mirror of
https://github.com/paperless-ngx/paperless-ngx.git
synced 2025-04-02 13:45:10 -05:00
Fix: enforce object permissions for app config (#5516)
parent
6651c80fb9
commit
88ae60a4a0
@ -186,8 +186,8 @@ export const routes: Routes = [
|
||||
canActivate: [PermissionsGuard],
|
||||
data: {
|
||||
requiredPermission: {
|
||||
action: PermissionAction.View,
|
||||
type: PermissionType.Admin,
|
||||
action: PermissionAction.Change,
|
||||
type: PermissionType.AppConfig,
|
||||
},
|
||||
},
|
||||
},
|
||||
|
@ -235,7 +235,7 @@
|
||||
<i-bs class="me-1" name="gear"></i-bs><span> <ng-container i18n>Settings</ng-container></span>
|
||||
</a>
|
||||
</li>
|
||||
<li class="nav-item" *pngxIfPermissions="{ action: PermissionAction.View, type: PermissionType.Admin }">
|
||||
<li class="nav-item" *pngxIfPermissions="{ action: PermissionAction.Change, type: PermissionType.AppConfig }">
|
||||
<a class="nav-link" routerLink="config" routerLinkActive="active" (click)="closeMenu()"
|
||||
ngbPopover="Configuration" i18n-ngbPopover [disablePopover]="!slimSidebarEnabled" placement="end"
|
||||
container="body" triggers="mouseenter:mouseleave" popoverClass="popover-slim">
|
||||
|
@ -260,6 +260,10 @@ describe('PermissionsService', () => {
|
||||
'view_customfield',
|
||||
'change_customfield',
|
||||
'delete_customfield',
|
||||
'add_applicationconfiguration',
|
||||
'change_applicationconfiguration',
|
||||
'delete_applicationconfiguration',
|
||||
'view_applicationconfiguration',
|
||||
],
|
||||
{
|
||||
username: 'testuser',
|
||||
|
@ -17,6 +17,7 @@ export enum PermissionType {
|
||||
StoragePath = '%s_storagepath',
|
||||
SavedView = '%s_savedview',
|
||||
PaperlessTask = '%s_paperlesstask',
|
||||
AppConfig = '%s_applicationconfiguration',
|
||||
UISettings = '%s_uisettings',
|
||||
Note = '%s_note',
|
||||
MailAccount = '%s_mailaccount',
|
||||
|
@ -11,6 +11,7 @@ from rest_framework.authtoken.models import Token
|
||||
from rest_framework.filters import OrderingFilter
|
||||
from rest_framework.generics import GenericAPIView
|
||||
from rest_framework.pagination import PageNumberPagination
|
||||
from rest_framework.permissions import DjangoObjectPermissions
|
||||
from rest_framework.permissions import IsAuthenticated
|
||||
from rest_framework.response import Response
|
||||
from rest_framework.viewsets import ModelViewSet
|
||||
@ -166,4 +167,4 @@ class ApplicationConfigurationViewSet(ModelViewSet):
|
||||
queryset = ApplicationConfiguration.objects
|
||||
|
||||
serializer_class = ApplicationConfigurationSerializer
|
||||
permission_classes = (IsAuthenticated,)
|
||||
permission_classes = (IsAuthenticated, DjangoObjectPermissions)
|
||||
|
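Review bot: Adding `DjangoObjectPermissions` to `permission_classes` still leaves reads of the application configuration open to every authenticated user, because DRF's default `perms_map` requires no permission for `GET`, `HEAD` and `OPTIONS`. The UI now hides the config page behind `Change` on `AppConfig`, but a direct API request for the list or detail would still succeed, so if `view_applicationconfiguration` is meant to gate reads the viewset needs a permission class whose `perms_map` maps the safe methods to the view permission (the project may already have one elsewhere; none is visible here). The object-level check for write methods also depends on the configured auth backends, so a test with a non-superuser holding only the model-level change permission would confirm it behaves as intended. `ApplicationConfigurationViewSet` starts above the hunk; the class name in the sketch below is constructed.

```python
class AppConfigPermissions(DjangoObjectPermissions):
    # Require the model's view permission for read requests as well;
    # DRF's default map leaves GET/HEAD unrestricted.
    perms_map = {
        **DjangoObjectPermissions.perms_map,
        "GET": ["%(app_label)s.view_%(model_name)s"],
        "HEAD": ["%(app_label)s.view_%(model_name)s"],
    }

# … unchanged: ApplicationConfigurationViewSet header, queryset, serializer_class …
    permission_classes = (IsAuthenticated, AppConfigPermissions)
```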