Fixhancement: check more permissions for status consumer messages (#9804)

2025-08-14 00:26:21 +00:00 · 2025-04-26 23:31:04 -07:00
parent 0cefdc8475
commit a3b85c64ca
6 changed files with 125 additions and 12 deletions
--- a/src/paperless/tests/test_websockets.py
+++ b/src/paperless/tests/test_websockets.py
@@ -90,6 +90,52 @@ class TestWebSockets(TestCase):

        await communicator.disconnect()

+    async def test_status_update_check_perms(self):
+        communicator = WebsocketCommunicator(application, "/ws/status/")
+
+        communicator.scope["user"] = mock.Mock()
+        communicator.scope["user"].is_authenticated = True
+        communicator.scope["user"].is_superuser = False
+        communicator.scope["user"].id = 1
+
+        connected, subprotocol = await communicator.connect()
+        self.assertTrue(connected)
+
+        # Test as owner
+        message = {"type": "status_update", "data": {"task_id": "test", "owner_id": 1}}
+        channel_layer = get_channel_layer()
+        await channel_layer.group_send(
+            "status_updates",
+            message,
+        )
+        response = await communicator.receive_json_from()
+        self.assertEqual(response, message)
+
+        # Test with a group that the user belongs to
+        communicator.scope["user"].groups.filter.return_value.exists.return_value = True
+        message = {
+            "type": "status_update",
+            "data": {"task_id": "test", "owner_id": 2, "groups_can_view": [1]},
+        }
+        channel_layer = get_channel_layer()
+        await channel_layer.group_send(
+            "status_updates",
+            message,
+        )
+        response = await communicator.receive_json_from()
+        self.assertEqual(response, message)
+
+        # Test with a different owner_id
+        message = {"type": "status_update", "data": {"task_id": "test", "owner_id": 2}}
+        channel_layer = get_channel_layer()
+        await channel_layer.group_send(
+            "status_updates",
+            message,
+        )
+        response = await communicator.receive_nothing()
+        self.assertNotEqual(response, message)
+        await communicator.disconnect()
+
    @mock.patch("paperless.consumers.StatusConsumer._authenticated")
    async def test_receive_documents_deleted(self, _authenticated):
        _authenticated.return_value = True