diff --git a/src-ui/src/app/components/document-detail/document-detail.component.spec.ts b/src-ui/src/app/components/document-detail/document-detail.component.spec.ts index b85a7eaf4..a90fe0148 100644 --- a/src-ui/src/app/components/document-detail/document-detail.component.spec.ts +++ b/src-ui/src/app/components/document-detail/document-detail.component.spec.ts @@ -1,5 +1,9 @@ import { DatePipe } from '@angular/common' -import { provideHttpClient, withInterceptorsFromDi } from '@angular/common/http' +import { + HttpErrorResponse, + provideHttpClient, + withInterceptorsFromDi, +} from '@angular/common/http' import { HttpTestingController, provideHttpClientTesting, @@ -503,7 +507,7 @@ describe('DocumentDetailComponent', () => { const updateSpy = jest.spyOn(documentService, 'update') const toastSpy = jest.spyOn(toastService, 'showInfo') updateSpy.mockImplementation(() => - throwError(() => new Error('failed to save')) + throwError(() => new HttpErrorResponse({ status: 403 })) ) component.save(true) expect(updateSpy).toHaveBeenCalled() diff --git a/src-ui/src/app/components/document-detail/document-detail.component.ts b/src-ui/src/app/components/document-detail/document-detail.component.ts index 27a74cfcd..45d5a8bc1 100644 --- a/src-ui/src/app/components/document-detail/document-detail.component.ts +++ b/src-ui/src/app/components/document-detail/document-detail.component.ts @@ -824,11 +824,13 @@ export class DocumentDetailComponent }, error: (error) => { this.networkActive = false - if (!this.userCanEdit) { + if (error.status === 403) { + // e.g. document was 'given away' + this.openDocumentService.setDirty(this.document, false) this.toastService.showInfo( $localize`Document "${this.document.title}" saved successfully.` ) - close && this.close() + this.close() } else { this.error = error.error this.toastService.showError( diff --git a/src/documents/tests/test_api_documents.py b/src/documents/tests/test_api_documents.py index a0a380e41..40a5d1477 100644 --- a/src/documents/tests/test_api_documents.py +++ b/src/documents/tests/test_api_documents.py @@ -262,6 +262,34 @@ class TestDocumentApi(DirectoriesMixin, DocumentConsumeDelayMixin, APITestCase): response = self.client.get(f"/api/documents/{doc.pk}/thumb/") self.assertEqual(response.status_code, status.HTTP_200_OK) + def test_document_given_away(self): + """ + GIVEN: + - Document with owner + WHEN: + - Document is update and given away + THEN: + - 403 Forbidden is returned + """ + non_superuser = User.objects.create_user(username="test") + non_superuser.user_permissions.add(*Permission.objects.all()) + self.client.force_authenticate(user=non_superuser) + + doc = Document.objects.create( + title="none", + checksum="123", + mime_type="application/pdf", + owner=non_superuser, + ) + + response = self.client.patch( + f"/api/documents/{doc.pk}/", + {"owner": self.user.id}, + format="json", + ) + + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + @override_settings(FILENAME_FORMAT="") def test_download_with_archive(self): content = b"This is a test" diff --git a/src/documents/views.py b/src/documents/views.py index 7298391f2..d1de0ddea 100644 --- a/src/documents/views.py +++ b/src/documents/views.py @@ -580,15 +580,24 @@ class DocumentViewSet( def update(self, request, *args, **kwargs): response = super().update(request, *args, **kwargs) + try: + doc = self.get_object() + except Http404: + # if we get this far document it was probably 'given away' + doc = Document.objects.get(id=kwargs["pk"]) + from documents import index - index.add_or_update_document(self.get_object()) + index.add_or_update_document(doc) document_updated.send( sender=self.__class__, - document=self.get_object(), + document=doc, ) + if not has_perms_owner_aware(request.user, "change_document", doc): + return HttpResponseForbidden("Insufficient permissions") + return response def destroy(self, request, *args, **kwargs):