Fix: remove unnecessary permission requirements for new email endpoint (#11215)

2025-12-24 02:05:48 -06:00 · 2025-10-29 07:14:51 -07:00
parent 3f32ed319a
commit b60fb8ed82
3 changed files with 54 additions and 1 deletions
--- a/src/documents/tests/test_api_email.py
+++ b/src/documents/tests/test_api_email.py
@@ -329,6 +329,34 @@ class TestEmail(DirectoriesMixin, SampleDirMixin, APITestCase):
        )
        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)

+    def test_email_only_requires_view_permission(self):
+        """
+        GIVEN:
+            - User having only view documents permission
+        WHEN:
+            - API request is made to bulk email documents
+        THEN:
+            - Request succeeds
+        """
+        user1 = User.objects.create_user(username="test1")
+        user1.user_permissions.add(*Permission.objects.filter(codename="view_document"))
+
+        self.client.force_authenticate(user1)
+
+        response = self.client.post(
+            self.ENDPOINT,
+            json.dumps(
+                {
+                    "documents": [self.doc1.pk],
+                    "addresses": "test@example.com",
+                    "subject": "Test",
+                    "message": "Test message",
+                },
+            ),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+
    @override_settings(
        EMAIL_ENABLED=True,
        EMAIL_BACKEND="django.core.mail.backends.locmem.EmailBackend",