Fix: correctly respect superuser for document history (#6661)

2025-08-12 00:19:48 +00:00 · 2024-05-09 12:27:59 -07:00
parent 22c8d8ef2a
commit 5fec764018
2 changed files with 23 additions and 6 deletions
--- a/src/documents/views.py
+++ b/src/documents/views.py
@@ -767,7 +767,9 @@ class DocumentViewSet(
        try:
            doc = Document.objects.get(pk=pk)
            if not request.user.has_perm("auditlog.view_logentry") or (
-                doc.owner is not None and doc.owner != request.user
+                doc.owner is not None
+                and doc.owner != request.user
+                and not request.user.is_superuser
            ):
                return HttpResponseForbidden(
                    "Insufficient permissions",