Fix: respect global permissions for UI settings (#5919)

2025-08-12 00:19:48 +00:00 · 2024-02-26 12:19:31 -08:00
parent f5e1675107
commit d2f9b5d5e5
5 changed files with 58 additions and 5 deletions
--- a/src/documents/tests/test_api_uisettings.py
+++ b/src/documents/tests/test_api_uisettings.py
@@ -1,5 +1,6 @@
 import json

+from django.contrib.auth.models import Permission
 from django.contrib.auth.models import User
 from rest_framework import status
 from rest_framework.test import APITestCase
@@ -65,3 +66,47 @@ class TestApiUiSettings(DirectoriesMixin, APITestCase):
            ui_settings.settings,
            settings["settings"],
        )
+
+    def test_api_set_ui_settings_insufficient_global_permissions(self):
+        not_superuser = User.objects.create_user(username="test_not_superuser")
+        self.client.force_authenticate(user=not_superuser)
+
+        settings = {
+            "settings": {
+                "dark_mode": {
+                    "enabled": True,
+                },
+            },
+        }
+
+        response = self.client.post(
+            self.ENDPOINT,
+            json.dumps(settings),
+            content_type="application/json",
+        )
+
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+
+    def test_api_set_ui_settings_sufficient_global_permissions(self):
+        not_superuser = User.objects.create_user(username="test_not_superuser")
+        not_superuser.user_permissions.add(
+            *Permission.objects.filter(codename__contains="uisettings"),
+        )
+        not_superuser.save()
+        self.client.force_authenticate(user=not_superuser)
+
+        settings = {
+            "settings": {
+                "dark_mode": {
+                    "enabled": True,
+                },
+            },
+        }
+
+        response = self.client.post(
+            self.ENDPOINT,
+            json.dumps(settings),
+            content_type="application/json",
+        )
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)