Prevent non-owners from changing db models

src/documents/serialisers.py

@@ -1416,6 +1416,17 @@ class SavedViewSerializer(OwnedObjectSerializer):
         return attrs
 
     def update(self, instance, validated_data):
+        user = getattr(self, "user", None)
+        is_superuser = user.is_superuser if user is not None else False
+        is_owner = instance.owner == user if user is not None else False
+        is_unowned = instance.owner is None
+        if not (is_superuser or is_owner or is_unowned) and (
+            "show_on_dashboard" in validated_data or "show_in_sidebar" in validated_data
+        ):
+            raise PermissionDenied(
+                _("Insufficient permissions."),
+            )
+
         if "filter_rules" in validated_data:
             rules_data = validated_data.pop("filter_rules")
         else:

src/documents/tests/test_api_documents.py

@@ -2066,6 +2066,13 @@ class TestDocumentApi(DirectoriesMixin, DocumentConsumeDelayMixin, APITestCase):
             {"show_in_sidebar": True},
             format="json",
         )
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+
+        response = self.client.patch(
+            f"/api/saved_views/{v2.id}/",
+            {"sort_field": "added"},
+            format="json",
+        )
         self.assertEqual(response.status_code, status.HTTP_200_OK)
 
         response = self.client.patch(