diff --git a/src/documents/serialisers.py b/src/documents/serialisers.py
index 777edca6f..f8537726f 100644
--- a/src/documents/serialisers.py
+++ b/src/documents/serialisers.py
@@ -163,14 +163,23 @@ class SetPermissionsMixin:
 set_permissions_for_object(permissions, object)
-class OwnedObjectSerializer(serializers.ModelSerializer, SetPermissionsMixin):
+class SerializerWithPerms(serializers.Serializer):
 def __init__(self, *args, **kwargs):
 self.user = kwargs.pop("user", None)
- full_perms = kwargs.pop("full_perms", False)
+ self.full_perms = kwargs.pop("full_perms", False)
+ super().__init__(*args, **kwargs)
+
+
+class OwnedObjectSerializer(
+ SerializerWithPerms,
+ serializers.ModelSerializer,
+ SetPermissionsMixin,
+):
+ def __init__(self, *args, **kwargs):
 super().__init__(*args, **kwargs)
 try:
- if full_perms:
+ if self.full_perms:
 self.fields.pop("user_can_change")
 self.fields.pop("is_shared_by_requester")
 else:
@@ -857,7 +866,11 @@ class DocumentListSerializer(serializers.Serializer):
 return documents
-class BulkEditSerializer(DocumentListSerializer, SetPermissionsMixin):
+class BulkEditSerializer(
+ SerializerWithPerms,
+ DocumentListSerializer,
+ SetPermissionsMixin,
+):
 method = serializers.ChoiceField(
 choices=[
 "set_correspondent",
@@ -1356,7 +1369,7 @@ class ShareLinkSerializer(OwnedObjectSerializer):
 return super().create(validated_data)
-class BulkEditObjectsSerializer(serializers.Serializer, SetPermissionsMixin):
+class BulkEditObjectsSerializer(SerializerWithPerms, SetPermissionsMixin):
 objects = serializers.ListField(
 required=True,
 allow_empty=False,
diff --git a/src/documents/tests/test_api_documents.py b/src/documents/tests/test_api_documents.py
index 4798fef95..0a94a5677 100644
--- a/src/documents/tests/test_api_documents.py
+++ b/src/documents/tests/test_api_documents.py
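Review bot: `SerializerWithPerms` in serialisers.py has no docstring, and two things about it are easy to get wrong later. It has to stay first in the bases list of `OwnedObjectSerializer`, `BulkEditSerializer` and `BulkEditObjectsSerializer` (the latter two in the later hunks of this file) so that `user` and `full_perms` are popped before the DRF serializer constructor receives the kwargs. `self.user` also falls back to `None` without any signal when a caller omits the kwarg, so any permission check that reads `self.user` (none is visible in these hunks) should treat `None` as no access rather than skip the check. A docstring such as `"""Pops the user and full_perms kwargs; list first among the bases. self.user is None when no user was passed."""` would record both.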
@@ -815,6 +815,14 @@ class TestDocumentApi(DirectoriesMixin, DocumentConsumeDelayMixin, APITestCase):
 self.assertIsNone(overrides.document_type_id)
 self.assertIsNone(overrides.tag_ids)
+ def test_create_wrong_endpoint(self):
+ response = self.client.post(
+ "/api/documents/",
+ {},
+ )
+
+ self.assertEqual(response.status_code, status.HTTP_405_METHOD_NOT_ALLOWED)
+
 def test_upload_empty_metadata(self):
 self.consume_file_mock.return_value = celery.result.AsyncResult(
 id=str(uuid.uuid4()),
diff --git a/src/documents/views.py b/src/documents/views.py
index 3fcc54023..655108f05 100644
--- a/src/documents/views.py
+++ b/src/documents/views.py
@@ -55,7 +55,6 @@ from rest_framework.exceptions import NotFound
 from rest_framework.filters import OrderingFilter
 from rest_framework.filters import SearchFilter
 from rest_framework.generics import GenericAPIView
-from rest_framework.mixins import CreateModelMixin
 from rest_framework.mixins import DestroyModelMixin
 from rest_framework.mixins import ListModelMixin
 from rest_framework.mixins import RetrieveModelMixin
@@ -201,7 +200,7 @@ class IndexView(TemplateView):
 return context
-class PassUserMixin(CreateModelMixin):
+class PassUserMixin(GenericAPIView):
 """
 Pass a user object to serializer
 """
@@ -873,7 +872,7 @@ class SavedViewViewSet(ModelViewSet, PassUserMixin):
 serializer.save(owner=self.request.user)
-class BulkEditView(GenericAPIView, PassUserMixin):
+class BulkEditView(PassUserMixin):
 permission_classes = (IsAuthenticated,)
 serializer_class = BulkEditSerializer
 parser_classes = (parsers.JSONParser,)
@@ -1450,7 +1449,7 @@ def serve_file(doc: Document, use_archive: bool, disposition: str):
 return response
-class BulkEditObjectsView(GenericAPIView, PassUserMixin):
+class BulkEditObjectsView(PassUserMixin):
 permission_classes = (IsAuthenticated,)
 serializer_class = BulkEditObjectsSerializer
 parser_classes = (parsers.JSONParser,)
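Review bot: `test_create_wrong_endpoint` asserts only the status code, so it would still pass if some code path rejected the request after writing a row. Adding `self.assertEqual(Document.objects.count(), 0)` after the status assertion pins that the POST has no side effect; this assumes `Document` is imported in the test module, which the hunk does not show. A one-line docstring saying why `/api/documents/` must answer 405 would also make clear which regression the test guards against.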
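Review bot: `PassUserMixin` in views.py is now a full `GenericAPIView` subclass rather than a mixin, but its docstring still says only "Pass a user object to serializer", so the contract that follows from the change is not written down. Assuming the class body, which lies outside this hunk, injects `user` into the serializer kwargs, every `serializer_class` paired with it has to accept that kwarg; the serialisers.py part of this commit arranges this through `SerializerWithPerms` for `BulkEditSerializer` and `BulkEditObjectsSerializer`. I would extend the docstring to something like `Pass a user object to the serializer. Adds no create/update actions of its own; serializers used with it must accept a "user" kwarg.` The same base swap recurs in the `BulkEditView` and `BulkEditObjectsView` hunks.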
@@ -1582,7 +1581,7 @@ class CustomFieldViewSet(ModelViewSet):
 queryset = CustomField.objects.all().order_by("-created")
-class SystemStatusView(GenericAPIView, PassUserMixin):
+class SystemStatusView(PassUserMixin):
 permission_classes = (IsAuthenticated,)
 def get(self, request, format=None):
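Review bot: Nothing visible in this hunk gives `SystemStatusView` a `serializer_class`, so inheriting from `PassUserMixin`, whose stated job is to pass the user to a serializer, may add nothing here. If that holds for the rest of the class, `class SystemStatusView(GenericAPIView):` states the intent more directly. The body of `get` lies outside the hunk, so this needs confirming against the full class. Note also that `permission_classes = (IsAuthenticated,)` admits every logged-in user, so any staff-only restriction on status data has to be enforced inside `get`.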