generated-files.yml

@@ -17,7 +17,7 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@v5
       with:
-        go-version: '1.21'
+        go-version: '1.22'
 
     - name: Check out code
       uses: actions/checkout@v4

Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.21.6-alpine as base
+FROM golang:1.22.0-alpine as base
 WORKDIR /root/
 
 RUN apk add git

go.mod

@@ -1,6 +1,6 @@
 module github.com/OpenSlides/openslides-autoupdate-service
 
-go 1.21
+go 1.22
 
 require (
 	github.com/alecthomas/kong v0.8.1
@@ -32,7 +32,7 @@ require (
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/imdario/mergo v0.3.15 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
-	github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a // indirect
+	github.com/jackc/pgservicefile v0.0.0-20231201235250-de7065d80cb9 // indirect
 	github.com/jackc/puddle/v2 v2.2.1 // indirect
 	github.com/kr/text v0.1.0 // indirect
 	github.com/lib/pq v1.10.8 // indirect
@@ -48,7 +48,7 @@ require (
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
-	golang.org/x/crypto v0.17.0 // indirect
+	golang.org/x/crypto v0.19.0 // indirect
 	golang.org/x/mod v0.9.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
 	golang.org/x/tools v0.7.0 // indirect

go.sum

@@ -45,8 +45,8 @@ github.com/imdario/mergo v0.3.15 h1:M8XP7IuFNsqUx6VPK2P9OSmsYsI/YFaGil0uD21V3dM=
 github.com/imdario/mergo v0.3.15/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY=
 github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
 github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
-github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a h1:bbPeKD0xmW/Y25WS6cokEszi5g+S0QxI/d45PkRi7Nk=
-github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
+github.com/jackc/pgservicefile v0.0.0-20231201235250-de7065d80cb9 h1:L0QtFUgDarD7Fpv9jeVMgy/+Ec0mtnmYuImjTz6dtDA=
+github.com/jackc/pgservicefile v0.0.0-20231201235250-de7065d80cb9/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
 github.com/jackc/pgx/v5 v5.5.3 h1:Ces6/M3wbDXYpM8JyyPD57ivTtJACFZJd885pdIaV2s=
 github.com/jackc/pgx/v5 v5.5.3/go.mod h1:ez9gk+OAat140fv9ErkZDYFWmXLfV+++K0uAOiwgm1A=
 github.com/jackc/puddle/v2 v2.2.1 h1:RhxXJtFG022u4ibrCSMSiu5aOq1i77R3OHKNJj77OAk=
@@ -103,8 +103,8 @@ github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9dec
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k=
-golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
+golang.org/x/crypto v0.19.0 h1:ENy+Az/9Y1vSrlrvBSyna3PITt4tiZLf7sgCjZBX7Wo=
+golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.9.0 h1:KENHtAZL2y3NLMYZeHY9DW8HW8V+kQyJsY/V9JlKvCs=

internal/restrict/collection/collection.go

@@ -178,12 +178,14 @@ var collectionMap = map[string]Restricter{
 	MotionBlock{}.Name():                  MotionBlock{},
 	MotionCategory{}.Name():               MotionCategory{},
 	MotionChangeRecommendation{}.Name():   MotionChangeRecommendation{},
+	MotionEditor{}.Name():                 MotionEditor{},
 	MotionState{}.Name():                  MotionState{},
 	MotionStatuteParagraph{}.Name():       MotionStatuteParagraph{},
 	MotionComment{}.Name():                MotionComment{},
 	MotionCommentSection{}.Name():         MotionCommentSection{},
 	MotionSubmitter{}.Name():              MotionSubmitter{},
 	MotionWorkflow{}.Name():               MotionWorkflow{},
+	MotionWorkingGroupSpeaker{}.Name():    MotionWorkingGroupSpeaker{},
 	Option{}.Name():                       Option{},
 	Organization{}.Name():                 Organization{},
 	OrganizationTag{}.Name():              OrganizationTag{},

internal/restrict/collection/motion.go

@@ -22,11 +22,13 @@ import (
 //
 // Mode A: The user can see the motion or can see a referenced motion in motion/all_origin_ids and motion/all_derived_motion_ids.
 //
-// Mode B: The user has the permission motion.can_manage in the motion's meeting.
+// Mode B: The user has the permission motion.can_manage_metadata in the motion's meeting.
 //
 // Mode C: The user can see the motion.
 //
 // Mode D: Never published to any user.
+//
+// Mode E: If the motion states is_internal is true the user needs the permission motion.can_manage_metadata otherwise same as Mode C
 type Motion struct{}
 
 // Name returns the collection name.
@@ -55,6 +57,8 @@ func (m Motion) Modes(mode string) FieldRestricter {
 		return m.see
 	case "D":
 		return never
+	case "E":
+		return m.modeE
 	}
 	return nil
 }
@@ -120,7 +124,7 @@ func (m Motion) see(ctx context.Context, ds *dsfetch.Fetch, motionIDs ...int) ([
 }
 
 func (m Motion) modeB(ctx context.Context, ds *dsfetch.Fetch, motionIDs ...int) ([]int, error) {
-	return meetingPerm(ctx, ds, m, motionIDs, perm.MotionCanManage)
+	return meetingPerm(ctx, ds, m, motionIDs, perm.MotionCanManageMetadata)
 }
 
 // leadMotionIndex creates an index from a motionID to its lead motion id. It
@@ -297,3 +301,35 @@ func (m Motion) modeA(ctx context.Context, ds *dsfetch.Fetch, motionIDs ...int)
 
 	return append(allowed, allowed2...), nil
 }
+
+func (m Motion) modeE(ctx context.Context, ds *dsfetch.Fetch, motionIDs ...int) ([]int, error) {
+	allowed, err := m.see(ctx, ds, motionIDs...)
+	if err != nil {
+		return nil, fmt.Errorf("see motion: %w", err)
+	}
+
+	return eachMeeting(ctx, ds, m, allowed, func(meetingID int, ids []int) ([]int, error) {
+		perms, err := perm.FromContext(ctx, meetingID)
+		if err != nil {
+			return nil, fmt.Errorf("getting permissions: %w", err)
+		}
+
+		if perms.Has(perm.MotionCanManageMetadata) {
+			return ids, nil
+		}
+
+		return eachCondition(ids, func(motionID int) (bool, error) {
+			motionStateID, err := ds.Motion_StateID(motionID).Value(ctx)
+			if err != nil {
+				return false, fmt.Errorf("getting motionStateID: %w", err)
+			}
+
+			isInternal, err := ds.MotionState_IsInternal(motionStateID).Value(ctx)
+			if err != nil {
+				return false, fmt.Errorf("getting motion state isInternal: %w", err)
+			}
+
+			return !isInternal, nil
+		})
+	})
+}

internal/restrict/collection/motion_editor.go

@@ -0,0 +1,44 @@
+package collection
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/OpenSlides/openslides-autoupdate-service/internal/restrict/perm"
+	"github.com/OpenSlides/openslides-autoupdate-service/pkg/datastore/dsfetch"
+)
+
+// MotionEditor handels restrictions of the collection motion_editor.
+//
+// The user can see a motion_editor if he has `motion.can_manage_metadata`
+//
+// Mode A: The user can see the motion editor.
+type MotionEditor struct{}
+
+// Name returns the collection name.
+func (m MotionEditor) Name() string {
+	return "motion_editor"
+}
+
+// MeetingID returns the meetingID for the object.
+func (m MotionEditor) MeetingID(ctx context.Context, ds *dsfetch.Fetch, id int) (int, bool, error) {
+	meetingID, err := ds.MotionEditor_MeetingID(id).Value(ctx)
+	if err != nil {
+		return 0, false, fmt.Errorf("get meeting id: %w", err)
+	}
+
+	return meetingID, true, nil
+}
+
+// Modes returns the restrictions modes for the meeting collection.
+func (m MotionEditor) Modes(mode string) FieldRestricter {
+	switch mode {
+	case "A":
+		return m.see
+	}
+	return nil
+}
+
+func (m MotionEditor) see(ctx context.Context, ds *dsfetch.Fetch, motionEditorIDs ...int) ([]int, error) {
+	return meetingPerm(ctx, ds, m, motionEditorIDs, perm.MotionCanManageMetadata)
+}

internal/restrict/collection/motion_test.go

@@ -495,16 +495,16 @@ func TestMotionModeB(t *testing.T) {
 	)
 
 	testCase(
-		"motion.can_manage",
+		"motion.can_manage_metadata",
 		t,
 		f,
 		true,
 		`---
 		motion/1:
 			meeting_id: 30
-			editor_id: 3
+			editor_ids: [3]
 		`,
-		withPerms(30, perm.MotionCanManage),
+		withPerms(30, perm.MotionCanManageMetadata),
 	)
 }
 
@@ -519,3 +519,52 @@ func TestMotionModeD(t *testing.T) {
 		`motion/1/id: 1`,
 	)
 }
+
+func TestMotionModeE(t *testing.T) {
+	f := collection.Motion{}.Modes("E")
+
+	testCase(
+		"no permissions",
+		t,
+		f,
+		false,
+		`---
+		motion/1:
+			meeting_id: 30
+			state_id: 3
+
+		motion_state/3/is_internal: true
+		`,
+		withPerms(30, perm.MotionCanSee),
+	)
+
+	testCase(
+		"is_internal false",
+		t,
+		f,
+		true,
+		`---
+		motion/1:
+			meeting_id: 30
+			state_id: 3
+
+		motion_state/3/is_internal: false
+		`,
+		withPerms(30, perm.MotionCanSee),
+	)
+
+	testCase(
+		"motion.can_manage_metadata",
+		t,
+		f,
+		true,
+		`---
+		motion/1:
+			meeting_id: 30
+			state_id: 3
+
+		motion_state/3/is_internal: true
+		`,
+		withPerms(30, perm.MotionCanManageMetadata),
+	)
+}

internal/restrict/collection/motion_working_group_speaker.go

@@ -0,0 +1,44 @@
+package collection
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/OpenSlides/openslides-autoupdate-service/internal/restrict/perm"
+	"github.com/OpenSlides/openslides-autoupdate-service/pkg/datastore/dsfetch"
+)
+
+// MotionWorkingGroupSpeaker handels restrictions of the collection motion_working_group_speaker.
+//
+// The user can see a motion_working_group_speaker if he has `motion.can_manage_metadata`
+//
+// Mode A: The user can see the motion working group speaker.
+type MotionWorkingGroupSpeaker struct{}
+
+// Name returns the collection name.
+func (m MotionWorkingGroupSpeaker) Name() string {
+	return "motion_working_group_speaker"
+}
+
+// MeetingID returns the meetingID for the object.
+func (m MotionWorkingGroupSpeaker) MeetingID(ctx context.Context, ds *dsfetch.Fetch, id int) (int, bool, error) {
+	meetingID, err := ds.MotionWorkingGroupSpeaker_MeetingID(id).Value(ctx)
+	if err != nil {
+		return 0, false, fmt.Errorf("get meeting id: %w", err)
+	}
+
+	return meetingID, true, nil
+}
+
+// Modes returns the restrictions modes for the meeting collection.
+func (m MotionWorkingGroupSpeaker) Modes(mode string) FieldRestricter {
+	switch mode {
+	case "A":
+		return m.see
+	}
+	return nil
+}
+
+func (m MotionWorkingGroupSpeaker) see(ctx context.Context, ds *dsfetch.Fetch, motionWorkingGroupSpeakerIDs ...int) ([]int, error) {
+	return meetingPerm(ctx, ds, m, motionWorkingGroupSpeakerIDs, perm.MotionCanManageMetadata)
+}