Merge pull request #3702 from paperless-ngx/fix/issue-3347

Fix: owner removed when set_permissions passed on object create
This commit is contained in:
shamoon 2023-06-27 07:17:01 -07:00 committed by GitHub
commit b5d04e575e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 75 additions and 41 deletions

View File

@ -213,15 +213,12 @@ class OwnedObjectSerializer(serializers.ModelSerializer, SetPermissionsMixin):
# other methods in mixin
def create(self, validated_data):
if self.user and (
"owner" not in validated_data or validated_data["owner"] is None
):
# default to current user if not set
if "owner" not in validated_data and self.user:
validated_data["owner"] = self.user
permissions = None
if "set_permissions" in validated_data:
permissions = validated_data.pop("set_permissions")
if "user" not in permissions or permissions["user"] is None:
validated_data["owner"] = None
instance = super().create(validated_data)
if permissions is not None:
self._set_permissions(permissions, instance)

View File

@ -28,6 +28,7 @@ from django.contrib.auth.models import User
from django.test import override_settings
from django.utils import timezone
from guardian.shortcuts import assign_perm
from guardian.shortcuts import get_perms
from rest_framework import status
from rest_framework.test import APITestCase
from whoosh.writing import AsyncWriter
@ -3855,7 +3856,7 @@ class TestApiAuth(DirectoriesMixin, APITestCase):
status.HTTP_200_OK,
)
def test_object_permissions(self):
def test_api_get_object_permissions(self):
user1 = User.objects.create_user(username="test1")
user2 = User.objects.create_user(username="test2")
user1.user_permissions.add(*Permission.objects.filter(codename="view_document"))
@ -3886,18 +3887,16 @@ class TestApiAuth(DirectoriesMixin, APITestCase):
status.HTTP_404_NOT_FOUND,
)
def test_api_set_permissions(self):
def test_api_default_owner(self):
"""
GIVEN:
- API request to create an object (Tag) that supplies set_permissions object
- API request to create an object (Tag)
WHEN:
- owner is passed as null or as a user id
- view > users is set
- owner is not set at all
THEN:
- Object permissions are set appropriately
- Object created with current user as owner
"""
user1 = User.objects.create_superuser(username="user1")
user2 = User.objects.create(username="user2")
self.client.force_authenticate(user1)
@ -3907,11 +3906,73 @@ class TestApiAuth(DirectoriesMixin, APITestCase):
{
"name": "test1",
"matching_algorithm": MatchingModel.MATCH_AUTO,
},
),
content_type="application/json",
)
self.assertEqual(response.status_code, status.HTTP_201_CREATED)
tag1 = Tag.objects.filter(name="test1").first()
self.assertEqual(tag1.owner, user1)
def test_api_set_no_owner(self):
"""
GIVEN:
- API request to create an object (Tag)
WHEN:
- owner is passed as None
THEN:
- Object created with no owner
"""
user1 = User.objects.create_superuser(username="user1")
self.client.force_authenticate(user1)
response = self.client.post(
"/api/tags/",
json.dumps(
{
"name": "test1",
"matching_algorithm": MatchingModel.MATCH_AUTO,
"owner": None,
},
),
content_type="application/json",
)
self.assertEqual(response.status_code, status.HTTP_201_CREATED)
tag1 = Tag.objects.filter(name="test1").first()
self.assertEqual(tag1.owner, None)
def test_api_set_owner_w_permissions(self):
"""
GIVEN:
- API request to create an object (Tag) that supplies set_permissions object
WHEN:
- owner is passed as user id
- view > users is set & view > groups is set
THEN:
- Object permissions are set appropriately
"""
user1 = User.objects.create_superuser(username="user1")
user2 = User.objects.create(username="user2")
group1 = Group.objects.create(name="group1")
self.client.force_authenticate(user1)
response = self.client.post(
"/api/tags/",
json.dumps(
{
"name": "test1",
"matching_algorithm": MatchingModel.MATCH_AUTO,
"owner": user1.id,
"set_permissions": {
"owner": None,
"view": {
"users": None,
"groups": None,
"users": [user2.id],
"groups": [group1.id],
},
"change": {
"users": None,
@ -3926,36 +3987,12 @@ class TestApiAuth(DirectoriesMixin, APITestCase):
self.assertEqual(response.status_code, status.HTTP_201_CREATED)
tag1 = Tag.objects.filter(name="test1").first()
self.assertEqual(tag1.owner, None)
response = self.client.post(
"/api/tags/",
json.dumps(
{
"name": "test2",
"matching_algorithm": MatchingModel.MATCH_AUTO,
"set_permissions": {
"owner": user1.id,
"view": {
"users": [user2.id],
"groups": None,
},
"change": {
"users": None,
"groups": None,
},
},
},
),
content_type="application/json",
)
tag2 = Tag.objects.filter(name="test2").first()
from guardian.core import ObjectPermissionChecker
checker = ObjectPermissionChecker(user2)
self.assertEqual(checker.has_perm("view_tag", tag2), True)
self.assertEqual(checker.has_perm("view_tag", tag1), True)
self.assertIn("view_tag", get_perms(group1, tag1))
def test_dynamic_permissions_fields(self):
user1 = User.objects.create_user(username="user1")