From 88ae60a4a0f62c1de14ac1675d7a211d9148bd90 Mon Sep 17 00:00:00 2001
From: shamoon <4887959+shamoon@users.noreply.github.com>
Date: Tue, 23 Jan 2024 12:23:15 -0800
Subject: [PATCH] Fix: enforce object permissions for app config (#5516)
---
src-ui/src/app/app-routing.module.ts | 4 ++--
src-ui/src/app/components/app-frame/app-frame.component.html | 2 +-
src-ui/src/app/services/permissions.service.spec.ts | 4 ++++
src-ui/src/app/services/permissions.service.ts | 1 +
src/paperless/views.py | 3 ++-
5 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/src-ui/src/app/app-routing.module.ts b/src-ui/src/app/app-routing.module.ts
index 6da2cd253..160e3bb97 100644
--- a/src-ui/src/app/app-routing.module.ts
+++ b/src-ui/src/app/app-routing.module.ts
@@ -186,8 +186,8 @@ export const routes: Routes = [
canActivate: [PermissionsGuard],
data: {
requiredPermission: {
- action: PermissionAction.View,
- type: PermissionType.Admin,
+ action: PermissionAction.Change,
+ type: PermissionType.AppConfig,
},
},
},
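Review bot: The guard on this route now asks for `PermissionAction.Change` on `PermissionType.AppConfig` (L22–L23), so a user holding only `view_applicationconfiguration` is redirected away client-side even though the API may still answer a GET for the same data; whether view-only access to this page is meant to exist should be settled and recorded, e.g. `// Change, not View: this page is an editor; read access is still decided server-side`. The client guard is a navigation convenience rather than the security boundary, so the bar chosen here should mirror what src/paperless/views.py actually enforces. The enclosing `routes` array starts before this hunk.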
diff --git a/src-ui/src/app/components/app-frame/app-frame.component.html b/src-ui/src/app/components/app-frame/app-frame.component.html
index f07266589..3dec0f691 100644
--- a/src-ui/src/app/components/app-frame/app-frame.component.html
+++ b/src-ui/src/app/components/app-frame/app-frame.component.html
@@ -235,7 +235,7 @@
Settings
-
+
diff --git a/src-ui/src/app/services/permissions.service.spec.ts b/src-ui/src/app/services/permissions.service.spec.ts
index a4fe4e463..61e7c9978 100644
--- a/src-ui/src/app/services/permissions.service.spec.ts
+++ b/src-ui/src/app/services/permissions.service.spec.ts
@@ -260,6 +260,10 @@ describe('PermissionsService', () => {
'view_customfield',
'change_customfield',
'delete_customfield',
+ 'add_applicationconfiguration',
+ 'change_applicationconfiguration',
+ 'delete_applicationconfiguration',
+ 'view_applicationconfiguration',
],
{
username: 'testuser',
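Review bot: The fixture at L43–L46 grants the test user all four applicationconfiguration permissions, yet nothing in this hunk asserts on `PermissionType.AppConfig`, so the new enum member is exercised only indirectly, if at all (the surrounding `describe` body lies outside this hunk). A positive check of `PermissionAction.Change` on `PermissionType.AppConfig` for this user, plus a negative check for a user lacking `change_applicationconfiguration`, would pin the behaviour the route guard in app-routing.module.ts now depends on.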
diff --git a/src-ui/src/app/services/permissions.service.ts b/src-ui/src/app/services/permissions.service.ts
index d36af73e4..29b0c1a22 100644
--- a/src-ui/src/app/services/permissions.service.ts
+++ b/src-ui/src/app/services/permissions.service.ts
@@ -17,6 +17,7 @@ export enum PermissionType {
StoragePath = '%s_storagepath',
SavedView = '%s_savedview',
PaperlessTask = '%s_paperlesstask',
+ AppConfig = '%s_applicationconfiguration',
UISettings = '%s_uisettings',
Note = '%s_note',
MailAccount = '%s_mailaccount',
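Review bot: `AppConfig` (L58) is the one member whose name does not echo its model codename (`applicationconfiguration`), so someone grepping for the Django model will not land here; a trailing comment such as `AppConfig = '%s_applicationconfiguration', // ApplicationConfiguration model` keeps the mapping discoverable. The `%s` placeholder is presumably substituted with the action verb, matching the `change_applicationconfiguration` strings added in permissions.service.spec.ts — confirm that is how this enum is consumed. The `PermissionType` enum starts before this hunk.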
diff --git a/src/paperless/views.py b/src/paperless/views.py
index 73b383a6f..0f417b9ab 100644
--- a/src/paperless/views.py
+++ b/src/paperless/views.py
@@ -11,6 +11,7 @@ from rest_framework.authtoken.models import Token
from rest_framework.filters import OrderingFilter
from rest_framework.generics import GenericAPIView
from rest_framework.pagination import PageNumberPagination
+from rest_framework.permissions import DjangoObjectPermissions
from rest_framework.permissions import IsAuthenticated
from rest_framework.response import Response
from rest_framework.viewsets import ModelViewSet
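Review bot: `DjangoObjectPermissions`, imported at L70 and applied to `ApplicationConfigurationViewSet` in the following hunk (whose last line is outside this chunk), does not guard reads: DRF's default `perms_map` maps GET, HEAD and OPTIONS to an empty permission list, and `has_object_permission` is never consulted for list responses, so any authenticated user can still retrieve the configuration. Since the UI route in app-routing.module.ts now demands Change, that asymmetry looks unintended rather than deliberate — worth confirming. The class also presumes an authentication backend that answers object-level `has_perm` queries; with only `ModelBackend`, `has_perms(perms, obj)` is false for every non-superuser and all writes would be refused. If read access should follow `view_applicationconfiguration`, subclass the permission and override `perms_map` for the safe methods, then reference the subclass from `permission_classes`:
```python
class ApplicationConfigurationObjectPermissions(DjangoObjectPermissions):
    """Object permissions that also require view_* for read requests."""

    perms_map = {
        **DjangoObjectPermissions.perms_map,
        "GET": ["%(app_label)s.view_%(model_name)s"],
        "HEAD": ["%(app_label)s.view_%(model_name)s"],
        "OPTIONS": ["%(app_label)s.view_%(model_name)s"],
    }

# … unchanged: ApplicationConfigurationViewSet, with
# permission_classes = (IsAuthenticated, ApplicationConfigurationObjectPermissions)
```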
@@ -166,4 +167,4 @@ class ApplicationConfigurationViewSet(ModelViewSet):
queryset = ApplicationConfiguration.objects
serializer_class = ApplicationConfigurationSerializer
- permission_classes = (IsAuthenticated,)
+ permission_classes = (IsAuthenticated, DjangoObjectPermissions)