Respect permissions on document view actions

2025-09-03 01:56:16 +00:00 · 2023-04-25 09:20:56 -07:00
parent 08ac40dd48
commit 1fb03a755f
3 changed files with 99 additions and 3 deletions
--- a/src/documents/permissions.py
+++ b/src/documents/permissions.py
@@ -9,6 +9,7 @@ from guardian.shortcuts import get_users_with_perms
 from guardian.shortcuts import remove_perm
 from rest_framework.permissions import BasePermission
 from rest_framework.permissions import DjangoObjectPermissions
+from guardian.core import ObjectPermissionChecker


 class PaperlessObjectPermissions(DjangoObjectPermissions):
@@ -114,3 +115,8 @@ def get_objects_for_user_owner_aware(user, perms, Model):
        accept_global_perms=False,
    )
    return objects_owned | objects_unowned | objects_with_perms
+
+
+def has_perms_owner_aware(user, perms, obj):
+    checker = ObjectPermissionChecker(user)
+    return obj.owner is None or obj.owner == user or checker.has_perm(perms, obj)