Security: disallow API remote-user auth if disabled (#6739)

2025-07-30 18:27:45 -05:00 · 2024-05-15 13:18:50 -07:00
parent 97eec44647
commit ed05b40ba4
2 changed files with 44 additions and 0 deletions
--- a/src/paperless/tests/test_remote_user.py
+++ b/src/paperless/tests/test_remote_user.py
@@ -2,6 +2,7 @@ import os
 from unittest import mock

 from django.contrib.auth.models import User
+from django.test import override_settings
 from rest_framework import status
 from rest_framework.test import APITestCase

@@ -88,6 +89,38 @@ class TestRemoteUser(DirectoriesMixin, APITestCase):

            self.assertEqual(response.status_code, status.HTTP_200_OK)

+    @override_settings(
+        REST_FRAMEWORK={
+            "DEFAULT_AUTHENTICATION_CLASSES": [
+                "rest_framework.authentication.BasicAuthentication",
+                "rest_framework.authentication.TokenAuthentication",
+                "rest_framework.authentication.SessionAuthentication",
+            ],
+        },
+    )
+    def test_remote_user_api_disabled(self):
+        """
+        GIVEN:
+            - Configured user
+            - Remote user auth enabled for frontend but disabled for the API
+            - Note that REST_FRAMEWORK['DEFAULT_AUTHENTICATION_CLASSES'] is set in settings.py in production
+        WHEN:
+            - API call is made to get documents
+        THEN:
+            - Call fails
+        """
+        response = self.client.get(
+            "/api/documents/",
+            headers={
+                "Remote-User": self.user.username,
+            },
+        )
+
+        self.assertIn(
+            response.status_code,
+            [status.HTTP_401_UNAUTHORIZED, status.HTTP_403_FORBIDDEN],
+        )
+
    def test_remote_user_header_setting(self):
        """
        GIVEN: