mirror of
https://github.com/paperless-ngx/paperless-ngx.git
synced 2025-04-02 13:45:10 -05:00
Fix: disable invalid create endpoints (#6320)
This commit is contained in:
parent
622fcf96a0
commit
1d85caa8d0
@ -163,14 +163,23 @@ class SetPermissionsMixin:
|
||||
set_permissions_for_object(permissions, object)
|
||||
|
||||
|
||||
class OwnedObjectSerializer(serializers.ModelSerializer, SetPermissionsMixin):
|
||||
class SerializerWithPerms(serializers.Serializer):
|
||||
def __init__(self, *args, **kwargs):
|
||||
self.user = kwargs.pop("user", None)
|
||||
full_perms = kwargs.pop("full_perms", False)
|
||||
self.full_perms = kwargs.pop("full_perms", False)
|
||||
super().__init__(*args, **kwargs)
|
||||
|
||||
|
||||
class OwnedObjectSerializer(
|
||||
SerializerWithPerms,
|
||||
serializers.ModelSerializer,
|
||||
SetPermissionsMixin,
|
||||
):
|
||||
def __init__(self, *args, **kwargs):
|
||||
super().__init__(*args, **kwargs)
|
||||
|
||||
try:
|
||||
if full_perms:
|
||||
if self.full_perms:
|
||||
self.fields.pop("user_can_change")
|
||||
self.fields.pop("is_shared_by_requester")
|
||||
else:
|
||||
@ -857,7 +866,11 @@ class DocumentListSerializer(serializers.Serializer):
|
||||
return documents
|
||||
|
||||
|
||||
class BulkEditSerializer(DocumentListSerializer, SetPermissionsMixin):
|
||||
class BulkEditSerializer(
|
||||
SerializerWithPerms,
|
||||
DocumentListSerializer,
|
||||
SetPermissionsMixin,
|
||||
):
|
||||
method = serializers.ChoiceField(
|
||||
choices=[
|
||||
"set_correspondent",
|
||||
@ -1356,7 +1369,7 @@ class ShareLinkSerializer(OwnedObjectSerializer):
|
||||
return super().create(validated_data)
|
||||
|
||||
|
||||
class BulkEditObjectsSerializer(serializers.Serializer, SetPermissionsMixin):
|
||||
class BulkEditObjectsSerializer(SerializerWithPerms, SetPermissionsMixin):
|
||||
objects = serializers.ListField(
|
||||
required=True,
|
||||
allow_empty=False,
|
||||
|
@ -815,6 +815,14 @@ class TestDocumentApi(DirectoriesMixin, DocumentConsumeDelayMixin, APITestCase):
|
||||
self.assertIsNone(overrides.document_type_id)
|
||||
self.assertIsNone(overrides.tag_ids)
|
||||
|
||||
def test_create_wrong_endpoint(self):
|
||||
response = self.client.post(
|
||||
"/api/documents/",
|
||||
{},
|
||||
)
|
||||
|
||||
self.assertEqual(response.status_code, status.HTTP_405_METHOD_NOT_ALLOWED)
|
||||
|
||||
def test_upload_empty_metadata(self):
|
||||
self.consume_file_mock.return_value = celery.result.AsyncResult(
|
||||
id=str(uuid.uuid4()),
|
||||
|
@ -55,7 +55,6 @@ from rest_framework.exceptions import NotFound
|
||||
from rest_framework.filters import OrderingFilter
|
||||
from rest_framework.filters import SearchFilter
|
||||
from rest_framework.generics import GenericAPIView
|
||||
from rest_framework.mixins import CreateModelMixin
|
||||
from rest_framework.mixins import DestroyModelMixin
|
||||
from rest_framework.mixins import ListModelMixin
|
||||
from rest_framework.mixins import RetrieveModelMixin
|
||||
@ -201,7 +200,7 @@ class IndexView(TemplateView):
|
||||
return context
|
||||
|
||||
|
||||
class PassUserMixin(CreateModelMixin):
|
||||
class PassUserMixin(GenericAPIView):
|
||||
"""
|
||||
Pass a user object to serializer
|
||||
"""
|
||||
@ -873,7 +872,7 @@ class SavedViewViewSet(ModelViewSet, PassUserMixin):
|
||||
serializer.save(owner=self.request.user)
|
||||
|
||||
|
||||
class BulkEditView(GenericAPIView, PassUserMixin):
|
||||
class BulkEditView(PassUserMixin):
|
||||
permission_classes = (IsAuthenticated,)
|
||||
serializer_class = BulkEditSerializer
|
||||
parser_classes = (parsers.JSONParser,)
|
||||
@ -1450,7 +1449,7 @@ def serve_file(doc: Document, use_archive: bool, disposition: str):
|
||||
return response
|
||||
|
||||
|
||||
class BulkEditObjectsView(GenericAPIView, PassUserMixin):
|
||||
class BulkEditObjectsView(PassUserMixin):
|
||||
permission_classes = (IsAuthenticated,)
|
||||
serializer_class = BulkEditObjectsSerializer
|
||||
parser_classes = (parsers.JSONParser,)
|
||||
@ -1582,7 +1581,7 @@ class CustomFieldViewSet(ModelViewSet):
|
||||
queryset = CustomField.objects.all().order_by("-created")
|
||||
|
||||
|
||||
class SystemStatusView(GenericAPIView, PassUserMixin):
|
||||
class SystemStatusView(PassUserMixin):
|
||||
permission_classes = (IsAuthenticated,)
|
||||
|
||||
def get(self, request, format=None):
|
||||
|
Loading…
x
Reference in New Issue
Block a user