add api permissions test

src/documents/permissions.py

@@ -1,3 +1,4 @@
+from rest_framework.permissions import BasePermission
 from rest_framework.permissions import DjangoModelPermissions
 
 
@@ -11,3 +12,8 @@ class PaperlessModelPermissions(DjangoModelPermissions):
         "PATCH": ["%(app_label)s.change_%(model_name)s"],
         "DELETE": ["%(app_label)s.delete_%(model_name)s"],
     }
+
+
+class PaperlessAdminPermissions(BasePermission):
+    def has_permission(self, request, view):
+        return request.user.has_perm("admin.view_logentry")

src/documents/tests/test_api.py

@@ -20,6 +20,7 @@ except ImportError:
 import pytest
 from django.conf import settings
 from django.contrib.auth.models import Group
+from django.contrib.auth.models import Permission
 from django.contrib.auth.models import User
 from django.test import override_settings
 from django.utils import timezone
@@ -2540,6 +2541,41 @@ class TestApiAuth(DirectoriesMixin, APITestCase):
         self.assertIn("X-Api-Version", response)
         self.assertIn("X-Version", response)
 
+    def test_api_insufficient_permissions(self):
+        user = User.objects.create_user(username="test")
+        self.client.force_authenticate(user)
+
+        d = Document.objects.create(title="Test")
+
+        self.assertEqual(self.client.get("/api/documents/").status_code, 403)
+
+        self.assertEqual(self.client.get(f"/api/documents/{d.id}/").status_code, 403)
+
+        self.assertEqual(self.client.get("/api/tags/").status_code, 403)
+        self.assertEqual(self.client.get("/api/correspondents/").status_code, 403)
+        self.assertEqual(self.client.get("/api/document_types/").status_code, 403)
+
+        self.assertEqual(self.client.get("/api/logs/").status_code, 403)
+        self.assertEqual(self.client.get("/api/saved_views/").status_code, 403)
+
+    def test_api_sufficient_permissions(self):
+        user = User.objects.create_user(username="test")
+        user.user_permissions.add(*Permission.objects.all())
+        self.client.force_authenticate(user)
+
+        d = Document.objects.create(title="Test")
+
+        self.assertEqual(self.client.get("/api/documents/").status_code, 200)
+
+        self.assertEqual(self.client.get(f"/api/documents/{d.id}/").status_code, 200)
+
+        self.assertEqual(self.client.get("/api/tags/").status_code, 200)
+        self.assertEqual(self.client.get("/api/correspondents/").status_code, 200)
+        self.assertEqual(self.client.get("/api/document_types/").status_code, 200)
+
+        self.assertEqual(self.client.get("/api/logs/").status_code, 200)
+        self.assertEqual(self.client.get("/api/saved_views/").status_code, 200)
+
 
 class TestApiRemoteVersion(DirectoriesMixin, APITestCase):
     ENDPOINT = "/api/remote_version/"

src/documents/views.py

@@ -28,6 +28,7 @@ from django.utils.translation import get_language
 from django.views.decorators.cache import cache_control
 from django.views.generic import TemplateView
 from django_filters.rest_framework import DjangoFilterBackend
+from documents.permissions import PaperlessAdminPermissions
 from documents.permissions import PaperlessModelPermissions
 from documents.tasks import consume_file
 from packaging import version as packaging_version
@@ -523,7 +524,7 @@ class UnifiedSearchViewSet(DocumentViewSet):
 
 class LogViewSet(ViewSet):
 
-    permission_classes = (IsAuthenticated,)
+    permission_classes = (IsAuthenticated, PaperlessAdminPermissions)
 
     log_files = ["paperless", "mail"]