Security: enforce permissions for post_document

2026-02-05 23:32:46 -06:00 · 2026-01-30 12:14:18 -08:00
parent 836c81e037
commit c8c4c7c749
2 changed files with 13 additions and 0 deletions
--- a/src/documents/views.py
+++ b/src/documents/views.py
@@ -1703,6 +1703,8 @@ class PostDocumentView(GenericAPIView):
    parser_classes = (parsers.MultiPartParser,)

    def post(self, request, *args, **kwargs):
+        if not request.user.has_perm("documents.add_document"):
+            return HttpResponseForbidden("Insufficient permissions")
        serializer = self.get_serializer(data=request.data)
        serializer.is_valid(raise_exception=True)