paradizelost/paperless-ngx
1
0
Fork 0
mirror of https://github.com/paperless-ngx/paperless-ngx.git synced 2025-08-12 00:19:48 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fixhancement: check more permissions for status consumer messages (#9804)

Browse Source
This commit is contained in:
shamoon
2025-04-26 23:31:04 -07:00
committed by GitHub
parent 0cefdc8475
commit a3b85c64ca
6 changed files with 125 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
src/paperless/consumers.py
View File

@@ -10,14 +10,18 @@ class StatusConsumer(WebsocketConsumer):
def _authenticated(self):
return "user" in self.scope and self.scope["user"].is_authenticated
def _is_owner_or_unowned(self, data):
def _can_view(self, data):
user = self.scope.get("user") if self.scope.get("user") else None
owner_id = data.get("owner_id")
users_can_view = data.get("users_can_view", [])
groups_can_view = data.get("groups_can_view", [])
return (
(
self.scope["user"].is_superuser
or self.scope["user"].id == data["owner_id"]
user.is_superuser
or user.id == owner_id
or user.id in users_can_view
or any(
user.groups.filter(pk=group_id).exists() for group_id in groups_can_view
)
if "owner_id" in data and "user" in self.scope
else True
)
def connect(self):
@@ -40,7 +44,7 @@ class StatusConsumer(WebsocketConsumer):
if not self._authenticated():
self.close()
else:
if self._is_owner_or_unowned(event["data"]):
if self._can_view(event["data"]):
self.send(json.dumps(event))
def documents_deleted(self, event):