Prevent non-owners from changing db models

2026-02-22 00:49:35 -06:00 · 2026-02-20 11:02:04 -08:00
parent ef723a5c93
commit 32ef2913b1
2 changed files with 18 additions and 0 deletions
--- a/src/documents/serialisers.py
+++ b/src/documents/serialisers.py
@@ -1416,6 +1416,17 @@ class SavedViewSerializer(OwnedObjectSerializer):
        return attrs

    def update(self, instance, validated_data):
+        user = getattr(self, "user", None)
+        is_superuser = user.is_superuser if user is not None else False
+        is_owner = instance.owner == user if user is not None else False
+        is_unowned = instance.owner is None
+        if not (is_superuser or is_owner or is_unowned) and (
+            "show_on_dashboard" in validated_data or "show_in_sidebar" in validated_data
+        ):
+            raise PermissionDenied(
+                _("Insufficient permissions."),
+            )
+
        if "filter_rules" in validated_data:
            rules_data = validated_data.pop("filter_rules")
        else:
--- a/src/documents/tests/test_api_documents.py
+++ b/src/documents/tests/test_api_documents.py
@@ -2066,6 +2066,13 @@ class TestDocumentApi(DirectoriesMixin, DocumentConsumeDelayMixin, APITestCase):
            {"show_in_sidebar": True},
            format="json",
        )
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+
+        response = self.client.patch(
+            f"/api/saved_views/{v2.id}/",
+            {"sort_field": "added"},
+            format="json",
+        )
        self.assertEqual(response.status_code, status.HTTP_200_OK)

        response = self.client.patch(