Fix: disable invalid create endpoints (#6320)

This commit is contained in:
shamoon 2024-04-07 11:50:40 -07:00 committed by GitHub
parent 622fcf96a0
commit 1d85caa8d0
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 30 additions and 10 deletions


@ -163,14 +163,23 @@ class SetPermissionsMixin:
set_permissions_for_object(permissions, object)
class OwnedObjectSerializer(serializers.ModelSerializer, SetPermissionsMixin):
class SerializerWithPerms(serializers.Serializer):
def __init__(self, *args, **kwargs):
self.user = kwargs.pop("user", None)
full_perms = kwargs.pop("full_perms", False)
self.full_perms = kwargs.pop("full_perms", False)
super().__init__(*args, **kwargs)
class OwnedObjectSerializer(
SerializerWithPerms,
serializers.ModelSerializer,
SetPermissionsMixin,
):
def __init__(self, *args, **kwargs):
super().__init__(*args, **kwargs)
try:
if full_perms:
if self.full_perms:
self.fields.pop("user_can_change")
self.fields.pop("is_shared_by_requester")
else:
@ -857,7 +866,11 @@ class DocumentListSerializer(serializers.Serializer):
return documents
class BulkEditSerializer(DocumentListSerializer, SetPermissionsMixin):
class BulkEditSerializer(
SerializerWithPerms,
DocumentListSerializer,
SetPermissionsMixin,
):
method = serializers.ChoiceField(
choices=[
"set_correspondent",
@ -1356,7 +1369,7 @@ class ShareLinkSerializer(OwnedObjectSerializer):
return super().create(validated_data)
class BulkEditObjectsSerializer(serializers.Serializer, SetPermissionsMixin):
class BulkEditObjectsSerializer(SerializerWithPerms, SetPermissionsMixin):
objects = serializers.ListField(
required=True,
allow_empty=False,
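Review bot: `SerializerWithPerms` carries no docstring, yet its position in each base list is load-bearing: it has to pop `user` and `full_perms` out of `kwargs` before DRF's `Serializer.__init__` forwards the remainder to `Field.__init__`, which (as far as I recall) takes keyword-only arguments and raises `TypeError` on anything unknown, so listing it after `serializers.Serializer`/`ModelSerializer` would break construction. I would add `"""Consume the ``user`` and ``full_perms`` kwargs before DRF sees them; must be the first base of any serializer that uses them."""` under the class line, and note there that `self.user` may be `None` when the caller passed nothing. The same ordering applies to the `BulkEditSerializer` and `BulkEditObjectsSerializer` hunks in this file. The body of `OwnedObjectSerializer.__init__` continues outside the first hunk.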


@ -815,6 +815,14 @@ class TestDocumentApi(DirectoriesMixin, DocumentConsumeDelayMixin, APITestCase):
self.assertIsNone(overrides.document_type_id)
self.assertIsNone(overrides.tag_ids)
def test_create_wrong_endpoint(self):
response = self.client.post(
"/api/documents/",
{},
)
self.assertEqual(response.status_code, status.HTTP_405_METHOD_NOT_ALLOWED)
def test_upload_empty_metadata(self):
self.consume_file_mock.return_value = celery.result.AsyncResult(
id=str(uuid.uuid4()),
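Review bot: `test_create_wrong_endpoint` does not say what invariant it guards, and its expected 405 only holds if the client set up outside this hunk is authenticated, since DRF runs authentication and permission checks before it resolves the handler. A docstring such as `"""POST to the documents viewset must be rejected: it carries no create action, so it must not accept arbitrary document creation."""` would make the intent and the fixture dependency explicit. The check also covers a single route; presumably every other viewset that used `PassUserMixin` lost the same implicit `create` action, so asserting 405 on those routes as well would keep the regression guard complete.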


@ -55,7 +55,6 @@ from rest_framework.exceptions import NotFound
from rest_framework.filters import OrderingFilter
from rest_framework.filters import SearchFilter
from rest_framework.generics import GenericAPIView
from rest_framework.mixins import CreateModelMixin
from rest_framework.mixins import DestroyModelMixin
from rest_framework.mixins import ListModelMixin
from rest_framework.mixins import RetrieveModelMixin
@ -201,7 +200,7 @@ class IndexView(TemplateView):
return context
class PassUserMixin(CreateModelMixin):
class PassUserMixin(GenericAPIView):
"""
Pass a user object to serializer
"""
@ -873,7 +872,7 @@ class SavedViewViewSet(ModelViewSet, PassUserMixin):
serializer.save(owner=self.request.user)
class BulkEditView(GenericAPIView, PassUserMixin):
class BulkEditView(PassUserMixin):
permission_classes = (IsAuthenticated,)
serializer_class = BulkEditSerializer
parser_classes = (parsers.JSONParser,)
@ -1450,7 +1449,7 @@ def serve_file(doc: Document, use_archive: bool, disposition: str):
return response
class BulkEditObjectsView(GenericAPIView, PassUserMixin):
class BulkEditObjectsView(PassUserMixin):
permission_classes = (IsAuthenticated,)
serializer_class = BulkEditObjectsSerializer
parser_classes = (parsers.JSONParser,)
@ -1582,7 +1581,7 @@ class CustomFieldViewSet(ModelViewSet):
queryset = CustomField.objects.all().order_by("-created")
class SystemStatusView(GenericAPIView, PassUserMixin):
class SystemStatusView(PassUserMixin):
permission_classes = (IsAuthenticated,)
def get(self, request, format=None):
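Review bot: The docstring of `PassUserMixin` still reads just "Pass a user object to serializer" and does not record the invariant this change establishes: the class must stay free of DRF action mixins, because a viewset that inherits a `create` method gets `POST` routed to it automatically, which is what exposed the unintended create endpoints. Since the class is now a `GenericAPIView` subclass rather than a pure mixin, I would extend the docstring with `Deliberately derives from GenericAPIView only: adding an action mixin here (e.g. CreateModelMixin) would silently expose that action on every view that inherits this class.` The same reasoning applies to the `BulkEditView`, `BulkEditObjectsView` and `SystemStatusView` hunks, which now rely on this class for their `GenericAPIView` base; their bodies continue outside the hunks.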