from django_filters.rest_framework import BooleanFilter
from django_filters.rest_framework import Filter
from django_filters.rest_framework import FilterSet
+from rest_framework_guardian.filters import ObjectPermissionsFilter
from .models import Correspondent
from .models import Document
"name": CHAR_KWARGS,
"path": CHAR_KWARGS,
}
+
+
+class ObjectOwnedOrGrandtedPermissionsFilter(ObjectPermissionsFilter):
+ """
+ A filter backend that limits results to those where the requesting user
+ has read object level permissions, owns the objects, or objects without
+ an owner (for backwards compat)
+ """
+
+ def filter_queryset(self, request, queryset, view):
+ objects_with_perms = super().filter_queryset(request, queryset, view)
+ objects_owned = queryset.filter(owner=request.user)
+ objects_unowned = queryset.filter(owner__isnull=True)
+ return objects_with_perms | objects_owned | objects_unowned
from rest_framework.permissions import BasePermission
-from rest_framework.permissions import DjangoModelPermissions
+from rest_framework.permissions import DjangoObjectPermissions
-class PaperlessModelPermissions(DjangoModelPermissions):
+class PaperlessObjectPermissions(DjangoObjectPermissions):
+ """
+ A permissions backend that checks for object-level permissions
+ or for ownership.
+ """
+
perms_map = {
"GET": ["%(app_label)s.view_%(model_name)s"],
- "OPTIONS": [],
- "HEAD": [],
+ "OPTIONS": ["%(app_label)s.view_%(model_name)s"],
+ "HEAD": ["%(app_label)s.view_%(model_name)s"],
"POST": ["%(app_label)s.add_%(model_name)s"],
"PUT": ["%(app_label)s.change_%(model_name)s"],
"PATCH": ["%(app_label)s.change_%(model_name)s"],
"DELETE": ["%(app_label)s.delete_%(model_name)s"],
}
+ def has_object_permission(self, request, view, obj):
+ if hasattr(obj, "owner") and request.user == obj.owner:
+ return True
+ else:
+ return super().has_object_permission(request, view, obj)
+
class PaperlessAdminPermissions(BasePermission):
def has_permission(self, request, view):
from django.views.decorators.cache import cache_control
from django.views.generic import TemplateView
from django_filters.rest_framework import DjangoFilterBackend
+from documents.filters import ObjectOwnedOrGrandtedPermissionsFilter
from documents.permissions import PaperlessAdminPermissions
-from documents.permissions import PaperlessModelPermissions
+from documents.permissions import PaperlessObjectPermissions
from documents.tasks import consume_file
from packaging import version as packaging_version
from paperless import version
serializer_class = CorrespondentSerializer
pagination_class = StandardPagination
- permission_classes = (IsAuthenticated, PaperlessModelPermissions)
- filter_backends = (DjangoFilterBackend, OrderingFilter)
+ permission_classes = (IsAuthenticated, PaperlessObjectPermissions)
+ filter_backends = (
+ DjangoFilterBackend,
+ OrderingFilter,
+ ObjectOwnedOrGrandtedPermissionsFilter,
+ )
filterset_class = CorrespondentFilterSet
ordering_fields = (
"name",
return TagSerializer
pagination_class = StandardPagination
- permission_classes = (IsAuthenticated, PaperlessModelPermissions)
+ permission_classes = (IsAuthenticated, PaperlessObjectPermissions)
filter_backends = (DjangoFilterBackend, OrderingFilter)
filterset_class = TagFilterSet
ordering_fields = ("name", "matching_algorithm", "match", "document_count")
serializer_class = DocumentTypeSerializer
pagination_class = StandardPagination
- permission_classes = (IsAuthenticated, PaperlessModelPermissions)
+ permission_classes = (IsAuthenticated, PaperlessObjectPermissions)
filter_backends = (DjangoFilterBackend, OrderingFilter)
filterset_class = DocumentTypeFilterSet
ordering_fields = ("name", "matching_algorithm", "match", "document_count")
queryset = Document.objects.all()
serializer_class = DocumentSerializer
pagination_class = StandardPagination
- permission_classes = (IsAuthenticated, PaperlessModelPermissions)
+ permission_classes = (IsAuthenticated, PaperlessObjectPermissions)
filter_backends = (DjangoFilterBackend, SearchFilter, OrderingFilter)
filterset_class = DocumentFilterSet
search_fields = ("title", "correspondent__name", "content")
queryset = SavedView.objects.all()
serializer_class = SavedViewSerializer
pagination_class = StandardPagination
- permission_classes = (IsAuthenticated, PaperlessModelPermissions)
+ permission_classes = (IsAuthenticated, PaperlessObjectPermissions)
def get_queryset(self):
user = self.request.user
serializer_class = StoragePathSerializer
pagination_class = StandardPagination
- permission_classes = (IsAuthenticated, PaperlessModelPermissions)
+ permission_classes = (IsAuthenticated, PaperlessObjectPermissions)
filter_backends = (DjangoFilterBackend, OrderingFilter)
filterset_class = StoragePathFilterSet
ordering_fields = ("name", "path", "matching_algorithm", "match", "document_count")
# Security #
###############################################################################
+AUTHENTICATION_BACKENDS = [
+ "guardian.backends.ObjectPermissionBackend",
+ "django.contrib.auth.backends.ModelBackend",
+]
+
AUTO_LOGIN_USERNAME = os.getenv("PAPERLESS_AUTO_LOGIN_USERNAME")
if AUTO_LOGIN_USERNAME:
if ENABLE_HTTP_REMOTE_USER:
MIDDLEWARE.append("paperless.auth.HttpRemoteUserMiddleware")
- AUTHENTICATION_BACKENDS = [
- "django.contrib.auth.backends.RemoteUserBackend",
- "django.contrib.auth.backends.ModelBackend",
- "guardian.backends.ObjectPermissionBackend",
- ]
+ AUTHENTICATION_BACKENDS.insert(0, "django.contrib.auth.backends.RemoteUserBackend")
REST_FRAMEWORK["DEFAULT_AUTHENTICATION_CLASSES"].append(
"rest_framework.authentication.RemoteUserAuthentication",
)
from django.http import HttpResponse
from django.views.generic import View
from django_filters.rest_framework import DjangoFilterBackend
-from documents.permissions import PaperlessModelPermissions
+from documents.permissions import PaperlessObjectPermissions
from paperless.filters import GroupFilterSet
from paperless.filters import UserFilterSet
from paperless.serialisers import GroupSerializer
serializer_class = UserSerializer
pagination_class = StandardPagination
- permission_classes = (IsAuthenticated, PaperlessModelPermissions)
+ permission_classes = (IsAuthenticated, PaperlessObjectPermissions)
filter_backends = (DjangoFilterBackend, OrderingFilter)
filterset_class = UserFilterSet
ordering_fields = ("username",)
serializer_class = GroupSerializer
pagination_class = StandardPagination
- permission_classes = (IsAuthenticated, PaperlessModelPermissions)
+ permission_classes = (IsAuthenticated, PaperlessObjectPermissions)
filter_backends = (DjangoFilterBackend, OrderingFilter)
filterset_class = GroupFilterSet
ordering_fields = ("name",)
projects / thirdparty / paperless-ngx.git / commitdiff
