Object-level permissions + filtering

2025-07-28 18:24:38 -05:00 · 2022-12-05 22:56:03 -08:00
parent 8e552eb688
commit 6f62f300dc
5 changed files with 52 additions and 20 deletions
--- a/src/paperless/settings.py
+++ b/src/paperless/settings.py
@@ -258,6 +258,11 @@ CHANNEL_LAYERS = {
 # Security                                                                    #
 ###############################################################################

+AUTHENTICATION_BACKENDS = [
+    "guardian.backends.ObjectPermissionBackend",
+    "django.contrib.auth.backends.ModelBackend",
+]
+
 AUTO_LOGIN_USERNAME = os.getenv("PAPERLESS_AUTO_LOGIN_USERNAME")

 if AUTO_LOGIN_USERNAME:
@@ -274,11 +279,7 @@ HTTP_REMOTE_USER_HEADER_NAME = os.getenv(

 if ENABLE_HTTP_REMOTE_USER:
    MIDDLEWARE.append("paperless.auth.HttpRemoteUserMiddleware")
-    AUTHENTICATION_BACKENDS = [
-        "django.contrib.auth.backends.RemoteUserBackend",
-        "django.contrib.auth.backends.ModelBackend",
-        "guardian.backends.ObjectPermissionBackend",
-    ]
+    AUTHENTICATION_BACKENDS.insert(0, "django.contrib.auth.backends.RemoteUserBackend")
    REST_FRAMEWORK["DEFAULT_AUTHENTICATION_CLASSES"].append(
        "rest_framework.authentication.RemoteUserAuthentication",
    )
--- a/src/paperless/views.py
+++ b/src/paperless/views.py
@@ -6,7 +6,7 @@ from django.db.models.functions import Lower
 from django.http import HttpResponse
 from django.views.generic import View
 from django_filters.rest_framework import DjangoFilterBackend
-from documents.permissions import PaperlessModelPermissions
+from documents.permissions import PaperlessObjectPermissions
 from paperless.filters import GroupFilterSet
 from paperless.filters import UserFilterSet
 from paperless.serialisers import GroupSerializer
@@ -43,7 +43,7 @@ class UserViewSet(ModelViewSet):

    serializer_class = UserSerializer
    pagination_class = StandardPagination
-    permission_classes = (IsAuthenticated, PaperlessModelPermissions)
+    permission_classes = (IsAuthenticated, PaperlessObjectPermissions)
    filter_backends = (DjangoFilterBackend, OrderingFilter)
    filterset_class = UserFilterSet
    ordering_fields = ("username",)
@@ -56,7 +56,7 @@ class GroupViewSet(ModelViewSet):

    serializer_class = GroupSerializer
    pagination_class = StandardPagination
-    permission_classes = (IsAuthenticated, PaperlessModelPermissions)
+    permission_classes = (IsAuthenticated, PaperlessObjectPermissions)
    filter_backends = (DjangoFilterBackend, OrderingFilter)
    filterset_class = GroupFilterSet
    ordering_fields = ("name",)