Fix: respect global permissions for UI settings (#5919)

2025-04-02 13:45:10 -05:00 · 2024-02-26 12:19:31 -08:00 · 2024-02-26 12:19:31 -08:00 · d2f9b5d5e5
commit d2f9b5d5e5
parent f5e1675107
5 changed files with 58 additions and 5 deletions
--- a/src-ui/src/app/app-routing.module.ts
+++ b/src-ui/src/app/app-routing.module.ts
@ -163,7 +163,7 @@ export const routes: Routes = [
        canActivate: [PermissionsGuard],
        data: {
          requiredPermission: {
-            action: PermissionAction.View,
+            action: PermissionAction.Change,
            type: PermissionType.UISettings,
          },
        },
--- a/src-ui/src/app/components/admin/settings/settings.component.html
+++ b/src-ui/src/app/components/admin/settings/settings.component.html
@ -351,5 +351,5 @@
  <div [ngbNavOutlet]="nav" class="border-start border-end border-bottom p-3 mb-3 shadow-sm"></div>
-  <button type="submit" class="btn btn-primary mb-2" *pngxIfPermissions="{ action: PermissionAction.Change, type: PermissionType.UISettings }" [disabled]="(isDirty$ | async) === false" i18n>Save</button>
+  <button type="submit" class="btn btn-primary mb-2" [disabled]="(isDirty$ | async) === false" i18n>Save</button>
 </form>
--- a/src-ui/src/app/components/app-frame/app-frame.component.html
+++ b/src-ui/src/app/components/app-frame/app-frame.component.html
@ -55,7 +55,7 @@
          <i-bs class="me-2" name="person"></i-bs>&nbsp;<ng-container i18n>My Profile</ng-container>
        </button>
        <a ngbDropdownItem class="nav-link" routerLink="settings" (click)="closeMenu()"
-          *pngxIfPermissions="{ action: PermissionAction.View, type: PermissionType.UISettings }">
+          *pngxIfPermissions="{ action: PermissionAction.Change, type: PermissionType.UISettings }">
          <i-bs class="me-2" name="gear"></i-bs><ng-container i18n>Settings</ng-container>
        </a>
        <a ngbDropdownItem class="nav-link d-flex" href="accounts/logout/" (click)="onLogout()">
@ -227,7 +227,7 @@
          <span i18n>Administration</span>
        </h6>
        <ul class="nav flex-column mb-2">
-          <li class="nav-item" *pngxIfPermissions="{ action: PermissionAction.View, type: PermissionType.UISettings }"
+          <li class="nav-item" *pngxIfPermissions="{ action: PermissionAction.Change, type: PermissionType.UISettings }"
            tourAnchor="tour.settings">
            <a class="nav-link" routerLink="settings" routerLinkActive="active" (click)="closeMenu()"
              ngbPopover="Settings" i18n-ngbPopover [disablePopover]="!slimSidebarEnabled" placement="end"
--- a/src/documents/tests/test_api_uisettings.py
+++ b/src/documents/tests/test_api_uisettings.py
@ -1,5 +1,6 @@
 import json
 from django.contrib.auth.models import Permission
 from django.contrib.auth.models import User
 from rest_framework import status
 from rest_framework.test import APITestCase
@ -65,3 +66,47 @@ class TestApiUiSettings(DirectoriesMixin, APITestCase):
            ui_settings.settings,
            settings["settings"],
        )
    def test_api_set_ui_settings_insufficient_global_permissions(self):
        not_superuser = User.objects.create_user(username="test_not_superuser")
        self.client.force_authenticate(user=not_superuser)
        settings = {
            "settings": {
                "dark_mode": {
                    "enabled": True,
                },
            },
        }
        response = self.client.post(
            self.ENDPOINT,
            json.dumps(settings),
            content_type="application/json",
        )
        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
    def test_api_set_ui_settings_sufficient_global_permissions(self):
        not_superuser = User.objects.create_user(username="test_not_superuser")
        not_superuser.user_permissions.add(
            *Permission.objects.filter(codename__contains="uisettings"),
        )
        not_superuser.save()
        self.client.force_authenticate(user=not_superuser)
        settings = {
            "settings": {
                "dark_mode": {
                    "enabled": True,
                },
            },
        }
        response = self.client.post(
            self.ENDPOINT,
            json.dumps(settings),
            content_type="application/json",
        )
        self.assertEqual(response.status_code, status.HTTP_200_OK)
--- a/src/documents/views.py
+++ b/src/documents/views.py
@ -51,6 +51,7 @@ from rest_framework.mixins import DestroyModelMixin
 from rest_framework.mixins import ListModelMixin
 from rest_framework.mixins import RetrieveModelMixin
 from rest_framework.mixins import UpdateModelMixin
 from rest_framework.permissions import DjangoModelPermissions
 from rest_framework.permissions import IsAuthenticated
 from rest_framework.response import Response
 from rest_framework.views import APIView
@ -103,6 +104,7 @@ from documents.models import SavedView
 from documents.models import ShareLink
 from documents.models import StoragePath
 from documents.models import Tag
 from documents.models import UiSettings
 from documents.models import Workflow
 from documents.models import WorkflowAction
 from documents.models import WorkflowTrigger
@ -1190,9 +1192,15 @@ class StoragePathViewSet(ModelViewSet, PassUserMixin):
 class UiSettingsView(GenericAPIView):
-    permission_classes = (IsAuthenticated,)
+    queryset = UiSettings.objects.all()
    permission_classes = (IsAuthenticated, DjangoModelPermissions)
    serializer_class = UiSettingsViewSerializer
    perms_map = {
        "GET": ["%(app_label)s.view_%(model_name)s"],
        "POST": ["%(app_label)s.change_%(model_name)s"],
    }
    def get(self, request, format=None):
        serializer = self.get_serializer(data=request.data)
        serializer.is_valid(raise_exception=True)