Fix: enforce object permissions for app config (#5516)

shamoon 2024-01-23 12:23:15 -08:00 committed by GitHub
parent 6651c80fb9
commit 88ae60a4a0
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
5 changed files with 10 additions and 4 deletions


@ -186,8 +186,8 @@ export const routes: Routes = [
canActivate: [PermissionsGuard],
data: {
requiredPermission: {
action: PermissionAction.View,
type: PermissionType.Admin,
action: PermissionAction.Change,
type: PermissionType.AppConfig,
},
},
},
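Review bot: The route guard now requires `PermissionAction.Change` on `PermissionType.AppConfig`, so a user who holds only `view_applicationconfiguration` cannot open the configuration page even read-only; the nav item's `*pngxIfPermissions` in the template section has the same requirement. If an edit-only page is intended, a short comment on the route would record that, e.g. `// config page is edit-only: require change, not view`. The guard and the directive only hide UI, so the authoritative check remains the server-side permission class on the API. The route object starts outside this hunk.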


@ -235,7 +235,7 @@
<i-bs class="me-1" name="gear"></i-bs><span>&nbsp;<ng-container i18n>Settings</ng-container></span>
</a>
</li>
<li class="nav-item" *pngxIfPermissions="{ action: PermissionAction.View, type: PermissionType.Admin }">
<li class="nav-item" *pngxIfPermissions="{ action: PermissionAction.Change, type: PermissionType.AppConfig }">
<a class="nav-link" routerLink="config" routerLinkActive="active" (click)="closeMenu()"
ngbPopover="Configuration" i18n-ngbPopover [disablePopover]="!slimSidebarEnabled" placement="end"
container="body" triggers="mouseenter:mouseleave" popoverClass="popover-slim">


@ -260,6 +260,10 @@ describe('PermissionsService', () => {
'view_customfield',
'change_customfield',
'delete_customfield',
'add_applicationconfiguration',
'change_applicationconfiguration',
'delete_applicationconfiguration',
'view_applicationconfiguration',
],
{
username: 'testuser',


@ -17,6 +17,7 @@ export enum PermissionType {
StoragePath = '%s_storagepath',
SavedView = '%s_savedview',
PaperlessTask = '%s_paperlesstask',
AppConfig = '%s_applicationconfiguration',
UISettings = '%s_uisettings',
Note = '%s_note',
MailAccount = '%s_mailaccount',


@ -11,6 +11,7 @@ from rest_framework.authtoken.models import Token
from rest_framework.filters import OrderingFilter
from rest_framework.generics import GenericAPIView
from rest_framework.pagination import PageNumberPagination
from rest_framework.permissions import DjangoObjectPermissions
from rest_framework.permissions import IsAuthenticated
from rest_framework.response import Response
from rest_framework.viewsets import ModelViewSet
@ -166,4 +167,4 @@ class ApplicationConfigurationViewSet(ModelViewSet):
queryset = ApplicationConfiguration.objects
serializer_class = ApplicationConfigurationSerializer
permission_classes = (IsAuthenticated,)
permission_classes = (IsAuthenticated, DjangoObjectPermissions)
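Review bot: Stock `DjangoObjectPermissions` leaves `GET`, `HEAD` and `OPTIONS` unmapped in its `perms_map`, so the new `permission_classes` on `ApplicationConfigurationViewSet` restricts writes but still lets any authenticated user read the application configuration. If reads are meant to require `view_applicationconfiguration`, a subclass with a stricter `perms_map` is needed, unless the project already has such a class, which is not visible here. Object-level checks also depend on an object-permission backend being configured, which this page does not show. The commit adds only a frontend test fixture, so an API test asserting 403 for a user without the change permission would pin the fix.

```python
# suggested name; reuse an existing project permission class if one exists
class AppConfigObjectPermissions(DjangoObjectPermissions):
    perms_map = {
        **DjangoObjectPermissions.perms_map,
        "GET": ["%(app_label)s.view_%(model_name)s"],
        "HEAD": ["%(app_label)s.view_%(model_name)s"],
    }


class ApplicationConfigurationViewSet(ModelViewSet):
    # … unchanged: queryset, serializer_class …
    permission_classes = (IsAuthenticated, AppConfigObjectPermissions)
```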