From 339a4db8933effdd4827503c8449bd2b0cf9d832 Mon Sep 17 00:00:00 2001
From: shamoon <4887959+shamoon@users.noreply.github.com>
Date: Mon, 8 Sep 2025 09:12:10 -0700
Subject: [PATCH] Update views.py
---
 src/documents/views.py | 32 ++++++++++++++++++++++++++++++--
 1 file changed, 30 insertions(+), 2 deletions(-)
diff --git a/src/documents/views.py b/src/documents/views.py
index 37c2170ce..20da3b789 100644
--- a/src/documents/views.py
+++ b/src/documents/views.py
@@ -871,8 +871,36 @@ class DocumentViewSet(
 )
 def preview(self, request, pk=None):
 try:
- response = self.file_response(pk, request, "inline")
- return response
+ request_doc = Document.objects.select_related("owner").get(id=pk)
+ head_doc = (
+ request_doc
+ if request_doc.head_version_id is None
+ else Document.objects.select_related("owner").get(
+ id=request_doc.head_version_id,
+ )
+ )
+ if request.user is not None and not has_perms_owner_aware(
+ request.user,
+ "view_document",
+ head_doc,
+ ):
+ return HttpResponseForbidden("Insufficient permissions")
+
+ if "version" in request.query_params:
+ file_doc = self._resolve_file_doc(head_doc, request)
+ else:
+ file_doc = (
+ self._resolve_file_doc(head_doc, request)
+ if request_doc.head_version_id is None
+ else request_doc
+ )
+
+ return serve_file(
+ doc=file_doc,
+ use_archive=not self.original_requested(request)
+ and file_doc.has_archive_version,
+ disposition="inline",
+ )
 except (FileNotFoundError, Document.DoesNotExist):
 raise Http404
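Review bot: The file that is served (`file_doc`) is not the object that was authorized (`head_doc`): `has_perms_owner_aware` runs against the head document, while `_resolve_file_doc(head_doc, request)` picks the file from the `version` query parameter, and its body is outside this hunk. That is sound only if `_resolve_file_doc` refuses any version whose head is not `head_doc`, so I would state that invariant in a comment above the `if "version" in request.query_params:` branch, e.g. `# file_doc must belong to head_doc; view permission was checked on head_doc only`, and confirm the helper enforces it. The guard `request.user is not None and not has_perms_owner_aware(...)` also skips the permission check entirely when `request.user` is None; `if request.user is None or not has_perms_owner_aware(request.user, "view_document", head_doc):` fails closed instead. The decorator that opens `preview` starts above the hunk.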