Enhancement: dont require document model permissions for notes (#6913)

This commit is contained in:
shamoon 2024-06-07 18:23:45 -07:00 committed by GitHub
parent 3d6aa8a656
commit d8c96b6e4a
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 26 additions and 1 deletions

View File

@ -138,3 +138,23 @@ def get_objects_for_user_owner_aware(user, perms, Model) -> QuerySet:
def has_perms_owner_aware(user, perms, obj):
checker = ObjectPermissionChecker(user)
return obj.owner is None or obj.owner == user or checker.has_perm(perms, obj)
class PaperlessNotePermissions(BasePermission):
"""
Permissions class that checks for model permissions for Notes.
"""
perms_map = {
"GET": ["documents.view_note"],
"POST": ["documents.add_note"],
"DELETE": ["documents.delete_note"],
}
def has_permission(self, request, view):
if not request.user or (not request.user.is_authenticated): # pragma: no cover
return False
perms = self.perms_map[request.method]
return request.user.has_perms(perms)

View File

@ -123,6 +123,7 @@ from documents.models import WorkflowTrigger
from documents.parsers import get_parser_class_for_mime_type
from documents.parsers import parse_date_generator
from documents.permissions import PaperlessAdminPermissions
from documents.permissions import PaperlessNotePermissions
from documents.permissions import PaperlessObjectPermissions
from documents.permissions import get_objects_for_user_owner_aware
from documents.permissions import has_perms_owner_aware
@ -622,7 +623,11 @@ class DocumentViewSet(
.order_by("-created")
]
@action(methods=["get", "post", "delete"], detail=True)
@action(
methods=["get", "post", "delete"],
detail=True,
permission_classes=[PaperlessNotePermissions],
)
def notes(self, request, pk=None):
currentUser = request.user
try: