paradizelost/paperless-ngx
1
0
Fork 0
mirror of https://github.com/paperless-ngx/paperless-ngx.git synced 2025-04-09 09:58:20 -05:00
Code Issues Packages Projects Releases Wiki Activity

Fix: correctly respect superuser for document history (#6661)

Browse Source
This commit is contained in:
shamoon 2024-05-09 12:27:59 -07:00 committed by GitHub
parent 22c8d8ef2a
commit 5fec764018
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 23 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
src/documents/tests/test_api_documents.py
View File

@ -423,16 +423,18 @@ class TestDocumentApi(DirectoriesMixin, DocumentConsumeDelayMixin, APITestCase):
def test_document_history_insufficient_perms(self): def test_document_history_insufficient_perms(self):
""" """
GIVEN: GIVEN:
- Audit log is disabled - Audit log is enabled
WHEN: WHEN:
- Document is updated - History is requested without auditlog permissions
- Audit log is requested - Or is requested as superuser on document with another owner
THEN: THEN:
- Audit log returns HTTP 400 Bad Request - History endpoint returns HTTP 403 Forbidden
- History is returned
""" """
# No auditlog permissions
user = User.objects.create_user(username="test") user = User.objects.create_user(username="test")
user.user_permissions.add(*Permission.objects.filter(codename="view_document")) user.user_permissions.add(*Permission.objects.filter(codename="view_document"))
self.client.force_login(user=user) self.client.force_authenticate(user=user)
doc = Document.objects.create( doc = Document.objects.create(
title="First title", title="First title",
checksum="123", checksum="123",
@ -443,6 +445,19 @@ class TestDocumentApi(DirectoriesMixin, DocumentConsumeDelayMixin, APITestCase):
response = self.client.get(f"/api/documents/{doc.pk}/history/") response = self.client.get(f"/api/documents/{doc.pk}/history/")
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
# superuser
user.is_superuser = True
user.save()
user2 = User.objects.create_user(username="test2")
doc2 = Document.objects.create(
title="Second title",
checksum="456",
mime_type="application/pdf",
owner=user2,
)
response = self.client.get(f"/api/documents/{doc2.pk}/history/")
self.assertEqual(response.status_code, status.HTTP_200_OK)
def test_document_filters(self): def test_document_filters(self):
doc1 = Document.objects.create( doc1 = Document.objects.create(
title="none1", title="none1",

4
src/documents/views.py
View File

@ -767,7 +767,9 @@ class DocumentViewSet(
try: try:
doc = Document.objects.get(pk=pk) doc = Document.objects.get(pk=pk)
if not request.user.has_perm("auditlog.view_logentry") or ( if not request.user.has_perm("auditlog.view_logentry") or (
doc.owner is not None and doc.owner != request.user doc.owner is not None
and doc.owner != request.user
and not request.user.is_superuser
): ):
return HttpResponseForbidden( return HttpResponseForbidden(
"Insufficient permissions", "Insufficient permissions",