From 5fec76401808513955b42001872a80c9ba081c18 Mon Sep 17 00:00:00 2001
From: shamoon <4887959+shamoon@users.noreply.github.com>
Date: Thu, 9 May 2024 12:27:59 -0700
Subject: [PATCH] Fix: correctly respect superuser for document history (#6661)

---
 src/documents/tests/test_api_documents.py | 25 ++++++++++++++++++-----
 src/documents/views.py                    |  4 +++-
 2 files changed, 23 insertions(+), 6 deletions(-)

diff --git a/src/documents/tests/test_api_documents.py b/src/documents/tests/test_api_documents.py
index 9667a8bb2..65e10539a 100644
--- a/src/documents/tests/test_api_documents.py
+++ b/src/documents/tests/test_api_documents.py
@@ -423,16 +423,18 @@ class TestDocumentApi(DirectoriesMixin, DocumentConsumeDelayMixin, APITestCase):
     def test_document_history_insufficient_perms(self):
         """
         GIVEN:
-            - Audit log is disabled
+            - Audit log is enabled
         WHEN:
-            - Document is updated
-            - Audit log is requested
+            - History is requested without auditlog permissions
+            - Or is requested as superuser on document with another owner
         THEN:
-            - Audit log returns HTTP 400 Bad Request
+            - History endpoint returns HTTP 403 Forbidden
+            - History is returned
         """
+        # No auditlog permissions
         user = User.objects.create_user(username="test")
         user.user_permissions.add(*Permission.objects.filter(codename="view_document"))
-        self.client.force_login(user=user)
+        self.client.force_authenticate(user=user)
         doc = Document.objects.create(
             title="First title",
             checksum="123",
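Review bot: The rewritten THEN section of the docstring now lists two outcomes without tying them to the two WHEN cases, and the second one, "History is returned", does not name the status the test actually asserts. Since the test body checks `status.HTTP_200_OK` for the superuser case, the docstring would be clearer as `- History endpoint returns HTTP 403 Forbidden without auditlog permissions` and `- History endpoint returns HTTP 200 OK when requested as superuser`. The test method's body continues in the next hunk.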
@@ -443,6 +445,19 @@ class TestDocumentApi(DirectoriesMixin, DocumentConsumeDelayMixin, APITestCase):
         response = self.client.get(f"/api/documents/{doc.pk}/history/")
         self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
 
+        # superuser
+        user.is_superuser = True
+        user.save()
+        user2 = User.objects.create_user(username="test2")
+        doc2 = Document.objects.create(
+            title="Second title",
+            checksum="456",
+            mime_type="application/pdf",
+            owner=user2,
+        )
+        response = self.client.get(f"/api/documents/{doc2.pk}/history/")
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+
     def test_document_filters(self):
         doc1 = Document.objects.create(
             title="none1",
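Review bot: The new superuser case only exercises the permissive branch; nothing in the test pins down that a regular user holding `auditlog.view_logentry` is still refused the history of a document owned by someone else, which is the ownership rule the superuser clause in views.py is now bypassing. Without that negative case, a later edit that drops the owner comparison would leave this test green. A third user with both `view_document` and `view_logentry` permissions requesting `doc2`'s history and expecting 403 would cover it; using a fresh user avoids re-using the already-authenticated `user` object, whose permission set was computed during the first request. This would go after the `HTTP_200_OK` assertion, inside `test_document_history_insufficient_perms`.

```python
        self.assertEqual(response.status_code, status.HTTP_200_OK)

        # auditlog permission alone must not expose another user's document history
        user3 = User.objects.create_user(username="test3")
        user3.user_permissions.add(
            *Permission.objects.filter(codename__in=["view_document", "view_logentry"]),
        )
        self.client.force_authenticate(user=user3)
        response = self.client.get(f"/api/documents/{doc2.pk}/history/")
        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
```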
diff --git a/src/documents/views.py b/src/documents/views.py
index 6bdfaa1d5..806585e4a 100644
--- a/src/documents/views.py
+++ b/src/documents/views.py
@@ -767,7 +767,9 @@ class DocumentViewSet(
         try:
             doc = Document.objects.get(pk=pk)
             if not request.user.has_perm("auditlog.view_logentry") or (
-                doc.owner is not None and doc.owner != request.user
+                doc.owner is not None
+                and doc.owner != request.user
+                and not request.user.is_superuser
             ):
                 return HttpResponseForbidden(
                     "Insufficient permissions",
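Review bot: The access rule now combines three conditions inline with no comment explaining which one is the operative guard, and a reader has to work out that the `has_perm` half is already satisfied for an active superuser under Django's default backend, so the added `is_superuser` clause is what actually opens the path. A short comment above the `if` would make the intent reviewable, e.g. `# History is visible only with the auditlog permission, and for owned documents only to the owner or a superuser.` The `try` enclosing this check starts before the hunk, so the handling of a missing `pk` is not visible here; it is worth confirming that the not-found and forbidden paths do not differ in a way that is unintended.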