Make it impossible to create a userless private story

This patch prevents people from creating private stories which no users can access. If no users are specified, it will automatically add the current user to the list of users for the story. Change-Id: Ibaedd23193297a0a9d697e9d97474b4a2c4db1c5
2017-01-02 15:08:33 +00:00 · 2017-01-02 15:08:33 +00:00 · aaf92992ee
parent 8a0893e8bf
commit aaf92992ee
1 changed files with 8 additions and 4 deletions
--- a/storyboard/api/v1/stories.py
+++ b/storyboard/api/v1/stories.py
@ -217,14 +217,18 @@ class StoriesController(rest.RestController):

        users = None
        teams = None
-        if "users" in story_dict:
-            users = story_dict.pop("users")
-        if users is None:
-            users = [wmodels.User.from_db_model(users_api.user_get(user_id))]
+        # We make sure that a user cannot remove all users and teams
+        # from the permissions list for a story
+        # This should be reworked so that users can be removed if there
+        # are teams, and vice versa
        if "teams" in story_dict:
            teams = story_dict.pop("teams")
        if teams is None:
            teams = []
+        if "users" in story_dict:
+            users = story_dict.pop("users")
+        if users is None or (users == [] and teams == []):
+            users = [wmodels.User.from_db_model(users_api.user_get(user_id))]

        created_story = stories_api.story_create(story_dict)
        events_api.story_created_event(created_story.id, user_id, story.title)