From c8c4c7c749f5531259c5fd4d8e0b7cae28216920 Mon Sep 17 00:00:00 2001
From: shamoon <4887959+shamoon@users.noreply.github.com>
Date: Fri, 30 Jan 2026 12:14:18 -0800
Subject: [PATCH] Security: enforce permissions for post_document
---
 src/documents/tests/test_api_documents.py | 11 +++++++++++
 src/documents/views.py | 2 ++
 2 files changed, 13 insertions(+)
diff --git a/src/documents/tests/test_api_documents.py b/src/documents/tests/test_api_documents.py
index f40ef157f..700f56568 100644
--- a/src/documents/tests/test_api_documents.py
+++ b/src/documents/tests/test_api_documents.py
@@ -1216,6 +1216,17 @@ class TestDocumentApi(DirectoriesMixin, DocumentConsumeDelayMixin, APITestCase):
         self.assertEqual(response.status_code, status.HTTP_405_METHOD_NOT_ALLOWED)
+    def test_upload_insufficient_permissions(self):
+        self.client.force_authenticate(user=User.objects.create_user("testuser2"))
+
+        with (Path(__file__).parent / "samples" / "simple.pdf").open("rb") as f:
+            response = self.client.post(
+                "/api/documents/post_document/",
+                {"document": f},
+            )
+
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+
+
     def test_upload_empty_metadata(self):
         self.consume_file_mock.return_value = celery.result.AsyncResult(
             id=str(uuid.uuid4()),
diff --git a/src/documents/views.py b/src/documents/views.py
index f6bec1f0d..5a0f83699 100644
--- a/src/documents/views.py
+++ b/src/documents/views.py
@@ -1703,6 +1703,8 @@ class PostDocumentView(GenericAPIView):
     parser_classes = (parsers.MultiPartParser,)
     def post(self, request, *args, **kwargs):
+        if not request.user.has_perm("documents.add_document"):
+            return HttpResponseForbidden("Insufficient permissions")
         serializer = self.get_serializer(data=request.data)
         serializer.is_valid(raise_exception=True)
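Review bot: The new test pins the 403 status but not the property the fix is really about — that a caller without `documents.add_document` never gets a file queued for consumption; add `self.consume_file_mock.assert_not_called()` after the `assertEqual` so a regression that enqueues first and rejects afterwards is still caught (the mock is visibly used two lines below, via the DocumentConsumeDelayMixin the class inherits). A freshly created user with no permissions is the right negative case, but the hunk adds no positive counterpart; if no existing test already uploads as a non-superuser holding only `documents.add_document`, one should be added so the check is not accidentally too strict. The enclosing TestDocumentApi class continues beyond the hunk.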
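Review bot: The guard at the top of `post()` returns a plain Django `HttpResponseForbidden`, which bypasses DRF's exception handler and response rendering, so this endpoint answers a denied caller with a text/html body instead of the `{"detail": ...}` JSON the rest of the API emits for 403 and skips any custom exception handler configured for the project; use `raise PermissionDenied("Insufficient permissions")` from `rest_framework.exceptions` instead. Better still, express the requirement as a permission class on the view (a small `BasePermission` whose `has_permission` returns `request.user.has_perm("documents.add_document")`, listed next to `parser_classes`) so DRF enforces it in `initial()` before any handler runs and the rule is visible at the class level rather than buried in the method body. The hunk does not show the import block, so confirm `HttpResponseForbidden` (or `PermissionDenied`) is actually imported in views.py. `post()` continues past the end of the hunk.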