Add Django model permissions to API endpoints
authorMichael Shamoon <4887959+shamoon@users.noreply.github.com>
Mon, 14 Nov 2022 09:32:50 +0000 (01:32 -0800)
committerMichael Shamoon <4887959+shamoon@users.noreply.github.com>
Tue, 15 Nov 2022 08:44:32 +0000 (00:44 -0800)
src/documents/permissions.py [new file with mode: 0644]
src/documents/views.py
src/paperless/views.py

diff --git a/src/documents/permissions.py b/src/documents/permissions.py
new file mode 100644 (file)
index 0000000..5bf3b14
--- /dev/null
@@ -0,0 +1,13 @@
+from rest_framework.permissions import DjangoModelPermissions
+
+
+class PaperlessModelPermissions(DjangoModelPermissions):
+    perms_map = {
+        "GET": ["%(app_label)s.view_%(model_name)s"],
+        "OPTIONS": [],
+        "HEAD": [],
+        "POST": ["%(app_label)s.add_%(model_name)s"],
+        "PUT": ["%(app_label)s.change_%(model_name)s"],
+        "PATCH": ["%(app_label)s.change_%(model_name)s"],
+        "DELETE": ["%(app_label)s.delete_%(model_name)s"],
+    }
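Review bot: `"HEAD": []` leaves HEAD requests without any model permission check, while `"GET"` now requires `view_<model>`; as far as I know DRF view sets answer HEAD through the GET handler, so a user without the view permission could still learn from the status code and headers whether a given object exists. Requiring the same permission as GET closes that gap: `"HEAD": ["%(app_label)s.view_%(model_name)s"],`. The class also has no docstring; I would add `"""Like DjangoModelPermissions, but GET also requires the model's view permission."""` so the reason for overriding the whole `perms_map` is recorded next to it.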
index dd960cbcf0967725a0d64a45dc6e6214da651cae..e7557eb7dc5e2da71ce51d57157eb3757e6f6c3b 100644 (file)
@@ -28,6 +28,7 @@ from django.utils.translation import get_language
 from django.views.decorators.cache import cache_control
 from django.views.generic import TemplateView
 from django_filters.rest_framework import DjangoFilterBackend
+from documents.permissions import PaperlessModelPermissions
 from documents.tasks import consume_file
 from packaging import version as packaging_version
 from paperless import version
@@ -144,7 +145,7 @@ class CorrespondentViewSet(ModelViewSet):
 
     serializer_class = CorrespondentSerializer
     pagination_class = StandardPagination
-    permission_classes = (IsAuthenticated,)
+    permission_classes = (IsAuthenticated, PaperlessModelPermissions)
     filter_backends = (DjangoFilterBackend, OrderingFilter)
     filterset_class = CorrespondentFilterSet
     ordering_fields = (
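Review bot: The tuple `(IsAuthenticated, PaperlessModelPermissions)` is spelled out by hand here and again in TagViewSet, DocumentTypeViewSet, DocumentViewSet, SavedViewViewSet and StoragePathViewSet, plus UserViewSet and GroupViewSet in src/paperless/views.py, so a view set added later is only protected if its author remembers to copy it. Defining it once, for example `DEFAULT_MODEL_PERMISSIONS = (IsAuthenticated, PaperlessModelPermissions)` in src/documents/permissions.py, and referencing that name keeps the policy in one place. The commit's file list shows no test changes; a test per view set asserting 403 for a user without the matching permission would pin the behaviour. CorrespondentViewSet's body starts and ends outside this hunk.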
@@ -170,7 +171,7 @@ class TagViewSet(ModelViewSet):
             return TagSerializer
 
     pagination_class = StandardPagination
-    permission_classes = (IsAuthenticated,)
+    permission_classes = (IsAuthenticated, PaperlessModelPermissions)
     filter_backends = (DjangoFilterBackend, OrderingFilter)
     filterset_class = TagFilterSet
     ordering_fields = ("name", "matching_algorithm", "match", "document_count")
@@ -185,7 +186,7 @@ class DocumentTypeViewSet(ModelViewSet):
 
     serializer_class = DocumentTypeSerializer
     pagination_class = StandardPagination
-    permission_classes = (IsAuthenticated,)
+    permission_classes = (IsAuthenticated, PaperlessModelPermissions)
     filter_backends = (DjangoFilterBackend, OrderingFilter)
     filterset_class = DocumentTypeFilterSet
     ordering_fields = ("name", "matching_algorithm", "match", "document_count")
@@ -202,7 +203,7 @@ class DocumentViewSet(
     queryset = Document.objects.all()
     serializer_class = DocumentSerializer
     pagination_class = StandardPagination
-    permission_classes = (IsAuthenticated,)
+    permission_classes = (IsAuthenticated, PaperlessModelPermissions)
     filter_backends = (DjangoFilterBackend, SearchFilter, OrderingFilter)
     filterset_class = DocumentFilterSet
     search_fields = ("title", "correspondent__name", "content")
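Review bot: The check added here is model-level only: with `queryset = Document.objects.all()` any user holding `view_document` can read every document, and nothing in this hunk restricts access per object or per owner. If that is the intended scope of this commit, say so next to the setting, e.g. `# Model-level check only; no per-document ownership is enforced here.` Any extra actions on this view set (outside this hunk) will presumably be gated by HTTP verb through `perms_map`, so a POST action would need `add_document` whatever it actually does; worth confirming that this matches each action. The class body continues outside the hunk.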
@@ -550,7 +551,7 @@ class SavedViewViewSet(ModelViewSet):
     queryset = SavedView.objects.all()
     serializer_class = SavedViewSerializer
     pagination_class = StandardPagination
-    permission_classes = (IsAuthenticated,)
+    permission_classes = (IsAuthenticated, PaperlessModelPermissions)
 
     def get_queryset(self):
         user = self.request.user
@@ -826,7 +827,7 @@ class StoragePathViewSet(ModelViewSet):
 
     serializer_class = StoragePathSerializer
     pagination_class = StandardPagination
-    permission_classes = (IsAuthenticated,)
+    permission_classes = (IsAuthenticated, PaperlessModelPermissions)
     filter_backends = (DjangoFilterBackend, OrderingFilter)
     filterset_class = StoragePathFilterSet
     ordering_fields = ("name", "path", "matching_algorithm", "match", "document_count")
index f116385ba4faaa7dc6ed9c2f216e6b3c01958fa7..431bbfd8164b92b3b01df5a78060bd6fc5d8db7f 100644 (file)
@@ -6,6 +6,7 @@ from django.db.models.functions import Lower
 from django.http import HttpResponse
 from django.views.generic import View
 from django_filters.rest_framework import DjangoFilterBackend
+from documents.permissions import PaperlessModelPermissions
 from paperless.filters import GroupFilterSet
 from paperless.filters import UserFilterSet
 from paperless.serialisers import GroupSerializer
@@ -42,7 +43,7 @@ class UserViewSet(ModelViewSet):
 
     serializer_class = UserSerializer
     pagination_class = StandardPagination
-    permission_classes = (IsAuthenticated,)
+    permission_classes = (IsAuthenticated, PaperlessModelPermissions)
     filter_backends = (DjangoFilterBackend, OrderingFilter)
     filterset_class = UserFilterSet
     ordering_fields = ("username",)
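Review bot: `change_user` and `add_user` now gate the whole of UserSerializer, so whether this is safe depends on which fields that serializer lets a client write, and the serializer is not visible in this diff. If it exposes `is_superuser`, `is_staff`, `groups` or `user_permissions`, a user granted only `change_user` could raise their own privileges, and the same applies to GroupViewSet in the next hunk with `change_group` and the group's permission list. I would either make those fields read-only for non-superusers or document here that these permissions are equivalent to full administration, e.g. `# NOTE: change_user allows editing privilege fields; grant to administrators only.` UserViewSet's body continues outside the hunk.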
@@ -55,7 +56,7 @@ class GroupViewSet(ModelViewSet):
 
     serializer_class = GroupSerializer
     pagination_class = StandardPagination
-    permission_classes = (IsAuthenticated,)
+    permission_classes = (IsAuthenticated, PaperlessModelPermissions)
     filter_backends = (DjangoFilterBackend, OrderingFilter)
     filterset_class = GroupFilterSet
     ordering_fields = ("name",)