diff --git a/src/documents/permissions.py b/src/documents/permissions.py
index 5bf3b145d..86cc66c18 100644
--- a/src/documents/permissions.py
+++ b/src/documents/permissions.py
@@ -1,3 +1,4 @@
+from rest_framework.permissions import BasePermission
 from rest_framework.permissions import DjangoModelPermissions
@@ -11,3 +12,8 @@ class PaperlessModelPermissions(DjangoModelPermissions):
 "PATCH": ["%(app_label)s.change_%(model_name)s"],
 "DELETE": ["%(app_label)s.delete_%(model_name)s"],
 }
+
+
+class PaperlessAdminPermissions(BasePermission):
+ def has_permission(self, request, view):
+ return request.user.has_perm("admin.view_logentry")
diff --git a/src/documents/tests/test_api.py b/src/documents/tests/test_api.py
index af061fa7f..d70452fdd 100644
--- a/src/documents/tests/test_api.py
+++ b/src/documents/tests/test_api.py
@@ -20,6 +20,7 @@ except ImportError:
 import pytest
 from django.conf import settings
 from django.contrib.auth.models import Group
+from django.contrib.auth.models import Permission
 from django.contrib.auth.models import User
 from django.test import override_settings
 from django.utils import timezone
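Review bot: `PaperlessAdminPermissions` has no docstring, so a reader of the new class cannot tell why `admin.view_logentry` was chosen as the gate or what "admin" means for this API. Suggest a class docstring such as `"""Grant access only to users holding Django's ``admin.view_logentry`` permission; it serves as the marker for admin-level access to the log endpoint."""`. The check delegates entirely to `request.user.has_perm`, which under Django's default `ModelBackend` is false for anonymous and inactive users and true for active superusers, so no separate authentication check is needed inside the class. Setting a `message` attribute on the class (DRF's `BasePermission` supports it) would also make the resulting 403 body state which permission is missing instead of the generic denial text.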
@@ -2540,6 +2541,41 @@ class TestApiAuth(DirectoriesMixin, APITestCase):
 self.assertIn("X-Api-Version", response)
 self.assertIn("X-Version", response)
+ def test_api_insufficient_permissions(self):
+ user = User.objects.create_user(username="test")
+ self.client.force_authenticate(user)
+
+ d = Document.objects.create(title="Test")
+
+ self.assertEqual(self.client.get("/api/documents/").status_code, 403)
+
+ self.assertEqual(self.client.get(f"/api/documents/{d.id}/").status_code, 403)
+
+ self.assertEqual(self.client.get("/api/tags/").status_code, 403)
+ self.assertEqual(self.client.get("/api/correspondents/").status_code, 403)
+ self.assertEqual(self.client.get("/api/document_types/").status_code, 403)
+
+ self.assertEqual(self.client.get("/api/logs/").status_code, 403)
+ self.assertEqual(self.client.get("/api/saved_views/").status_code, 403)
+
+ def test_api_sufficient_permissions(self):
+ user = User.objects.create_user(username="test")
+ user.user_permissions.add(*Permission.objects.all())
+ self.client.force_authenticate(user)
+
+ d = Document.objects.create(title="Test")
+
+ self.assertEqual(self.client.get("/api/documents/").status_code, 200)
+
+ self.assertEqual(self.client.get(f"/api/documents/{d.id}/").status_code, 200)
+
+ self.assertEqual(self.client.get("/api/tags/").status_code, 200)
+ self.assertEqual(self.client.get("/api/correspondents/").status_code, 200)
+ self.assertEqual(self.client.get("/api/document_types/").status_code, 200)
+
+ self.assertEqual(self.client.get("/api/logs/").status_code, 200)
+ self.assertEqual(self.client.get("/api/saved_views/").status_code, 200)
+
 class TestApiRemoteVersion(DirectoriesMixin, APITestCase):
 ENDPOINT = "/api/remote_version/"
diff --git a/src/documents/views.py b/src/documents/views.py
index e7557eb7d..9ffc23693 100644
--- a/src/documents/views.py
+++ b/src/documents/views.py
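Review bot: The boundary that the new `PaperlessAdminPermissions` class actually draws is not tested: `test_api_insufficient_permissions` uses a user with no permissions at all, and `test_api_sufficient_permissions` grants `Permission.objects.all()`, which includes `admin.view_logentry` (presumably because `django.contrib.admin` is installed), so `/api/logs/` is only ever checked from both extremes. A user who holds every model permission but not `admin.view_logentry` should still get 403 from `/api/logs/` while keeping 200 on `/api/documents/`; that is the regression this commit introduces protection against, and a third test in `TestApiAuth` would pin it. The new methods are complete within the hunk, but `TestApiAuth` itself starts above it.

```python
    def test_api_logs_require_admin_permission(self):
        user = User.objects.create_user(username="test")
        user.user_permissions.add(*Permission.objects.exclude(codename="view_logentry"))
        self.client.force_authenticate(user)

        self.assertEqual(self.client.get("/api/documents/").status_code, 200)
        self.assertEqual(self.client.get("/api/logs/").status_code, 403)
```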
@@ -28,6 +28,7 @@ from django.utils.translation import get_language
 from django.views.decorators.cache import cache_control
 from django.views.generic import TemplateView
 from django_filters.rest_framework import DjangoFilterBackend
+from documents.permissions import PaperlessAdminPermissions
 from documents.permissions import PaperlessModelPermissions
 from documents.tasks import consume_file
 from packaging import version as packaging_version
@@ -523,7 +524,7 @@ class UnifiedSearchViewSet(DocumentViewSet):
 class LogViewSet(ViewSet):
- permission_classes = (IsAuthenticated,)
+ permission_classes = (IsAuthenticated, PaperlessAdminPermissions)
 log_files = ["paperless", "mail"]
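Review bot: The changed `permission_classes` line in `LogViewSet` is the only place in this diff that applies `PaperlessAdminPermissions`, and nothing at the call site records why the raw `paperless` and `mail` log files are held to a stricter bar than the model-permission-gated viewsets. A why-comment above the tuple, e.g. `# Log files are admin-only: access is gated on admin.view_logentry via PaperlessAdminPermissions`, would keep the intent next to the code instead of only in the permission class. Keeping `IsAuthenticated` alongside the new class is reasonable even though `has_perm` is already false for anonymous users, since it makes the authentication requirement explicit to readers. The rest of `LogViewSet` continues past the hunk.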