]> git.ipfire.org Git - thirdparty/paperless-ngx.git/commitdiff
Enhancement: dont require document model permissions for notes (#6913)
authorshamoon <4887959+shamoon@users.noreply.github.com>
Sat, 8 Jun 2024 01:23:45 +0000 (18:23 -0700)
committerGitHub <noreply@github.com>
Sat, 8 Jun 2024 01:23:45 +0000 (01:23 +0000)
src/documents/permissions.py
src/documents/views.py

index 76f1835f2e07a774d6061590acc9c4c94d58b041..a254f8377e9a6945ed52420bd372b7ff033023c3 100644 (file)
@@ -138,3 +138,23 @@ def get_objects_for_user_owner_aware(user, perms, Model) -> QuerySet:
 def has_perms_owner_aware(user, perms, obj):
     checker = ObjectPermissionChecker(user)
     return obj.owner is None or obj.owner == user or checker.has_perm(perms, obj)
+
+
+class PaperlessNotePermissions(BasePermission):
+    """
+    Permissions class that checks for model permissions for Notes.
+    """
+
+    perms_map = {
+        "GET": ["documents.view_note"],
+        "POST": ["documents.add_note"],
+        "DELETE": ["documents.delete_note"],
+    }
+
+    def has_permission(self, request, view):
+        if not request.user or (not request.user.is_authenticated):  # pragma: no cover
+            return False
+
+        perms = self.perms_map[request.method]
+
+        return request.user.has_perms(perms)
index 91b99b6109ef3d2bf2ddc16f5c0e559b2c3b2422..02023b59fe43daba9831fda9761f9be10371513e 100644 (file)
@@ -123,6 +123,7 @@ from documents.models import WorkflowTrigger
 from documents.parsers import get_parser_class_for_mime_type
 from documents.parsers import parse_date_generator
 from documents.permissions import PaperlessAdminPermissions
+from documents.permissions import PaperlessNotePermissions
 from documents.permissions import PaperlessObjectPermissions
 from documents.permissions import get_objects_for_user_owner_aware
 from documents.permissions import has_perms_owner_aware
@@ -622,7 +623,11 @@ class DocumentViewSet(
             .order_by("-created")
         ]
 
-    @action(methods=["get", "post", "delete"], detail=True)
+    @action(
+        methods=["get", "post", "delete"],
+        detail=True,
+        permission_classes=[PaperlessNotePermissions],
+    )
     def notes(self, request, pk=None):
         currentUser = request.user
         try: