From d8c96b6e4a573d7aada11409d5f241d8bd1ff84d Mon Sep 17 00:00:00 2001
From: shamoon <4887959+shamoon@users.noreply.github.com>
Date: Fri, 7 Jun 2024 18:23:45 -0700
Subject: [PATCH] Enhancement: dont require document model permissions for notes (#6913)
---
 src/documents/permissions.py | 20 ++++++++++++++++++++
 src/documents/views.py | 7 ++++++-
 2 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/src/documents/permissions.py b/src/documents/permissions.py
index 76f1835f2..a254f8377 100644
--- a/src/documents/permissions.py
+++ b/src/documents/permissions.py
@@ -138,3 +138,23 @@ def get_objects_for_user_owner_aware(user, perms, Model) -> QuerySet:
 def has_perms_owner_aware(user, perms, obj):
 checker = ObjectPermissionChecker(user)
 return obj.owner is None or obj.owner == user or checker.has_perm(perms, obj)
+
+
+class PaperlessNotePermissions(BasePermission):
+ """
+ Permissions class that checks for model permissions for Notes.
+ """
+
+ perms_map = {
+ "GET": ["documents.view_note"],
+ "POST": ["documents.add_note"],
+ "DELETE": ["documents.delete_note"],
+ }
+
+ def has_permission(self, request, view):
+ if not request.user or (not request.user.is_authenticated): # pragma: no cover
+ return False
+
+ perms = self.perms_map[request.method]
+
+ return request.user.has_perms(perms)
diff --git a/src/documents/views.py b/src/documents/views.py
index 91b99b610..02023b59f 100644
--- a/src/documents/views.py
+++ b/src/documents/views.py
@@ -123,6 +123,7 @@ from documents.models import WorkflowTrigger
 from documents.parsers import get_parser_class_for_mime_type
 from documents.parsers import parse_date_generator
 from documents.permissions import PaperlessAdminPermissions
+from documents.permissions import PaperlessNotePermissions
 from documents.permissions import PaperlessObjectPermissions
 from documents.permissions import get_objects_for_user_owner_aware
 from documents.permissions import has_perms_owner_aware
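Review bot: In `PaperlessNotePermissions.has_permission` (src/documents/permissions.py), the lookup `self.perms_map[request.method]` raises KeyError for any method other than GET, POST or DELETE. DRF normally runs permission checks before it selects the handler, so an authenticated HEAD or OPTIONS request to the notes route would probably surface as a 500 rather than a clean denial. Look the method up with `perms = self.perms_map.get(request.method)` and follow it with `if perms is None: return False`, so unknown methods are denied explicitly. The unauthenticated branch is also marked `# pragma: no cover`; since this class becomes the only permission class on the notes action, a test for that rejection path would be worth having.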
@@ -622,7 +623,11 @@ class DocumentViewSet(
 .order_by("-created")
 ]
 
- @action(methods=["get", "post", "delete"], detail=True)
+ @action(
+ methods=["get", "post", "delete"],
+ detail=True,
+ permission_classes=[PaperlessNotePermissions],
+ )
 def notes(self, request, pk=None):
 currentUser = request.user
 try:
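Review bot: Setting `permission_classes=[PaperlessNotePermissions]` on the `notes` action replaces the viewset-level permission classes for this route rather than adding to them, and the new class checks only model-level note permissions (it defines no `has_object_permission`). Access to the specific document therefore rests entirely on what `notes()` does itself; its body continues outside the hunk, so that cannot be confirmed from here. Please verify that the GET, POST and DELETE branches each still perform the owner-aware document check, and record the dependency above the decorator with a comment such as `# Replaces the viewset permission classes; per-document access is checked inside notes()`. A test using a user who holds the note permissions but has no access to the document would pin this behaviour down.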