paradizelost/paperless-ngx
1
0
Fork 0
mirror of https://github.com/paperless-ngx/paperless-ngx.git synced 2025-08-10 00:18:57 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix: check permissions for all documents via bulk download (#8631)

Browse Source
This commit is contained in:
shamoon
2025-01-07 00:10:11 -08:00
committed by GitHub
parent 9181aebc8c
commit 485237caf1
2 changed files with 24 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
src/documents/views.py
View File

@@ -1584,10 +1584,15 @@ class BulkDownloadView(GenericAPIView):
serializer.is_valid(raise_exception=True)
ids = serializer.validated_data.get("documents")
documents = Document.objects.filter(pk__in=ids)
compression = serializer.validated_data.get("compression")
content = serializer.validated_data.get("content")
follow_filename_format = serializer.validated_data.get("follow_formatting")
for document in documents:
if not has_perms_owner_aware(request.user, "view_document", document):
return HttpResponseForbidden("Insufficient permissions")
settings.SCRATCH_DIR.mkdir(parents=True, exist_ok=True)
temp = tempfile.NamedTemporaryFile( # noqa: SIM115
dir=settings.SCRATCH_DIR,
@@ -1604,7 +1609,7 @@ class BulkDownloadView(GenericAPIView):
with zipfile.ZipFile(temp.name, "w", compression) as zipf:
strategy = strategy_class(zipf, follow_filename_format)
for document in Document.objects.filter(pk__in=ids):
for document in documents:
strategy.add_document(document)
# TODO(stumpylog): Investigate using FileResponse here