return obj.owner is None or obj.owner == user or checker.has_perm(perms, obj)
+class ViewDocumentsPermissions(BasePermission):
+ """
+ Permissions class that checks for model permissions for only viewing Documents.
+ """
+
+ perms_map = {
+ "OPTIONS": ["documents.view_document"],
+ "GET": ["documents.view_document"],
+ "POST": ["documents.view_document"],
+ }
+
+ def has_permission(self, request, view):
+ if not request.user or (not request.user.is_authenticated): # pragma: no cover
+ return False
+
+ return request.user.has_perms(self.perms_map.get(request.method, []))
+
+
class PaperlessNotePermissions(BasePermission):
"""
Permissions class that checks for model permissions for Notes.
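Review bot: `has_permission` in the new `ViewDocumentsPermissions` lets any authenticated user through for a request method that is not a key of `perms_map`, because `self.perms_map.get(request.method, [])` yields an empty list and `has_perms([])` is vacuously true. The class is only attached to POST-only actions in this commit, so the gap is latent, but it is a reusable permission class and default-deny is the safer shape: `if request.method not in self.perms_map: return False` followed by `return request.user.has_perms(self.perms_map[request.method])`. The docstring could also state that the class checks only the model-level `documents.view_document` permission and defines no `has_object_permission`, so ownership and shared-object checks must be done by the view that uses it.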
)
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+ def test_email_only_requires_view_permission(self):
+ """
+ GIVEN:
+ - User having only view documents permission
+ WHEN:
+ - API request is made to bulk email documents
+ THEN:
+ - Request succeeds
+ """
+ user1 = User.objects.create_user(username="test1")
+ user1.user_permissions.add(*Permission.objects.filter(codename="view_document"))
+
+ self.client.force_authenticate(user1)
+
+ response = self.client.post(
+ self.ENDPOINT,
+ json.dumps(
+ {
+ "documents": [self.doc1.pk],
+ "addresses": "test@example.com",
+ "subject": "Test",
+ "message": "Test message",
+ },
+ ),
+ content_type="application/json",
+ )
+ self.assertEqual(response.status_code, status.HTTP_200_OK)
+
@override_settings(
EMAIL_ENABLED=True,
EMAIL_BACKEND="django.core.mail.backends.locmem.EmailBackend",
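Review bot: `test_email_only_requires_view_permission` pins only the grant path: user1 holds the model-level `view_document` permission and `self.doc1` is presumably unowned, so nothing here shows what happens when the document is owned by another user and not shared, which is exactly the case a model-level-only permission class cannot cover. A companion case that assigns `self.doc1` an owner other than user1 and asserts a non-200 status for the same request would pin that behaviour (the 403 assertion just above appears to cover the no-permission case already). The new test also carries no `@override_settings(EMAIL_ENABLED=True, ...)` while the following test does, so if email enablement is checked by the endpoint the 200 assertion may depend on class-level settings that are not visible in the hunk.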
from documents.permissions import PaperlessAdminPermissions
from documents.permissions import PaperlessNotePermissions
from documents.permissions import PaperlessObjectPermissions
+from documents.permissions import ViewDocumentsPermissions
from documents.permissions import get_document_count_filter_for_user
from documents.permissions import get_objects_for_user_owner_aware
from documents.permissions import has_perms_owner_aware
return Response(sorted(entries, key=lambda x: x["timestamp"], reverse=True))
- @action(methods=["post"], detail=True, url_path="email")
+ @action(
+ methods=["post"],
+ detail=True,
+ url_path="email",
+ permission_classes=[IsAuthenticated, ViewDocumentsPermissions],
+ )
# TODO: deprecated as of 2.19, remove in future release
def email_document(self, request, pk=None):
request_data = request.data.copy()
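Review bot: Setting `permission_classes` on the action replaces the viewset's default permission classes, and `ViewDocumentsPermissions` does not override `has_object_permission`, so DRF's `BasePermission` default of returning True applies when `get_object()` runs the object check for this `detail=True` action. If the viewset's defaults previously included an object-level class such as `PaperlessObjectPermissions`, a user holding only the model-level `view_document` permission may now reach a document they cannot otherwise view unless the body of `email_document` (which continues outside the hunk) filters it explicitly; the same concern applies to the `email_documents` action in the last hunk, where `detail=False` means no object check runs at all and each requested pk must be validated in the body. Either add a `has_object_permission` on the class that delegates to `has_perms_owner_aware`, or document the intent on the decorator, e.g. `# model-level view permission only; per-document access is enforced in the body`.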
detail=False,
url_path="email",
serializer_class=EmailSerializer,
+ permission_classes=[IsAuthenticated, ViewDocumentsPermissions],
)
def email_documents(self, request, data=None):
serializer = EmailSerializer(data=data or request.data)