def has_perms_owner_aware(user, perms, obj):
checker = ObjectPermissionChecker(user)
return obj.owner is None or obj.owner == user or checker.has_perm(perms, obj)
+
+
+class PaperlessNotePermissions(BasePermission):
+ """
+ Permissions class that checks for model permissions for Notes.
+ """
+
+ perms_map = {
+ "GET": ["documents.view_note"],
+ "POST": ["documents.add_note"],
+ "DELETE": ["documents.delete_note"],
+ }
+
+ def has_permission(self, request, view):
+ if not request.user or (not request.user.is_authenticated): # pragma: no cover
+ return False
+
+ perms = self.perms_map[request.method]
+
+ return request.user.has_perms(perms)
from documents.parsers import get_parser_class_for_mime_type
from documents.parsers import parse_date_generator
from documents.permissions import PaperlessAdminPermissions
+from documents.permissions import PaperlessNotePermissions
from documents.permissions import PaperlessObjectPermissions
from documents.permissions import get_objects_for_user_owner_aware
from documents.permissions import has_perms_owner_aware
.order_by("-created")
]
- @action(methods=["get", "post", "delete"], detail=True)
+ @action(
+ methods=["get", "post", "delete"],
+ detail=True,
+ permission_classes=[PaperlessNotePermissions],
+ )
def notes(self, request, pk=None):
currentUser = request.user
try:
projects / thirdparty / paperless-ngx.git / commitdiff
