Fix: enforce object permissions for app config (#5516)

2025-04-25 10:49:30 -05:00 · 2024-01-23 12:23:15 -08:00 · 2024-01-23 12:23:15 -08:00 · 88ae60a4a0
commit 88ae60a4a0
parent 6651c80fb9
5 changed files with 10 additions and 4 deletions
--- a/src-ui/src/app/app-routing.module.ts
+++ b/src-ui/src/app/app-routing.module.ts
@ -186,8 +186,8 @@ export const routes: Routes = [
        canActivate: [PermissionsGuard],
        data: {
          requiredPermission: {
-            action: PermissionAction.View,
-            type: PermissionType.Admin,
+            action: PermissionAction.Change,
+            type: PermissionType.AppConfig,
          },
        },
      },
--- a/src-ui/src/app/components/app-frame/app-frame.component.html
+++ b/src-ui/src/app/components/app-frame/app-frame.component.html
@ -235,7 +235,7 @@
              <i-bs class="me-1" name="gear"></i-bs><span>&nbsp;<ng-container i18n>Settings</ng-container></span>
            </a>
          </li>
-          <li class="nav-item" *pngxIfPermissions="{ action: PermissionAction.View, type: PermissionType.Admin }">
+          <li class="nav-item" *pngxIfPermissions="{ action: PermissionAction.Change, type: PermissionType.AppConfig }">
            <a class="nav-link" routerLink="config" routerLinkActive="active" (click)="closeMenu()"
              ngbPopover="Configuration" i18n-ngbPopover [disablePopover]="!slimSidebarEnabled" placement="end"
              container="body" triggers="mouseenter:mouseleave" popoverClass="popover-slim">
--- a/src-ui/src/app/services/permissions.service.spec.ts
+++ b/src-ui/src/app/services/permissions.service.spec.ts
@ -260,6 +260,10 @@ describe('PermissionsService', () => {
        'view_customfield',
        'change_customfield',
        'delete_customfield',
+        'add_applicationconfiguration',
+        'change_applicationconfiguration',
+        'delete_applicationconfiguration',
+        'view_applicationconfiguration',
      ],
      {
        username: 'testuser',
--- a/src-ui/src/app/services/permissions.service.ts
+++ b/src-ui/src/app/services/permissions.service.ts
@ -17,6 +17,7 @@ export enum PermissionType {
  StoragePath = '%s_storagepath',
  SavedView = '%s_savedview',
  PaperlessTask = '%s_paperlesstask',
+  AppConfig = '%s_applicationconfiguration',
  UISettings = '%s_uisettings',
  Note = '%s_note',
  MailAccount = '%s_mailaccount',
--- a/src/paperless/views.py
+++ b/src/paperless/views.py
@ -11,6 +11,7 @@ from rest_framework.authtoken.models import Token
 from rest_framework.filters import OrderingFilter
 from rest_framework.generics import GenericAPIView
 from rest_framework.pagination import PageNumberPagination
+from rest_framework.permissions import DjangoObjectPermissions
 from rest_framework.permissions import IsAuthenticated
 from rest_framework.response import Response
 from rest_framework.viewsets import ModelViewSet
@ -166,4 +167,4 @@ class ApplicationConfigurationViewSet(ModelViewSet):
    queryset = ApplicationConfiguration.objects

    serializer_class = ApplicationConfigurationSerializer
-    permission_classes = (IsAuthenticated,)
+    permission_classes = (IsAuthenticated, DjangoObjectPermissions)