From 70eb22df428eea8f59c3229b912a6920c5602cb5 Mon Sep 17 00:00:00 2001
From: Michael Shamoon <4887959+shamoon@users.noreply.github.com>
Date: Mon, 14 Nov 2022 01:32:50 -0800
Subject: [PATCH] Add Django model permissions to API endpoints
---
 src/documents/permissions.py | 13 +++++++++++++
 src/documents/views.py | 13 +++++++------
 src/paperless/views.py | 5 +++--
 3 files changed, 23 insertions(+), 8 deletions(-)
 create mode 100644 src/documents/permissions.py
diff --git a/src/documents/permissions.py b/src/documents/permissions.py
new file mode 100644
index 000000000..5bf3b145d
--- /dev/null
+++ b/src/documents/permissions.py
@@ -0,0 +1,13 @@
+from rest_framework.permissions import DjangoModelPermissions
+
+
+class PaperlessModelPermissions(DjangoModelPermissions):
+ perms_map = {
+ "GET": ["%(app_label)s.view_%(model_name)s"],
+ "OPTIONS": [],
+ "HEAD": [],
+ "POST": ["%(app_label)s.add_%(model_name)s"],
+ "PUT": ["%(app_label)s.change_%(model_name)s"],
+ "PATCH": ["%(app_label)s.change_%(model_name)s"],
+ "DELETE": ["%(app_label)s.delete_%(model_name)s"],
+ }
diff --git a/src/documents/views.py b/src/documents/views.py
index dd960cbcf..e7557eb7d 100644
--- a/src/documents/views.py
+++ b/src/documents/views.py
@@ -28,6 +28,7 @@ from django.utils.translation import get_language
 from django.views.decorators.cache import cache_control
 from django.views.generic import TemplateView
 from django_filters.rest_framework import DjangoFilterBackend
+from documents.permissions import PaperlessModelPermissions
 from documents.tasks import consume_file
 from packaging import version as packaging_version
 from paperless import version
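Review bot: In the new `perms_map` in src/documents/permissions.py, `"HEAD": []` leaves HEAD requests without any required model permission, while DRF viewsets route HEAD to the GET handler when no separate head handler is defined, so a HEAD request from a user lacking the view permission would still run the list or retrieve code and return its status and headers. I would require the same permission as GET: `"HEAD": ["%(app_label)s.view_%(model_name)s"],`. The class also has no docstring; a one-line one stating that, unlike the stock `DjangoModelPermissions`, GET requires the model's view permission would explain why the map is overridden.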
@@ -144,7 +145,7 @@ class CorrespondentViewSet(ModelViewSet):
 serializer_class = CorrespondentSerializer
 pagination_class = StandardPagination
- permission_classes = (IsAuthenticated,)
+ permission_classes = (IsAuthenticated, PaperlessModelPermissions)
 filter_backends = (DjangoFilterBackend, OrderingFilter)
 filterset_class = CorrespondentFilterSet
 ordering_fields = (
@@ -170,7 +171,7 @@ class TagViewSet(ModelViewSet):
 return TagSerializer
 pagination_class = StandardPagination
- permission_classes = (IsAuthenticated,)
+ permission_classes = (IsAuthenticated, PaperlessModelPermissions)
 filter_backends = (DjangoFilterBackend, OrderingFilter)
 filterset_class = TagFilterSet
 ordering_fields = ("name", "matching_algorithm", "match", "document_count")
@@ -185,7 +186,7 @@ class DocumentTypeViewSet(ModelViewSet):
 serializer_class = DocumentTypeSerializer
 pagination_class = StandardPagination
- permission_classes = (IsAuthenticated,)
+ permission_classes = (IsAuthenticated, PaperlessModelPermissions)
 filter_backends = (DjangoFilterBackend, OrderingFilter)
 filterset_class = DocumentTypeFilterSet
 ordering_fields = ("name", "matching_algorithm", "match", "document_count")
@@ -202,7 +203,7 @@ class DocumentViewSet(
 queryset = Document.objects.all()
 serializer_class = DocumentSerializer
 pagination_class = StandardPagination
- permission_classes = (IsAuthenticated,)
+ permission_classes = (IsAuthenticated, PaperlessModelPermissions)
 filter_backends = (DjangoFilterBackend, SearchFilter, OrderingFilter)
 filterset_class = DocumentFilterSet
 search_fields = ("title", "correspondent__name", "content")
@@ -550,7 +551,7 @@ class SavedViewViewSet(ModelViewSet):
 queryset = SavedView.objects.all()
 serializer_class = SavedViewSerializer
 pagination_class = StandardPagination
- permission_classes = (IsAuthenticated,)
+ permission_classes = (IsAuthenticated, PaperlessModelPermissions)
 def get_queryset(self):
 user = self.request.user
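Review bot: Adding `PaperlessModelPermissions` to `permission_classes` in CorrespondentViewSet (and identically in the TagViewSet, DocumentTypeViewSet, DocumentViewSet, SavedViewViewSet and StoragePathViewSet hunks) will return 403 to every existing non-superuser account that has not been granted the matching view/add/change/delete permissions, on endpoints that previously worked for them. The diffstat lists no data migration that grants permissions to existing users and no test files, so both appear to be missing from this commit; at minimum I would add API tests asserting 403 without and success with each permission. As a style point, `IsAuthenticated` is now redundant because `DjangoModelPermissions` already rejects unauthenticated requests by default, though keeping it explicit is harmless. Each class body continues outside its hunk.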
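Review bot: On DocumentViewSet the added class enforces model-level permissions only; `DjangoModelPermissions` performs no per-object check, and with `queryset = Document.objects.all()` in the context lines any account holding `view_document` can read every document. If per-owner or per-document access is intended, it needs queryset filtering or an object-permission class as well; if not, a comment above `permission_classes` such as `# model-level only: no per-document access control` would make the limit explicit. `DjangoModelPermissions` also needs a queryset to resolve the model, so any plain APIView endpoints elsewhere in views.py (none are visible in this diff) are presumably still guarded by `IsAuthenticated` alone and should be checked. The class body starts and ends outside the hunk.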
@@ -826,7 +827,7 @@ class StoragePathViewSet(ModelViewSet):
 serializer_class = StoragePathSerializer
 pagination_class = StandardPagination
- permission_classes = (IsAuthenticated,)
+ permission_classes = (IsAuthenticated, PaperlessModelPermissions)
 filter_backends = (DjangoFilterBackend, OrderingFilter)
 filterset_class = StoragePathFilterSet
 ordering_fields = ("name", "path", "matching_algorithm", "match", "document_count")
diff --git a/src/paperless/views.py b/src/paperless/views.py
index f116385ba..431bbfd81 100644
--- a/src/paperless/views.py
+++ b/src/paperless/views.py
@@ -6,6 +6,7 @@ from django.db.models.functions import Lower
 from django.http import HttpResponse
 from django.views.generic import View
 from django_filters.rest_framework import DjangoFilterBackend
+from documents.permissions import PaperlessModelPermissions
 from paperless.filters import GroupFilterSet
 from paperless.filters import UserFilterSet
 from paperless.serialisers import GroupSerializer
@@ -42,7 +43,7 @@ class UserViewSet(ModelViewSet):
 serializer_class = UserSerializer
 pagination_class = StandardPagination
- permission_classes = (IsAuthenticated,)
+ permission_classes = (IsAuthenticated, PaperlessModelPermissions)
 filter_backends = (DjangoFilterBackend, OrderingFilter)
 filterset_class = UserFilterSet
 ordering_fields = ("username",)
@@ -55,7 +56,7 @@ class GroupViewSet(ModelViewSet):
 serializer_class = GroupSerializer
 pagination_class = StandardPagination
- permission_classes = (IsAuthenticated,)
+ permission_classes = (IsAuthenticated, PaperlessModelPermissions)
 filter_backends = (DjangoFilterBackend, OrderingFilter)
 filterset_class = GroupFilterSet
 ordering_fields = ("name",)
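Review bot: For UserViewSet (and the GroupViewSet hunk after it), gating writes on the `change_user` / `change_group` model permission alone may not be sufficient: the serializers are not shown here, but if `UserSerializer` accepts fields such as `is_superuser`, `user_permissions` or `groups`, anyone granted `change_user` can raise their own or another account's privileges, which makes that permission equivalent to full admin. I would either make those fields read-only for non-superusers in the serializer or document the equivalence next to `permission_classes`, e.g. `# change_user can edit privileges: treat as admin-equivalent`. A test asserting that a non-superuser holding `change_user` cannot set `is_superuser` would pin the behaviour down. Both class bodies continue outside their hunks.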