Fix: require only change permissions for task dismissal, add frontend error handling (#11023)

src/documents/permissions.py

@@ -161,3 +161,21 @@ class PaperlessNotePermissions(BasePermission):
         perms = self.perms_map[request.method]
 
         return request.user.has_perms(perms)
+
+
+class AcknowledgeTasksPermissions(BasePermission):
+    """
+    Permissions class that checks for model permissions for acknowledging tasks.
+    """
+
+    perms_map = {
+        "POST": ["documents.change_paperlesstask"],
+    }
+
+    def has_permission(self, request, view):
+        if not request.user or not request.user.is_authenticated:  # pragma: no cover
+            return False
+
+        perms = self.perms_map.get(request.method, [])
+
+        return request.user.has_perms(perms)

src/documents/tests/test_api_tasks.py

@@ -135,6 +135,44 @@ class TestTasks(DirectoriesMixin, APITestCase):
         response = self.client.get(self.ENDPOINT + "?acknowledged=false")
         self.assertEqual(len(response.data), 0)
 
+    def test_acknowledge_tasks_requires_change_permission(self):
+        """
+        GIVEN:
+            - A regular user initially without change permissions
+            - A regular user with change permissions
+        WHEN:
+            - API call is made to acknowledge tasks
+        THEN:
+            - The first user is forbidden from acknowledging tasks
+            - The second user is allowed to acknowledge tasks
+        """
+        regular_user = User.objects.create_user(username="test")
+        self.client.force_authenticate(user=regular_user)
+
+        task = PaperlessTask.objects.create(
+            task_id=str(uuid.uuid4()),
+            task_file_name="task_one.pdf",
+        )
+
+        response = self.client.post(
+            self.ENDPOINT + "acknowledge/",
+            {"tasks": [task.id]},
+        )
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+
+        regular_user2 = User.objects.create_user(username="test2")
+        regular_user2.user_permissions.add(
+            Permission.objects.get(codename="change_paperlesstask"),
+        )
+        regular_user2.save()
+        self.client.force_authenticate(user=regular_user2)
+
+        response = self.client.post(
+            self.ENDPOINT + "acknowledge/",
+            {"tasks": [task.id]},
+        )
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+
     def test_tasks_owner_aware(self):
         """
         GIVEN:

src/documents/views.py

@@ -136,6 +136,7 @@ from documents.models import WorkflowAction
 from documents.models import WorkflowTrigger
 from documents.parsers import get_parser_class_for_mime_type
 from documents.parsers import parse_date_generator
+from documents.permissions import AcknowledgeTasksPermissions
 from documents.permissions import PaperlessAdminPermissions
 from documents.permissions import PaperlessNotePermissions
 from documents.permissions import PaperlessObjectPermissions
@@ -2487,7 +2488,11 @@ class TasksViewSet(ReadOnlyModelViewSet):
             queryset = PaperlessTask.objects.filter(task_id=task_id)
         return queryset
 
-    @action(methods=["post"], detail=False)
+    @action(
+        methods=["post"],
+        detail=False,
+        permission_classes=[IsAuthenticated, AcknowledgeTasksPermissions],
+    )
     def acknowledge(self, request):
         serializer = AcknowledgeTasksViewSerializer(data=request.data)
         serializer.is_valid(raise_exception=True)