Merge "Make it impossible to create a userless private story"

2018-06-08 22:45:58 +00:00 · 2018-06-08 22:45:58 +00:00 · 0ce733f941
commit 0ce733f941
parent ac0ade25de aaf92992ee
1 changed files with 8 additions and 4 deletions
--- a/storyboard/api/v1/stories.py
+++ b/storyboard/api/v1/stories.py
@ -217,14 +217,18 @@ class StoriesController(rest.RestController):

        users = None
        teams = None
-        if "users" in story_dict:
-            users = story_dict.pop("users")
-        if users is None:
-            users = [wmodels.User.from_db_model(users_api.user_get(user_id))]
+        # We make sure that a user cannot remove all users and teams
+        # from the permissions list for a story
+        # This should be reworked so that users can be removed if there
+        # are teams, and vice versa
        if "teams" in story_dict:
            teams = story_dict.pop("teams")
        if teams is None:
            teams = []
+        if "users" in story_dict:
+            users = story_dict.pop("users")
+        if users is None or (users == [] and teams == []):
+            users = [wmodels.User.from_db_model(users_api.user_get(user_id))]

        created_story = stories_api.story_create(story_dict)
        events_api.story_created_event(created_story.id, user_id, story.title)