Enhancement: dont require document model permissions for notes (#6913)

src/documents/permissions.py

@@ -138,3 +138,23 @@ def get_objects_for_user_owner_aware(user, perms, Model) -> QuerySet:
 def has_perms_owner_aware(user, perms, obj):
     checker = ObjectPermissionChecker(user)
     return obj.owner is None or obj.owner == user or checker.has_perm(perms, obj)
+
+
+class PaperlessNotePermissions(BasePermission):
+    """
+    Permissions class that checks for model permissions for Notes.
+    """
+
+    perms_map = {
+        "GET": ["documents.view_note"],
+        "POST": ["documents.add_note"],
+        "DELETE": ["documents.delete_note"],
+    }
+
+    def has_permission(self, request, view):
+        if not request.user or (not request.user.is_authenticated):  # pragma: no cover
+            return False
+
+        perms = self.perms_map[request.method]
+
+        return request.user.has_perms(perms)

src/documents/views.py

@@ -123,6 +123,7 @@ from documents.models import WorkflowTrigger
 from documents.parsers import get_parser_class_for_mime_type
 from documents.parsers import parse_date_generator
 from documents.permissions import PaperlessAdminPermissions
+from documents.permissions import PaperlessNotePermissions
 from documents.permissions import PaperlessObjectPermissions
 from documents.permissions import get_objects_for_user_owner_aware
 from documents.permissions import has_perms_owner_aware
@@ -622,7 +623,11 @@ class DocumentViewSet(
             .order_by("-created")
         ]
 
-    @action(methods=["get", "post", "delete"], detail=True)
+    @action(
+        methods=["get", "post", "delete"],
+        detail=True,
+        permission_classes=[PaperlessNotePermissions],
+    )
     def notes(self, request, pk=None):
         currentUser = request.user
         try: