Fix: dont overwrite permissions with non-json patch requests

Update serialisers.py
2025-04-25 10:49:30 -05:00 · 2025-03-13 21:43:33 -07:00 · 2025-03-13 21:43:33 -07:00 · 2f02142651
commit 2f02142651
parent 7146a5f4fc
2 changed files with 51 additions and 1 deletions
--- a/src/documents/serialisers.py
+++ b/src/documents/serialisers.py
@ -226,7 +226,11 @@ class SerializerWithPerms(serializers.Serializer):
    },
 )
 class SetPermissionsSerializer(serializers.DictField):
-    pass
+    def validate_empty_values(self, data: dict | None):
+        if data is fields.empty or (data is not None and len(data) == 0):
+            # allow empty but skip the field to prevent overwriting permissions
+            raise fields.SkipField
+        return super().validate_empty_values(data)


 class OwnedObjectSerializer(
--- a/src/documents/tests/test_api_permissions.py
+++ b/src/documents/tests/test_api_permissions.py
@ -395,6 +395,52 @@ class TestApiAuth(DirectoriesMixin, APITestCase):
        self.assertTrue(checker.has_perm("view_document", doc))
        self.assertIn("view_document", get_perms(group1, doc))

+    def test_patch_doesnt_remove_permissions(self):
+        """
+        GIVEN:
+            - existing document with permissions set
+        WHEN:
+            - PATCH API request to update doc that is not json
+        THEN:
+            - Object permissions are not removed
+        """
+        doc = Document.objects.create(
+            title="test",
+            mime_type="application/pdf",
+            content="this is a document",
+        )
+        user1 = User.objects.create_superuser(username="user1")
+        user2 = User.objects.create(username="user2")
+        group1 = Group.objects.create(name="group1")
+        doc.owner = user1
+        doc.save()
+
+        assign_perm("view_document", user2, doc)
+        assign_perm("change_document", user2, doc)
+        assign_perm("view_document", group1, doc)
+        assign_perm("change_document", group1, doc)
+
+        self.client.force_authenticate(user1)
+
+        response = self.client.patch(
+            f"/api/documents/{doc.id}/",
+            {
+                "archive_serial_number": "123",
+            },
+        )
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        doc = Document.objects.get(pk=doc.id)
+
+        self.assertEqual(doc.owner, user1)
+        from guardian.core import ObjectPermissionChecker
+
+        checker = ObjectPermissionChecker(user2)
+        self.assertTrue(checker.has_perm("view_document", doc))
+        self.assertIn("view_document", get_perms(group1, doc))
+        self.assertTrue(checker.has_perm("change_document", doc))
+        self.assertIn("change_document", get_perms(group1, doc))
+
    def test_dynamic_permissions_fields(self):
        user1 = User.objects.create_user(username="user1")
        user1.user_permissions.add(*Permission.objects.filter(codename="view_document"))