Merge branch 'release/v2.20.x'

---------

Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: shamoon <4887959+shamoon@users.noreply.github.com>

.github/workflows/ci.yml

@@ -617,7 +617,7 @@ jobs:
           version: ${{ steps.get_version.outputs.version }}
           prerelease: ${{ steps.get_version.outputs.prerelease }}
           publish: true # ensures release is not marked as draft
-          commitish: ${{ github.sha }}
+          committish: ${{ github.sha }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Upload release archive

docker/management_script.sh

@@ -5,13 +5,10 @@ set -e
 
 cd "${PAPERLESS_SRC_DIR}"
 
-if [[ -n "${USER_IS_NON_ROOT}" ]]; then
+if [[ $(id -u) == 0 ]]; then
-	python3 manage.py management_command "$@"
-elif [[ $(id -u) == 0 ]]; then
 	s6-setuidgid paperless python3 manage.py management_command "$@"
 elif [[ $(id -un) == "paperless" ]]; then
 	python3 manage.py management_command "$@"
 else
 	echo "Unknown user."
-	exit 1
 fi

docker/rootfs/usr/local/bin/convert_mariadb_uuid

@@ -5,13 +5,10 @@ set -e
 
 cd "${PAPERLESS_SRC_DIR}"
 
-if [[ -n "${USER_IS_NON_ROOT}" ]]; then
+if [[ $(id -u) == 0 ]]; then
-	python3 manage.py convert_mariadb_uuid "$@"
-elif [[ $(id -u) == 0 ]]; then
 	s6-setuidgid paperless python3 manage.py convert_mariadb_uuid "$@"
 elif [[ $(id -un) == "paperless" ]]; then
 	python3 manage.py convert_mariadb_uuid "$@"
 else
 	echo "Unknown user."
-	exit 1
 fi

docker/rootfs/usr/local/bin/createsuperuser

@@ -5,13 +5,10 @@ set -e
 
 cd "${PAPERLESS_SRC_DIR}"
 
-if [[ -n "${USER_IS_NON_ROOT}" ]]; then
+if [[ $(id -u) == 0 ]]; then
-	python3 manage.py createsuperuser "$@"
-elif [[ $(id -u) == 0 ]]; then
 	s6-setuidgid paperless python3 manage.py createsuperuser "$@"
 elif [[ $(id -un) == "paperless" ]]; then
 	python3 manage.py createsuperuser "$@"
 else
 	echo "Unknown user."
-	exit 1
 fi

docker/rootfs/usr/local/bin/decrypt_documents

@@ -5,13 +5,10 @@ set -e
 
 cd "${PAPERLESS_SRC_DIR}"
 
-if [[ -n "${USER_IS_NON_ROOT}" ]]; then
+if [[ $(id -u) == 0 ]]; then
-	python3 manage.py decrypt_documents "$@"
-elif [[ $(id -u) == 0 ]]; then
 	s6-setuidgid paperless python3 manage.py decrypt_documents "$@"
 elif [[ $(id -un) == "paperless" ]]; then
 	python3 manage.py decrypt_documents "$@"
 else
 	echo "Unknown user."
-	exit 1
 fi

docker/rootfs/usr/local/bin/document_archiver

@@ -5,13 +5,10 @@ set -e
 
 cd "${PAPERLESS_SRC_DIR}"
 
-if [[ -n "${USER_IS_NON_ROOT}" ]]; then
+if [[ $(id -u) == 0 ]]; then
-	python3 manage.py document_archiver "$@"
-elif [[ $(id -u) == 0 ]]; then
 	s6-setuidgid paperless python3 manage.py document_archiver "$@"
 elif [[ $(id -un) == "paperless" ]]; then
 	python3 manage.py document_archiver "$@"
 else
 	echo "Unknown user."
-	exit 1
 fi

docker/rootfs/usr/local/bin/document_create_classifier

@@ -5,17 +5,10 @@ set -e
 
 cd "${PAPERLESS_SRC_DIR}"
 
-if [[ -n "${USER_IS_NON_ROOT}" ]]; then
+if [[ $(id -u) == 0 ]]; then
-	python3 manage.py document_create_classifier "$@"
-elif [[ $(id -u) == 0 ]]; then
 	s6-setuidgid paperless python3 manage.py document_create_classifier "$@"
 elif [[ $(id -un) == "paperless" ]]; then
 	python3 manage.py document_create_classifier "$@"
 else
 	echo "Unknown user."
-	exit 1
-fi
-er "$@"
-elif [[ $(id -un) == "paperless" ]]; then
-	s6-setuidgid paperless python3 manage.py document_create_classifier "$@"
 fi

docker/rootfs/usr/local/bin/document_exporter

@@ -5,13 +5,10 @@ set -e
 
 cd "${PAPERLESS_SRC_DIR}"
 
-if [[ -n "${USER_IS_NON_ROOT}" ]]; then
+if [[ $(id -u) == 0 ]]; then
-	python3 manage.py document_exporter "$@"
-elif [[ $(id -u) == 0 ]]; then
 	s6-setuidgid paperless python3 manage.py document_exporter "$@"
 elif [[ $(id -un) == "paperless" ]]; then
 	python3 manage.py document_exporter "$@"
 else
 	echo "Unknown user."
-	exit 1
 fi

docker/rootfs/usr/local/bin/document_fuzzy_match

@@ -5,13 +5,10 @@ set -e
 
 cd "${PAPERLESS_SRC_DIR}"
 
-if [[ -n "${USER_IS_NON_ROOT}" ]]; then
+if [[ $(id -u) == 0 ]]; then
-	python3 manage.py document_fuzzy_match "$@"
-elif [[ $(id -u) == 0 ]]; then
 	s6-setuidgid paperless python3 manage.py document_fuzzy_match "$@"
 elif [[ $(id -un) == "paperless" ]]; then
 	python3 manage.py document_fuzzy_match "$@"
 else
 	echo "Unknown user."
-	exit 1
 fi

docker/rootfs/usr/local/bin/document_importer

@@ -5,13 +5,10 @@ set -e
 
 cd "${PAPERLESS_SRC_DIR}"
 
-if [[ -n "${USER_IS_NON_ROOT}" ]]; then
+if [[ $(id -u) == 0 ]]; then
-	python3 manage.py document_importer "$@"
-elif [[ $(id -u) == 0 ]]; then
 	s6-setuidgid paperless python3 manage.py document_importer "$@"
 elif [[ $(id -un) == "paperless" ]]; then
 	python3 manage.py document_importer "$@"
 else
 	echo "Unknown user."
-	exit 1
 fi

docker/rootfs/usr/local/bin/document_index

@@ -5,13 +5,10 @@ set -e
 
 cd "${PAPERLESS_SRC_DIR}"
 
-if [[ -n "${USER_IS_NON_ROOT}" ]]; then
+if [[ $(id -u) == 0 ]]; then
-	python3 manage.py document_index "$@"
-elif [[ $(id -u) == 0 ]]; then
 	s6-setuidgid paperless python3 manage.py document_index "$@"
 elif [[ $(id -un) == "paperless" ]]; then
 	python3 manage.py document_index "$@"
 else
 	echo "Unknown user."
-	exit 1
 fi

docker/rootfs/usr/local/bin/document_renamer

@@ -5,13 +5,10 @@ set -e
 
 cd "${PAPERLESS_SRC_DIR}"
 
-if [[ -n "${USER_IS_NON_ROOT}" ]]; then
+if [[ $(id -u) == 0 ]]; then
-	python3 manage.py document_renamer "$@"
-elif [[ $(id -u) == 0 ]]; then
 	s6-setuidgid paperless python3 manage.py document_renamer "$@"
 elif [[ $(id -un) == "paperless" ]]; then
 	python3 manage.py document_renamer "$@"
 else
 	echo "Unknown user."
-	exit 1
 fi

docker/rootfs/usr/local/bin/document_retagger

@@ -5,13 +5,10 @@ set -e
 
 cd "${PAPERLESS_SRC_DIR}"
 
-if [[ -n "${USER_IS_NON_ROOT}" ]]; then
+if [[ $(id -u) == 0 ]]; then
-	python3 manage.py document_retagger "$@"
-elif [[ $(id -u) == 0 ]]; then
 	s6-setuidgid paperless python3 manage.py document_retagger "$@"
 elif [[ $(id -un) == "paperless" ]]; then
 	python3 manage.py document_retagger "$@"
 else
 	echo "Unknown user."
-	exit 1
 fi

docker/rootfs/usr/local/bin/document_sanity_checker

@@ -5,13 +5,10 @@ set -e
 
 cd "${PAPERLESS_SRC_DIR}"
 
-if [[ -n "${USER_IS_NON_ROOT}" ]]; then
+if [[ $(id -u) == 0 ]]; then
-	python3 manage.py document_sanity_checker "$@"
-elif [[ $(id -u) == 0 ]]; then
 	s6-setuidgid paperless python3 manage.py document_sanity_checker "$@"
 elif [[ $(id -un) == "paperless" ]]; then
 	python3 manage.py document_sanity_checker "$@"
 else
 	echo "Unknown user."
-	exit 1
 fi

docker/rootfs/usr/local/bin/document_thumbnails

@@ -5,13 +5,10 @@ set -e
 
 cd "${PAPERLESS_SRC_DIR}"
 
-if [[ -n "${USER_IS_NON_ROOT}" ]]; then
+if [[ $(id -u) == 0 ]]; then
-	python3 manage.py document_thumbnails "$@"
-elif [[ $(id -u) == 0 ]]; then
 	s6-setuidgid paperless python3 manage.py document_thumbnails "$@"
 elif [[ $(id -un) == "paperless" ]]; then
 	python3 manage.py document_thumbnails "$@"
 else
 	echo "Unknown user."
-	exit 1
 fi

docker/rootfs/usr/local/bin/mail_fetcher

@@ -5,13 +5,10 @@ set -e
 
 cd "${PAPERLESS_SRC_DIR}"
 
-if [[ -n "${USER_IS_NON_ROOT}" ]]; then
+if [[ $(id -u) == 0 ]]; then
-	python3 manage.py mail_fetcher "$@"
-elif [[ $(id -u) == 0 ]]; then
 	s6-setuidgid paperless python3 manage.py mail_fetcher "$@"
 elif [[ $(id -un) == "paperless" ]]; then
 	python3 manage.py mail_fetcher "$@"
 else
 	echo "Unknown user."
-	exit 1
 fi

docker/rootfs/usr/local/bin/manage_superuser

@@ -5,13 +5,10 @@ set -e
 
 cd "${PAPERLESS_SRC_DIR}"
 
-if [[ -n "${USER_IS_NON_ROOT}" ]]; then
+if [[ $(id -u) == 0 ]]; then
-	python3 manage.py manage_superuser "$@"
-elif [[ $(id -u) == 0 ]]; then
 	s6-setuidgid paperless python3 manage.py manage_superuser "$@"
 elif [[ $(id -un) == "paperless" ]]; then
 	python3 manage.py manage_superuser "$@"
 else
 	echo "Unknown user."
-	exit 1
 fi

docker/rootfs/usr/local/bin/prune_audit_logs

@@ -5,13 +5,10 @@ set -e
 
 cd "${PAPERLESS_SRC_DIR}"
 
-if [[ -n "${USER_IS_NON_ROOT}" ]]; then
+if [[ $(id -u) == 0 ]]; then
-	python3 manage.py prune_audit_logs "$@"
-elif [[ $(id -u) == 0 ]]; then
 	s6-setuidgid paperless python3 manage.py prune_audit_logs "$@"
 elif [[ $(id -un) == "paperless" ]]; then
 	python3 manage.py prune_audit_logs "$@"
 else
 	echo "Unknown user."
-	exit 1
 fi

docs/changelog.md

@@ -1,7 +1,60 @@
 # Changelog
 
+## paperless-ngx 2.20.5
+
+### Bug Fixes
+
+-   Fix: ensure horizontal scroll for long tag names in list, wrap tags without parent [@shamoon](https://github.com/shamoon) ([#11811](https://github.com/paperless-ngx/paperless-ngx/pull/11811))
+-   Fix: use explicit order field for workflow actions [@shamoon](https://github.com/shamoon) [@stumpylog](https://github.com/stumpylog) ([#11781](https://github.com/paperless-ngx/paperless-ngx/pull/11781))
+
+### All App Changes
+
+<details>
+<summary>2 changes</summary>
+
+-   Fix: ensure horizontal scroll for long tag names in list, wrap tags without parent [@shamoon](https://github.com/shamoon) ([#11811](https://github.com/paperless-ngx/paperless-ngx/pull/11811))
+-   Fix: use explicit order field for workflow actions [@shamoon](https://github.com/shamoon) [@stumpylog](https://github.com/stumpylog) ([#11781](https://github.com/paperless-ngx/paperless-ngx/pull/11781))
+</details>
+
+## paperless-ngx 2.20.4
+
+### Security
+
+-   Resolve [GHSA-28cf-xvcf-hw6m](https://github.com/paperless-ngx/paperless-ngx/security/advisories/GHSA-28cf-xvcf-hw6m)
+
+### Bug Fixes
+
+-   Fix: propagate metadata override created value [@shamoon](https://github.com/shamoon) ([#11659](https://github.com/paperless-ngx/paperless-ngx/pull/11659))
+-   Fix: support ordering by storage path name [@shamoon](https://github.com/shamoon) ([#11661](https://github.com/paperless-ngx/paperless-ngx/pull/11661))
+-   Fix: validate cf integer values within PostgreSQL range [@shamoon](https://github.com/shamoon) ([#11666](https://github.com/paperless-ngx/paperless-ngx/pull/11666))
+-   Fixhancement: add error handling and retry when opening index [@shamoon](https://github.com/shamoon) ([#11731](https://github.com/paperless-ngx/paperless-ngx/pull/11731))
+-   Fix: fix recurring workflow to respect latest run time [@shamoon](https://github.com/shamoon) ([#11735](https://github.com/paperless-ngx/paperless-ngx/pull/11735))
+
+### All App Changes
+
+<details>
+<summary>5 changes</summary>
+
+-   Fix: propagate metadata override created value [@shamoon](https://github.com/shamoon) ([#11659](https://github.com/paperless-ngx/paperless-ngx/pull/11659))
+-   Fix: support ordering by storage path name [@shamoon](https://github.com/shamoon) ([#11661](https://github.com/paperless-ngx/paperless-ngx/pull/11661))
+-   Fix: validate cf integer values within PostgreSQL range [@shamoon](https://github.com/shamoon) ([#11666](https://github.com/paperless-ngx/paperless-ngx/pull/11666))
+-   Fixhancement: add error handling and retry when opening index [@shamoon](https://github.com/shamoon) ([#11731](https://github.com/paperless-ngx/paperless-ngx/pull/11731))
+-   Fix: fix recurring workflow to respect latest run time [@shamoon](https://github.com/shamoon) ([#11735](https://github.com/paperless-ngx/paperless-ngx/pull/11735))
+</details>
+
+## paperless-ngx 2.20.3
+
+### Security
+
+-   Resolve [GHSA-7cq3-mhxq-w946](https://github.com/paperless-ngx/paperless-ngx/security/advisories/GHSA-7cq3-mhxq-w946)
+
 ## paperless-ngx 2.20.2
 
+### Security
+
+-   Resolve [GHSA-6653-vcx4-69mc](https://github.com/paperless-ngx/paperless-ngx/security/advisories/GHSA-6653-vcx4-69mc)
+-   Resolve [GHSA-24x5-wp64-9fcc](https://github.com/paperless-ngx/paperless-ngx/security/advisories/GHSA-24x5-wp64-9fcc)
+
 ### Features / Enhancements
 
 -   Tweakhancement: dim inactive users in users-groups list [@shamoon](https://github.com/shamoon) ([#11537](https://github.com/paperless-ngx/paperless-ngx/pull/11537))

docs/configuration.md

@@ -170,11 +170,18 @@ Available options are `postgresql` and `mariadb`.
 
     !!! note
 
-        A small pool is typically sufficient — for example, a size of 4.
+        A pool of 8-10 connections per worker is typically sufficient.
-        Make sure your PostgreSQL server's max_connections setting is large enough to handle:
+        If you encounter error messages such as `couldn't get a connection`
-        ```(Paperless workers + Celery workers) × pool size + safety margin```
+        or database connection timeouts, you probably need to increase the pool size.
-        For example, with 4 Paperless workers and 2 Celery workers, and a pool size of 4:
+
-        (4 + 2) × 4 + 10 = 34 connections required.
+    !!! warning
+        Make sure your PostgreSQL `max_connections` setting is large enough to handle the connection pools:
+        `(NB_PAPERLESS_WORKERS + NB_CELERY_WORKERS) × POOL_SIZE + SAFETY_MARGIN`. For example, with
+        4 Paperless workers and 2 Celery workers, and a pool size of 8:``(4 + 2) × 8 + 10 = 58`,
+        so `max_connections = 60` (or even more) is appropriate.
+
+        This assumes only Paperless-ngx connects to your PostgreSQL instance. If you have other applications,
+        you should increase `max_connections` accordingly.
 
 #### [`PAPERLESS_DB_READ_CACHE_ENABLED=<bool>`](#PAPERLESS_DB_READ_CACHE_ENABLED) {#PAPERLESS_DB_READ_CACHE_ENABLED}
 
@@ -1007,7 +1014,7 @@ still perform some basic text pre-processing before matching.
 
 : See also `PAPERLESS_NLTK_DIR`.
 
-    Defaults to 1.
+    Defaults to true, enabling the feature.
 
 #### [`PAPERLESS_DATE_PARSER_LANGUAGES=<lang>`](#PAPERLESS_DATE_PARSER_LANGUAGES) {#PAPERLESS_DATE_PARSER_LANGUAGES}
 
@@ -1074,7 +1081,7 @@ valid crontab(5) expression describing when to run.
 
 : Enables compression of the responses from the webserver.
 
-: Defaults to 1, enabling compression.
+: Defaults to true, enabling compression.
 
     !!! note
 

pyproject.toml

@@ -238,7 +238,7 @@ lint.isort.force-single-line = true
 
 [tool.codespell]
 write-changes = true
-ignore-words-list = "criterias,afterall,valeu,ureue,equest,ure,assertIn,Oktober,commitish"
+ignore-words-list = "criterias,afterall,valeu,ureue,equest,ure,assertIn,Oktober"
 skip = "src-ui/src/locale/*,src-ui/pnpm-lock.yaml,src-ui/e2e/*,src/paperless_mail/tests/samples/*,src/documents/tests/samples/*,*.po,*.json"
 
 [tool.pytest.ini_options]

src-ui/src/app/components/manage/management-list/management-list.component.spec.ts

@@ -229,21 +229,6 @@ describe('ManagementListComponent', () => {
     expect(reloadSpy).toHaveBeenCalled()
   })
 
-  it('should use the all list length for collection size when provided', fakeAsync(() => {
-    jest.spyOn(tagService, 'listFiltered').mockReturnValueOnce(
-      of({
-        count: 1,
-        all: [1, 2, 3],
-        results: tags.slice(0, 1),
-      })
-    )
-
-    component.reloadData()
-    tick(100)
-
-    expect(component.collectionSize).toBe(3)
-  }))
-
   it('should support quick filter for objects', () => {
     const qfSpy = jest.spyOn(documentListViewService, 'quickFilter')
     const filterButton = fixture.debugElement.queryAll(By.css('button'))[9]

src-ui/src/app/components/manage/management-list/management-list.component.ts

@@ -171,7 +171,7 @@ export abstract class ManagementListComponent<T extends MatchingModel>
         tap((c) => {
           this.unfilteredData = c.results
           this.data = this.filterData(c.results)
-          this.collectionSize = c.all?.length ?? c.count
+          this.collectionSize = c.count
         }),
         delay(100)
       )

src/documents/data_models.py

@@ -115,7 +115,7 @@ class DocumentMetadataOverrides:
             ).values_list("id", flat=True),
         )
         overrides.custom_fields = {
-            custom_field.field.id: custom_field.value
+            custom_field.id: custom_field.value
             for custom_field in doc.custom_fields.all()
         }
 

src/documents/index.py

@@ -602,7 +602,7 @@ def rewrite_natural_date_keywords(query_string: str) -> str:
 
             case "this year":
                 start = datetime(local_now.year, 1, 1, 0, 0, 0, tzinfo=tz)
-                end = datetime(local_now.year, 12, 31, 23, 59, 59, tzinfo=tz)
+                end = datetime.combine(today, time.max, tzinfo=tz)
 
             case "previous week":
                 days_since_monday = local_now.weekday()

src/documents/permissions.py

@@ -2,17 +2,10 @@ from django.contrib.auth.models import Group
 from django.contrib.auth.models import Permission
 from django.contrib.auth.models import User
 from django.contrib.contenttypes.models import ContentType
-from django.db.models import Count
-from django.db.models import IntegerField
-from django.db.models import OuterRef
 from django.db.models import Q
 from django.db.models import QuerySet
-from django.db.models import Subquery
-from django.db.models.functions import Cast
-from django.db.models.functions import Coalesce
 from guardian.core import ObjectPermissionChecker
 from guardian.models import GroupObjectPermission
-from guardian.models import UserObjectPermission
 from guardian.shortcuts import assign_perm
 from guardian.shortcuts import get_objects_for_user
 from guardian.shortcuts import get_users_with_perms
@@ -136,93 +129,23 @@ def set_permissions_for_object(permissions: dict, object, *, merge: bool = False
                         )
 
 
-def _permitted_document_ids(user):
-    """
-    Return a queryset of document IDs the user may view, limited to non-deleted
-    documents. This intentionally avoids ``get_objects_for_user`` to keep the
-    subquery small and index-friendly.
-    """
-
-    base_docs = Document.objects.filter(deleted_at__isnull=True).only("id", "owner")
-
-    if user is None or not getattr(user, "is_authenticated", False):
-        # Just Anonymous user e.g. for drf-spectacular
-        return base_docs.filter(owner__isnull=True).values_list("id", flat=True)
-
-    if getattr(user, "is_superuser", False):
-        return base_docs.values_list("id", flat=True)
-
-    document_ct = ContentType.objects.get_for_model(Document)
-    perm_filter = {
-        "permission__codename": "view_document",
-        "permission__content_type": document_ct,
-    }
-
-    user_perm_docs = (
-        UserObjectPermission.objects.filter(user=user, **perm_filter)
-        .annotate(object_pk_int=Cast("object_pk", IntegerField()))
-        .values_list("object_pk_int", flat=True)
-    )
-
-    group_perm_docs = (
-        GroupObjectPermission.objects.filter(group__user=user, **perm_filter)
-        .annotate(object_pk_int=Cast("object_pk", IntegerField()))
-        .values_list("object_pk_int", flat=True)
-    )
-
-    permitted_documents = user_perm_docs.union(group_perm_docs)
-
-    return base_docs.filter(
-        Q(owner=user) | Q(owner__isnull=True) | Q(id__in=permitted_documents),
-    ).values_list("id", flat=True)
-
-
 def get_document_count_filter_for_user(user):
     """
     Return the Q object used to filter document counts for the given user.
-
-    The filter is expressed as an ``id__in`` against a small subquery of permitted
-    document IDs to keep the generated SQL simple and avoid large OR clauses.
     """
 
+    if user is None or not getattr(user, "is_authenticated", False):
+        return Q(documents__deleted_at__isnull=True, documents__owner__isnull=True)
     if getattr(user, "is_superuser", False):
-        # Superuser: no permission filtering needed
         return Q(documents__deleted_at__isnull=True)
-
+    return Q(
-    permitted_ids = _permitted_document_ids(user)
+        documents__deleted_at__isnull=True,
-    return Q(documents__id__in=permitted_ids)
+        documents__id__in=get_objects_for_user_owner_aware(
-
+            user,
-
+            "documents.view_document",
-def annotate_document_count_for_related_queryset(
+            Document,
-    queryset,
+        ).values_list("id", flat=True),
-    through_model,
-    source_field: str,
-    target_field: str = "document_id",
-    user=None,
-):
-    """
-    Annotate a queryset with permissions-aware document counts using a subquery
-    against a relation table.
-
-    Args:
-        queryset: base queryset to annotate (must contain pk)
-        through_model: model representing the relation (e.g., Document.tags.through
-                       or CustomFieldInstance)
-        source_field: field on the relation pointing back to queryset pk
-        target_field: field on the relation pointing to Document id
-        user: the user for whom to filter permitted document ids
-    """
-
-    permitted_ids = _permitted_document_ids(user)
-    counts = (
-        through_model.objects.filter(
-            **{source_field: OuterRef("pk"), f"{target_field}__in": permitted_ids},
     )
-        .values(source_field)
-        .annotate(c=Count(target_field))
-        .values("c")
-    )
-    return queryset.annotate(document_count=Coalesce(Subquery(counts[:1]), 0))
 
 
 def get_objects_for_user_owner_aware(user, perms, Model) -> QuerySet:

src/documents/serialisers.py

@@ -580,10 +580,6 @@ class TagSerializer(MatchingModelSerializer, OwnedObjectSerializer):
         ),
     )
     def get_children(self, obj):
-        children_map = self.context.get("children_map")
-        if children_map is not None:
-            children = children_map.get(obj.pk, [])
-        else:
         filter_q = self.context.get("document_count_filter")
         request = self.context.get("request")
         if filter_q is None:
@@ -591,7 +587,7 @@ class TagSerializer(MatchingModelSerializer, OwnedObjectSerializer):
             filter_q = get_document_count_filter_for_user(user)
             self.context["document_count_filter"] = filter_q
 
-            children = (
+        children_queryset = (
             obj.get_children_queryset()
             .select_related("owner")
             .annotate(document_count=Count("documents", filter=filter_q))
@@ -599,15 +595,15 @@ class TagSerializer(MatchingModelSerializer, OwnedObjectSerializer):
 
         view = self.context.get("view")
         ordering = (
-                OrderingFilter().get_ordering(request, children, view)
+            OrderingFilter().get_ordering(request, children_queryset, view)
             if request and view
             else None
         )
         ordering = ordering or (Lower("name"),)
-            children = children.order_by(*ordering)
+        children_queryset = children_queryset.order_by(*ordering)
 
         serializer = TagSerializer(
-            children,
+            children_queryset,
             many=True,
             user=self.user,
             full_perms=self.full_perms,
@@ -699,9 +695,6 @@ class StoragePathField(serializers.PrimaryKeyRelatedField):
 
 class CustomFieldSerializer(serializers.ModelSerializer):
     def __init__(self, *args, **kwargs):
-        # Ignore args passed by permissions mixin
-        kwargs.pop("user", None)
-        kwargs.pop("full_perms", None)
         context = kwargs.get("context")
         self.api_version = int(
             context.get("request").version

src/documents/tests/test_index.py

@@ -180,7 +180,7 @@ class TestRewriteNaturalDateKeywords(SimpleTestCase):
             (
                 "added:this year",
                 datetime(2025, 7, 15, 12, 0, 0, tzinfo=timezone.utc),
-                ("added:[20250101", "TO 20251231"),
+                ("added:[20250101", "TO 20250715"),
             ),
             (
                 "added:previous year",

src/documents/views.py

@@ -32,6 +32,7 @@ from django.db.models import Count
 from django.db.models import IntegerField
 from django.db.models import Max
 from django.db.models import Model
+from django.db.models import Q
 from django.db.models import Sum
 from django.db.models import When
 from django.db.models.functions import Length
@@ -127,7 +128,6 @@ from documents.matching import match_storage_paths
 from documents.matching import match_tags
 from documents.models import Correspondent
 from documents.models import CustomField
-from documents.models import CustomFieldInstance
 from documents.models import Document
 from documents.models import DocumentType
 from documents.models import Note
@@ -147,7 +147,6 @@ from documents.permissions import PaperlessAdminPermissions
 from documents.permissions import PaperlessNotePermissions
 from documents.permissions import PaperlessObjectPermissions
 from documents.permissions import ViewDocumentsPermissions
-from documents.permissions import annotate_document_count_for_related_queryset
 from documents.permissions import get_document_count_filter_for_user
 from documents.permissions import get_objects_for_user_owner_aware
 from documents.permissions import has_perms_owner_aware
@@ -371,37 +370,22 @@ class PermissionsAwareDocumentCountMixin(BulkPermissionMixin, PassUserMixin):
     Mixin to add document count to queryset, permissions-aware if needed
     """
 
-    # Default is simple relation path, override for through-table/count specialization.
-    document_count_through = None
-    document_count_source_field = None
-
     def get_document_count_filter(self):
         request = getattr(self, "request", None)
         user = getattr(request, "user", None) if request else None
         return get_document_count_filter_for_user(user)
 
     def get_queryset(self):
-        base_qs = super().get_queryset()
-
-        # Use optimized through-table counting when configured.
-        if self.document_count_through:
-            user = getattr(getattr(self, "request", None), "user", None)
-            return annotate_document_count_for_related_queryset(
-                base_qs,
-                through_model=self.document_count_through,
-                source_field=self.document_count_source_field,
-                user=user,
-            )
-
-        # Fallback: simple Count on relation with permission filter.
         filter = self.get_document_count_filter()
-        return base_qs.annotate(
+        return (
-            document_count=Count("documents", filter=filter),
+            super()
+            .get_queryset()
+            .annotate(document_count=Count("documents", filter=filter))
         )
 
 
 @extend_schema_view(**generate_object_with_permissions_schema(CorrespondentSerializer))
-class CorrespondentViewSet(PermissionsAwareDocumentCountMixin, ModelViewSet):
+class CorrespondentViewSet(ModelViewSet, PermissionsAwareDocumentCountMixin):
     model = Correspondent
 
     queryset = Correspondent.objects.select_related("owner").order_by(Lower("name"))
@@ -438,10 +422,8 @@ class CorrespondentViewSet(PermissionsAwareDocumentCountMixin, ModelViewSet):
 
 
 @extend_schema_view(**generate_object_with_permissions_schema(TagSerializer))
-class TagViewSet(PermissionsAwareDocumentCountMixin, ModelViewSet):
+class TagViewSet(ModelViewSet, PermissionsAwareDocumentCountMixin):
     model = Tag
-    document_count_through = Document.tags.through
-    document_count_source_field = "tag_id"
 
     queryset = Tag.objects.select_related("owner").order_by(
         Lower("name"),
@@ -466,51 +448,8 @@ class TagViewSet(PermissionsAwareDocumentCountMixin, ModelViewSet):
     def get_serializer_context(self):
         context = super().get_serializer_context()
         context["document_count_filter"] = self.get_document_count_filter()
-        if hasattr(self, "_children_map"):
-            context["children_map"] = self._children_map
         return context
 
-    def list(self, request, *args, **kwargs):
-        """
-        Build a children map once to avoid per-parent queries in the serializer.
-        """
-        queryset = self.filter_queryset(self.get_queryset())
-        ordering = OrderingFilter().get_ordering(request, queryset, self) or (
-            Lower("name"),
-        )
-        queryset = queryset.order_by(*ordering)
-
-        all_tags = list(queryset)
-        descendant_pks = {pk for tag in all_tags for pk in tag.get_descendants_pks()}
-
-        if descendant_pks:
-            user = getattr(getattr(self, "request", None), "user", None)
-            children_source = list(
-                annotate_document_count_for_related_queryset(
-                    Tag.objects.filter(pk__in=descendant_pks | {t.pk for t in all_tags})
-                    .select_related("owner")
-                    .order_by(*ordering),
-                    through_model=self.document_count_through,
-                    source_field=self.document_count_source_field,
-                    user=user,
-                ),
-            )
-        else:
-            children_source = all_tags
-
-        children_map = {}
-        for tag in children_source:
-            children_map.setdefault(tag.tn_parent_id, []).append(tag)
-        self._children_map = children_map
-
-        page = self.paginate_queryset(queryset)
-        serializer = self.get_serializer(page, many=True)
-        response = self.get_paginated_response(serializer.data)
-        if descendant_pks:
-            # Include children in the "all" field, if needed
-            response.data["all"] = [tag.pk for tag in children_source]
-        return response
-
     def perform_update(self, serializer):
         old_parent = self.get_object().get_parent()
         tag = serializer.save()
@@ -520,7 +459,7 @@ class TagViewSet(PermissionsAwareDocumentCountMixin, ModelViewSet):
 
 
 @extend_schema_view(**generate_object_with_permissions_schema(DocumentTypeSerializer))
-class DocumentTypeViewSet(PermissionsAwareDocumentCountMixin, ModelViewSet):
+class DocumentTypeViewSet(ModelViewSet, PermissionsAwareDocumentCountMixin):
     model = DocumentType
 
     queryset = DocumentType.objects.select_related("owner").order_by(Lower("name"))
@@ -1121,7 +1060,7 @@ class DocumentViewSet(
             ):
                 return HttpResponseForbidden("Insufficient permissions to delete notes")
 
-            note = Note.objects.get(id=int(request.GET.get("id")), document=doc)
+            note = Note.objects.get(id=int(request.GET.get("id")))
             if settings.AUDIT_LOG_ENABLED:
                 LogEntry.objects.log_create(
                     instance=doc,
@@ -2364,7 +2303,7 @@ class BulkDownloadView(GenericAPIView):
 
 
 @extend_schema_view(**generate_object_with_permissions_schema(StoragePathSerializer))
-class StoragePathViewSet(PermissionsAwareDocumentCountMixin, ModelViewSet):
+class StoragePathViewSet(ModelViewSet, PermissionsAwareDocumentCountMixin):
     model = StoragePath
 
     queryset = StoragePath.objects.select_related("owner").order_by(
@@ -2881,7 +2820,7 @@ class WorkflowViewSet(ModelViewSet):
     )
 
 
-class CustomFieldViewSet(PermissionsAwareDocumentCountMixin, ModelViewSet):
+class CustomFieldViewSet(ModelViewSet):
     permission_classes = (IsAuthenticated, PaperlessObjectPermissions)
 
     serializer_class = CustomFieldSerializer
@@ -2893,11 +2832,35 @@ class CustomFieldViewSet(PermissionsAwareDocumentCountMixin, ModelViewSet):
     filterset_class = CustomFieldFilterSet
 
     model = CustomField
-    document_count_through = CustomFieldInstance
-    document_count_source_field = "field_id"
 
     queryset = CustomField.objects.all().order_by("-created")
 
+    def get_queryset(self):
+        filter = (
+            Q(fields__document__deleted_at__isnull=True)
+            if self.request.user is None or self.request.user.is_superuser
+            else (
+                Q(
+                    fields__document__deleted_at__isnull=True,
+                    fields__document__id__in=get_objects_for_user_owner_aware(
+                        self.request.user,
+                        "documents.view_document",
+                        Document,
+                    ).values_list("id", flat=True),
+                )
+            )
+        )
+        return (
+            super()
+            .get_queryset()
+            .annotate(
+                document_count=Count(
+                    "fields",
+                    filter=filter,
+                ),
+            )
+        )
+
 
 @extend_schema_view(
     get=extend_schema(