Add backend check for ws message ownership

src-ui/src/app/services/consumer-status.service.ts

@@ -146,7 +146,7 @@ export class ConsumerStatusService {
     this.statusWebSocket.onmessage = (ev) => {
       let statusMessage: WebsocketConsumerStatusMessage = JSON.parse(ev['data'])
 
-      // tasks are async so we rely on checking user id
+      // fallback if backend didnt restrict message
       if (
         statusMessage.owner_id &&
         statusMessage.owner_id !== this.settingsService.currentUser?.id &&

src/paperless/consumers.py

@@ -10,6 +10,16 @@ class StatusConsumer(WebsocketConsumer):
     def _authenticated(self):
         return "user" in self.scope and self.scope["user"].is_authenticated
 
+    def _is_owner_or_unowned(self, data):
+        return (
+            (
+                self.scope["user"].is_superuser
+                or self.scope["user"].id == data["owner_id"]
+            )
+            if "owner_id" in data and "user" in self.scope
+            else True
+        )
+
     def connect(self):
         if not self._authenticated():
             raise DenyConnection
@@ -30,4 +40,5 @@ class StatusConsumer(WebsocketConsumer):
         if not self._authenticated():
             self.close()
         else:
+            if self._is_owner_or_unowned(event["data"]):
                 self.send(json.dumps(event["data"]))