Merge pull request #3347 from paperless-ngx/fix/issue-3346

Fix: default frontend to current owner, allow setting no owner on create
2025-07-28 18:24:38 -05:00 · 2023-05-10 08:18:08 -07:00
parent 58b7230979 4443ba9d5e
commit e54e552aad
11 changed files with 116 additions and 18 deletions
--- a/src/documents/serialisers.py
+++ b/src/documents/serialisers.py
@@ -220,6 +220,8 @@ class OwnedObjectSerializer(serializers.ModelSerializer, SetPermissionsMixin):
        permissions = None
        if "set_permissions" in validated_data:
            permissions = validated_data.pop("set_permissions")
+            if "user" not in permissions or permissions["user"] is None:
+                validated_data["owner"] = None
        instance = super().create(validated_data)
        if permissions is not None:
            self._set_permissions(permissions, instance)
--- a/src/documents/tests/test_api.py
+++ b/src/documents/tests/test_api.py
@@ -3550,6 +3550,77 @@ class TestApiAuth(DirectoriesMixin, APITestCase):
            status.HTTP_404_NOT_FOUND,
        )

+    def test_api_set_permissions(self):
+        """
+        GIVEN:
+            - API request to create an object (Tag) that supplies set_permissions object
+        WHEN:
+            - owner is passed as null or as a user id
+            - view > users is set
+        THEN:
+            - Object permissions are set appropriately
+        """
+        user1 = User.objects.create_superuser(username="user1")
+        user2 = User.objects.create(username="user2")
+
+        self.client.force_authenticate(user1)
+
+        response = self.client.post(
+            "/api/tags/",
+            json.dumps(
+                {
+                    "name": "test1",
+                    "matching_algorithm": MatchingModel.MATCH_AUTO,
+                    "set_permissions": {
+                        "owner": None,
+                        "view": {
+                            "users": None,
+                            "groups": None,
+                        },
+                        "change": {
+                            "users": None,
+                            "groups": None,
+                        },
+                    },
+                },
+            ),
+            content_type="application/json",
+        )
+
+        self.assertEqual(response.status_code, status.HTTP_201_CREATED)
+
+        tag1 = Tag.objects.filter(name="test1").first()
+        self.assertEqual(tag1.owner, None)
+
+        response = self.client.post(
+            "/api/tags/",
+            json.dumps(
+                {
+                    "name": "test2",
+                    "matching_algorithm": MatchingModel.MATCH_AUTO,
+                    "set_permissions": {
+                        "owner": user1.id,
+                        "view": {
+                            "users": [user2.id],
+                            "groups": None,
+                        },
+                        "change": {
+                            "users": None,
+                            "groups": None,
+                        },
+                    },
+                },
+            ),
+            content_type="application/json",
+        )
+
+        tag2 = Tag.objects.filter(name="test2").first()
+
+        from guardian.core import ObjectPermissionChecker
+
+        checker = ObjectPermissionChecker(user2)
+        self.assertEqual(checker.has_perm("view_tag", tag2), True)
+
    def test_dynamic_permissions_fields(self):
        user1 = User.objects.create_user(username="user1")
        user1.user_permissions.add(*Permission.objects.filter(codename="view_document"))