Add backend check for ws message ownership 3959/head
authorshamoon <4887959+shamoon@users.noreply.github.com>
Wed, 9 Aug 2023 15:52:23 +0000 (08:52 -0700)
committershamoon <4887959+shamoon@users.noreply.github.com>
Wed, 9 Aug 2023 23:46:48 +0000 (16:46 -0700)
src-ui/src/app/services/consumer-status.service.ts
src/paperless/consumers.py

index 3e21da1382668f0adeba0164ed7fa61369ba2c9f..2b587fbfd9c84bd92e33ce325d6b61deab2995a5 100644 (file)
@@ -146,7 +146,7 @@ export class ConsumerStatusService {
     this.statusWebSocket.onmessage = (ev) => {
       let statusMessage: WebsocketConsumerStatusMessage = JSON.parse(ev['data'])
 
-      // tasks are async so we rely on checking user id
+      // fallback if backend didnt restrict message
       if (
         statusMessage.owner_id &&
         statusMessage.owner_id !== this.settingsService.currentUser?.id &&
index 7c34c8c39d2dcdf278712ca752bec8db9cb470e3..cf1a3b548277de4f5069eb702220806b5f5db6c7 100644 (file)
@@ -10,6 +10,16 @@ class StatusConsumer(WebsocketConsumer):
     def _authenticated(self):
         return "user" in self.scope and self.scope["user"].is_authenticated
 
+    def _is_owner_or_unowned(self, data):
+        return (
+            (
+                self.scope["user"].is_superuser
+                or self.scope["user"].id == data["owner_id"]
+            )
+            if "owner_id" in data and "user" in self.scope
+            else True
+        )
+
     def connect(self):
         if not self._authenticated():
             raise DenyConnection
@@ -30,4 +40,5 @@ class StatusConsumer(WebsocketConsumer):
         if not self._authenticated():
             self.close()
         else:
-            self.send(json.dumps(event["data"]))
+            if self._is_owner_or_unowned(event["data"]):
+                self.send(json.dumps(event["data"]))
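Review bot: `_is_owner_or_unowned` in the first hunk fails open — when `"user"` is absent from `self.scope` it returns True for every message, owned or not; the only caller (second hunk) happens to check `_authenticated()` first, but an ownership filter should deny on its own when there is no authenticated user rather than rely on call-site ordering. A second point: if the producer emits `owner_id` present but `None` for unowned documents, `self.scope["user"].id == data["owner_id"]` is False for every non-superuser, so unowned messages are dropped for them, whereas the frontend fallback in consumer-status.service.ts (`statusMessage.owner_id && ...`) treats a falsy owner as unowned — whether that case arises depends on the sender, which is outside this diff. I would restructure the helper as below, reading the user and owner once and returning early, and add a docstring stating that superusers and the owner see the message, unowned messages are delivered to everyone, and messages are withheld when no authenticated user is attached to the socket. The enclosing `status_update` method of the second hunk starts outside the hunk.
```python
    def _is_owner_or_unowned(self, data):
        owner_id = data.get("owner_id")
        if owner_id is None:
            # unowned message: deliverable to any authenticated user
            return True
        user = self.scope.get("user")
        if user is None or not user.is_authenticated:
            # fail closed: no authenticated user, no owned messages
            return False
        return user.is_superuser or user.id == owner_id
```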