paradizelost/paperless-ngx
1
0
Fork 0
mirror of https://github.com/paperless-ngx/paperless-ngx.git synced 2025-04-25 10:49:30 -05:00
Code Issues Packages Projects Releases Wiki Activity

Add backend check for ws message ownership

Browse Source
This commit is contained in:
shamoon 2023-08-09 08:52:23 -07:00
parent 9291c98189
commit 3b666fef77
2 changed files with 13 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src-ui/src/app/services/consumer-status.service.ts
View File

@ -146,7 +146,7 @@ export class ConsumerStatusService {
this.statusWebSocket.onmessage = (ev) => {
let statusMessage: WebsocketConsumerStatusMessage = JSON.parse(ev['data'])
// tasks are async so we rely on checking user id
// fallback if backend didnt restrict message
if (
statusMessage.owner_id &&
statusMessage.owner_id !== this.settingsService.currentUser?.id &&

13
src/paperless/consumers.py
View File

@ -10,6 +10,16 @@ class StatusConsumer(WebsocketConsumer):
def _authenticated(self):
return "user" in self.scope and self.scope["user"].is_authenticated
def _is_owner_or_unowned(self, data):
return (
(
self.scope["user"].is_superuser
or self.scope["user"].id == data["owner_id"]
)
if "owner_id" in data and "user" in self.scope
else True
)
def connect(self):
if not self._authenticated():
raise DenyConnection
@ -30,4 +40,5 @@ class StatusConsumer(WebsocketConsumer):
if not self._authenticated():
self.close()
else:
self.send(json.dumps(event["data"]))
if self._is_owner_or_unowned(event["data"]):
self.send(json.dumps(event["data"]))