Remove commitish for now

Bump version to 2.20.6
Security: enforce ownership for permission updates
2026-01-30 23:08:59 -06:00 · 2026-01-30 19:49:43 -08:00 · 2026-01-30 17:59:55 -08:00 · 2026-01-30 13:55:55 -08:00 · 2026-01-30 12:14:18 -08:00 · 2026-01-30 11:49:22 -08:00
33 changed files with 242 additions and 49 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -617,7 +617,6 @@ jobs:
          version: ${{ steps.get_version.outputs.version }}
          prerelease: ${{ steps.get_version.outputs.prerelease }}
          publish: true # ensures release is not marked as draft
-          committish: ${{ github.sha }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Upload release archive
--- a/docker/management_script.sh
+++ b/docker/management_script.sh
@@ -5,10 +5,13 @@ set -e

 cd "${PAPERLESS_SRC_DIR}"

-if [[ $(id -u) == 0 ]]; then
+if [[ -n "${USER_IS_NON_ROOT}" ]]; then
+	python3 manage.py management_command "$@"
+elif [[ $(id -u) == 0 ]]; then
 	s6-setuidgid paperless python3 manage.py management_command "$@"
 elif [[ $(id -un) == "paperless" ]]; then
 	python3 manage.py management_command "$@"
 else
 	echo "Unknown user."
+	exit 1
 fi
--- a/docker/rootfs/usr/local/bin/convert_mariadb_uuid
+++ b/docker/rootfs/usr/local/bin/convert_mariadb_uuid
@@ -5,10 +5,13 @@ set -e

 cd "${PAPERLESS_SRC_DIR}"

-if [[ $(id -u) == 0 ]]; then
+if [[ -n "${USER_IS_NON_ROOT}" ]]; then
+	python3 manage.py convert_mariadb_uuid "$@"
+elif [[ $(id -u) == 0 ]]; then
 	s6-setuidgid paperless python3 manage.py convert_mariadb_uuid "$@"
 elif [[ $(id -un) == "paperless" ]]; then
 	python3 manage.py convert_mariadb_uuid "$@"
 else
 	echo "Unknown user."
+	exit 1
 fi
--- a/docker/rootfs/usr/local/bin/createsuperuser
+++ b/docker/rootfs/usr/local/bin/createsuperuser
@@ -5,10 +5,13 @@ set -e

 cd "${PAPERLESS_SRC_DIR}"

-if [[ $(id -u) == 0 ]]; then
+if [[ -n "${USER_IS_NON_ROOT}" ]]; then
+	python3 manage.py createsuperuser "$@"
+elif [[ $(id -u) == 0 ]]; then
 	s6-setuidgid paperless python3 manage.py createsuperuser "$@"
 elif [[ $(id -un) == "paperless" ]]; then
 	python3 manage.py createsuperuser "$@"
 else
 	echo "Unknown user."
+	exit 1
 fi
--- a/docker/rootfs/usr/local/bin/decrypt_documents
+++ b/docker/rootfs/usr/local/bin/decrypt_documents
@@ -5,10 +5,13 @@ set -e

 cd "${PAPERLESS_SRC_DIR}"

-if [[ $(id -u) == 0 ]]; then
+if [[ -n "${USER_IS_NON_ROOT}" ]]; then
+	python3 manage.py decrypt_documents "$@"
+elif [[ $(id -u) == 0 ]]; then
 	s6-setuidgid paperless python3 manage.py decrypt_documents "$@"
 elif [[ $(id -un) == "paperless" ]]; then
 	python3 manage.py decrypt_documents "$@"
 else
 	echo "Unknown user."
+	exit 1
 fi
--- a/docker/rootfs/usr/local/bin/document_archiver
+++ b/docker/rootfs/usr/local/bin/document_archiver
@@ -5,10 +5,13 @@ set -e

 cd "${PAPERLESS_SRC_DIR}"

-if [[ $(id -u) == 0 ]]; then
+if [[ -n "${USER_IS_NON_ROOT}" ]]; then
+	python3 manage.py document_archiver "$@"
+elif [[ $(id -u) == 0 ]]; then
 	s6-setuidgid paperless python3 manage.py document_archiver "$@"
 elif [[ $(id -un) == "paperless" ]]; then
 	python3 manage.py document_archiver "$@"
 else
 	echo "Unknown user."
+	exit 1
 fi
--- a/docker/rootfs/usr/local/bin/document_create_classifier
+++ b/docker/rootfs/usr/local/bin/document_create_classifier
@@ -5,10 +5,17 @@ set -e

 cd "${PAPERLESS_SRC_DIR}"

-if [[ $(id -u) == 0 ]]; then
+if [[ -n "${USER_IS_NON_ROOT}" ]]; then
+	python3 manage.py document_create_classifier "$@"
+elif [[ $(id -u) == 0 ]]; then
 	s6-setuidgid paperless python3 manage.py document_create_classifier "$@"
 elif [[ $(id -un) == "paperless" ]]; then
 	python3 manage.py document_create_classifier "$@"
 else
 	echo "Unknown user."
+	exit 1
+fi
+er "$@"
+elif [[ $(id -un) == "paperless" ]]; then
+	s6-setuidgid paperless python3 manage.py document_create_classifier "$@"
 fi
--- a/docker/rootfs/usr/local/bin/document_exporter
+++ b/docker/rootfs/usr/local/bin/document_exporter
@@ -5,10 +5,13 @@ set -e

 cd "${PAPERLESS_SRC_DIR}"

-if [[ $(id -u) == 0 ]]; then
+if [[ -n "${USER_IS_NON_ROOT}" ]]; then
+	python3 manage.py document_exporter "$@"
+elif [[ $(id -u) == 0 ]]; then
 	s6-setuidgid paperless python3 manage.py document_exporter "$@"
 elif [[ $(id -un) == "paperless" ]]; then
 	python3 manage.py document_exporter "$@"
 else
 	echo "Unknown user."
+	exit 1
 fi
--- a/docker/rootfs/usr/local/bin/document_fuzzy_match
+++ b/docker/rootfs/usr/local/bin/document_fuzzy_match
@@ -5,10 +5,13 @@ set -e

 cd "${PAPERLESS_SRC_DIR}"

-if [[ $(id -u) == 0 ]]; then
+if [[ -n "${USER_IS_NON_ROOT}" ]]; then
+	python3 manage.py document_fuzzy_match "$@"
+elif [[ $(id -u) == 0 ]]; then
 	s6-setuidgid paperless python3 manage.py document_fuzzy_match "$@"
 elif [[ $(id -un) == "paperless" ]]; then
 	python3 manage.py document_fuzzy_match "$@"
 else
 	echo "Unknown user."
+	exit 1
 fi
--- a/docker/rootfs/usr/local/bin/document_importer
+++ b/docker/rootfs/usr/local/bin/document_importer
@@ -5,10 +5,13 @@ set -e

 cd "${PAPERLESS_SRC_DIR}"

-if [[ $(id -u) == 0 ]]; then
+if [[ -n "${USER_IS_NON_ROOT}" ]]; then
+	python3 manage.py document_importer "$@"
+elif [[ $(id -u) == 0 ]]; then
 	s6-setuidgid paperless python3 manage.py document_importer "$@"
 elif [[ $(id -un) == "paperless" ]]; then
 	python3 manage.py document_importer "$@"
 else
 	echo "Unknown user."
+	exit 1
 fi
--- a/docker/rootfs/usr/local/bin/document_index
+++ b/docker/rootfs/usr/local/bin/document_index
@@ -5,10 +5,13 @@ set -e

 cd "${PAPERLESS_SRC_DIR}"

-if [[ $(id -u) == 0 ]]; then
+if [[ -n "${USER_IS_NON_ROOT}" ]]; then
+	python3 manage.py document_index "$@"
+elif [[ $(id -u) == 0 ]]; then
 	s6-setuidgid paperless python3 manage.py document_index "$@"
 elif [[ $(id -un) == "paperless" ]]; then
 	python3 manage.py document_index "$@"
 else
 	echo "Unknown user."
+	exit 1
 fi
--- a/docker/rootfs/usr/local/bin/document_renamer
+++ b/docker/rootfs/usr/local/bin/document_renamer
@@ -5,10 +5,13 @@ set -e

 cd "${PAPERLESS_SRC_DIR}"

-if [[ $(id -u) == 0 ]]; then
+if [[ -n "${USER_IS_NON_ROOT}" ]]; then
+	python3 manage.py document_renamer "$@"
+elif [[ $(id -u) == 0 ]]; then
 	s6-setuidgid paperless python3 manage.py document_renamer "$@"
 elif [[ $(id -un) == "paperless" ]]; then
 	python3 manage.py document_renamer "$@"
 else
 	echo "Unknown user."
+	exit 1
 fi
--- a/docker/rootfs/usr/local/bin/document_retagger
+++ b/docker/rootfs/usr/local/bin/document_retagger
@@ -5,10 +5,13 @@ set -e

 cd "${PAPERLESS_SRC_DIR}"

-if [[ $(id -u) == 0 ]]; then
+if [[ -n "${USER_IS_NON_ROOT}" ]]; then
+	python3 manage.py document_retagger "$@"
+elif [[ $(id -u) == 0 ]]; then
 	s6-setuidgid paperless python3 manage.py document_retagger "$@"
 elif [[ $(id -un) == "paperless" ]]; then
 	python3 manage.py document_retagger "$@"
 else
 	echo "Unknown user."
+	exit 1
 fi
--- a/docker/rootfs/usr/local/bin/document_sanity_checker
+++ b/docker/rootfs/usr/local/bin/document_sanity_checker
@@ -5,10 +5,13 @@ set -e

 cd "${PAPERLESS_SRC_DIR}"

-if [[ $(id -u) == 0 ]]; then
+if [[ -n "${USER_IS_NON_ROOT}" ]]; then
+	python3 manage.py document_sanity_checker "$@"
+elif [[ $(id -u) == 0 ]]; then
 	s6-setuidgid paperless python3 manage.py document_sanity_checker "$@"
 elif [[ $(id -un) == "paperless" ]]; then
 	python3 manage.py document_sanity_checker "$@"
 else
 	echo "Unknown user."
+	exit 1
 fi
--- a/docker/rootfs/usr/local/bin/document_thumbnails
+++ b/docker/rootfs/usr/local/bin/document_thumbnails
@@ -5,10 +5,13 @@ set -e

 cd "${PAPERLESS_SRC_DIR}"

-if [[ $(id -u) == 0 ]]; then
+if [[ -n "${USER_IS_NON_ROOT}" ]]; then
+	python3 manage.py document_thumbnails "$@"
+elif [[ $(id -u) == 0 ]]; then
 	s6-setuidgid paperless python3 manage.py document_thumbnails "$@"
 elif [[ $(id -un) == "paperless" ]]; then
 	python3 manage.py document_thumbnails "$@"
 else
 	echo "Unknown user."
+	exit 1
 fi
--- a/docker/rootfs/usr/local/bin/mail_fetcher
+++ b/docker/rootfs/usr/local/bin/mail_fetcher
@@ -5,10 +5,13 @@ set -e

 cd "${PAPERLESS_SRC_DIR}"

-if [[ $(id -u) == 0 ]]; then
+if [[ -n "${USER_IS_NON_ROOT}" ]]; then
+	python3 manage.py mail_fetcher "$@"
+elif [[ $(id -u) == 0 ]]; then
 	s6-setuidgid paperless python3 manage.py mail_fetcher "$@"
 elif [[ $(id -un) == "paperless" ]]; then
 	python3 manage.py mail_fetcher "$@"
 else
 	echo "Unknown user."
+	exit 1
 fi
--- a/docker/rootfs/usr/local/bin/manage_superuser
+++ b/docker/rootfs/usr/local/bin/manage_superuser
@@ -5,10 +5,13 @@ set -e

 cd "${PAPERLESS_SRC_DIR}"

-if [[ $(id -u) == 0 ]]; then
+if [[ -n "${USER_IS_NON_ROOT}" ]]; then
+	python3 manage.py manage_superuser "$@"
+elif [[ $(id -u) == 0 ]]; then
 	s6-setuidgid paperless python3 manage.py manage_superuser "$@"
 elif [[ $(id -un) == "paperless" ]]; then
 	python3 manage.py manage_superuser "$@"
 else
 	echo "Unknown user."
+	exit 1
 fi
--- a/docker/rootfs/usr/local/bin/prune_audit_logs
+++ b/docker/rootfs/usr/local/bin/prune_audit_logs
@@ -5,10 +5,13 @@ set -e

 cd "${PAPERLESS_SRC_DIR}"

-if [[ $(id -u) == 0 ]]; then
+if [[ -n "${USER_IS_NON_ROOT}" ]]; then
+	python3 manage.py prune_audit_logs "$@"
+elif [[ $(id -u) == 0 ]]; then
 	s6-setuidgid paperless python3 manage.py prune_audit_logs "$@"
 elif [[ $(id -un) == "paperless" ]]; then
 	python3 manage.py prune_audit_logs "$@"
 else
 	echo "Unknown user."
+	exit 1
 fi
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "paperless-ngx"
-version = "2.20.5"
+version = "2.20.6"
 description = "A community-supported supercharged document management system: scan, index and archive all your physical documents"
 readme = "README.md"
 requires-python = ">=3.10"
@@ -238,7 +238,7 @@ lint.isort.force-single-line = true

 [tool.codespell]
 write-changes = true
-ignore-words-list = "criterias,afterall,valeu,ureue,equest,ure,assertIn,Oktober"
+ignore-words-list = "criterias,afterall,valeu,ureue,equest,ure,assertIn,Oktober,commitish"
 skip = "src-ui/src/locale/*,src-ui/pnpm-lock.yaml,src-ui/e2e/*,src/paperless_mail/tests/samples/*,src/documents/tests/samples/*,*.po,*.json"

 [tool.pytest.ini_options]
--- a/src-ui/package.json
+++ b/src-ui/package.json
@@ -1,6 +1,6 @@
 {
  "name": "paperless-ngx-ui",
-  "version": "2.20.5",
+  "version": "2.20.6",
  "scripts": {
    "preinstall": "npx only-allow pnpm",
    "ng": "ng",
--- a/src-ui/src/app/components/manage/management-list/management-list.component.spec.ts
+++ b/src-ui/src/app/components/manage/management-list/management-list.component.spec.ts
@@ -229,6 +229,21 @@ describe('ManagementListComponent', () => {
    expect(reloadSpy).toHaveBeenCalled()
  })

+  it('should use the all list length for collection size when provided', fakeAsync(() => {
+    jest.spyOn(tagService, 'listFiltered').mockReturnValueOnce(
+      of({
+        count: 1,
+        all: [1, 2, 3],
+        results: tags.slice(0, 1),
+      })
+    )
+
+    component.reloadData()
+    tick(100)
+
+    expect(component.collectionSize).toBe(3)
+  }))
+
  it('should support quick filter for objects', () => {
    const qfSpy = jest.spyOn(documentListViewService, 'quickFilter')
    const filterButton = fixture.debugElement.queryAll(By.css('button'))[9]
--- a/src-ui/src/app/components/manage/management-list/management-list.component.ts
+++ b/src-ui/src/app/components/manage/management-list/management-list.component.ts
@@ -171,7 +171,7 @@ export abstract class ManagementListComponent<T extends MatchingModel>
        tap((c) => {
          this.unfilteredData = c.results
          this.data = this.filterData(c.results)
-          this.collectionSize = c.count
+          this.collectionSize = c.all?.length ?? c.count
        }),
        delay(100)
      )
--- a/src-ui/src/app/components/manage/saved-views/saved-views.component.html
+++ b/src-ui/src/app/components/manage/saved-views/saved-views.component.html
@@ -51,6 +51,7 @@
            @if (displayFields) {
              <pngx-input-drag-drop-select i18n-title title="Show" i18n-emptyText emptyText="Default" [items]="displayFields" formControlName="display_fields"></pngx-input-drag-drop-select>
            }
+            <span class="small text-muted fst-italic" i18n>Note: ordering is not preserved</span>
          </div>
      </div>
      </li>
--- a/src-ui/src/environments/environment.prod.ts
+++ b/src-ui/src/environments/environment.prod.ts
@@ -6,7 +6,7 @@ export const environment = {
  apiVersion: '9', // match src/paperless/settings.py
  appTitle: 'Paperless-ngx',
  tag: 'prod',
-  version: '2.20.5',
+  version: '2.20.6',
  webSocketHost: window.location.host,
  webSocketProtocol: window.location.protocol == 'https:' ? 'wss:' : 'ws:',
  webSocketBaseUrl: base_url.pathname + 'ws/',
--- a/src/documents/data_models.py
+++ b/src/documents/data_models.py
@@ -115,7 +115,7 @@ class DocumentMetadataOverrides:
            ).values_list("id", flat=True),
        )
        overrides.custom_fields = {
-            custom_field.id: custom_field.value
+            custom_field.field.id: custom_field.value
            for custom_field in doc.custom_fields.all()
        }

--- a/src/documents/index.py
+++ b/src/documents/index.py
@@ -602,7 +602,7 @@ def rewrite_natural_date_keywords(query_string: str) -> str:

            case "this year":
                start = datetime(local_now.year, 1, 1, 0, 0, 0, tzinfo=tz)
-                end = datetime.combine(today, time.max, tzinfo=tz)
+                end = datetime(local_now.year, 12, 31, 23, 59, 59, tzinfo=tz)

            case "previous week":
                days_since_monday = local_now.weekday()
--- a/src/documents/serialisers.py
+++ b/src/documents/serialisers.py
@@ -40,6 +40,7 @@ from guardian.utils import get_group_obj_perms_model
 from guardian.utils import get_user_obj_perms_model
 from rest_framework import fields
 from rest_framework import serializers
+from rest_framework.exceptions import PermissionDenied
 from rest_framework.fields import SerializerMethodField
 from rest_framework.filters import OrderingFilter

@@ -436,6 +437,19 @@ class OwnedObjectSerializer(
        return instance

    def update(self, instance, validated_data):
+        user = getattr(self, "user", None)
+        is_superuser = user.is_superuser if user is not None else False
+        is_owner = instance.owner == user if user is not None else False
+        is_unowned = instance.owner is None
+
+        if (
+            ("owner" in validated_data and validated_data["owner"] != instance.owner)
+            or "set_permissions" in validated_data
+        ) and not (is_superuser or is_owner or is_unowned):
+            raise PermissionDenied(
+                _("Insufficient permissions."),
+            )
+
        if "set_permissions" in validated_data:
            self._set_permissions(validated_data["set_permissions"], instance)
        self.validate_unique_together(validated_data, instance)
@@ -580,6 +594,10 @@ class TagSerializer(MatchingModelSerializer, OwnedObjectSerializer):
        ),
    )
    def get_children(self, obj):
+        children_map = self.context.get("children_map")
+        if children_map is not None:
+            children = children_map.get(obj.pk, [])
+        else:
            filter_q = self.context.get("document_count_filter")
            request = self.context.get("request")
            if filter_q is None:
@@ -587,7 +605,7 @@ class TagSerializer(MatchingModelSerializer, OwnedObjectSerializer):
                filter_q = get_document_count_filter_for_user(user)
                self.context["document_count_filter"] = filter_q

-        children_queryset = (
+            children = (
                obj.get_children_queryset()
                .select_related("owner")
                .annotate(document_count=Count("documents", filter=filter_q))
@@ -595,15 +613,15 @@ class TagSerializer(MatchingModelSerializer, OwnedObjectSerializer):

            view = self.context.get("view")
            ordering = (
-            OrderingFilter().get_ordering(request, children_queryset, view)
+                OrderingFilter().get_ordering(request, children, view)
                if request and view
                else None
            )
            ordering = ordering or (Lower("name"),)
-        children_queryset = children_queryset.order_by(*ordering)
+            children = children.order_by(*ordering)

        serializer = TagSerializer(
-            children_queryset,
+            children,
            many=True,
            user=self.user,
            full_perms=self.full_perms,
--- a/src/documents/tests/test_api_documents.py
+++ b/src/documents/tests/test_api_documents.py
@@ -1216,6 +1216,17 @@ class TestDocumentApi(DirectoriesMixin, DocumentConsumeDelayMixin, APITestCase):

        self.assertEqual(response.status_code, status.HTTP_405_METHOD_NOT_ALLOWED)

+    def test_upload_insufficient_permissions(self):
+        self.client.force_authenticate(user=User.objects.create_user("testuser2"))
+
+        with (Path(__file__).parent / "samples" / "simple.pdf").open("rb") as f:
+            response = self.client.post(
+                "/api/documents/post_document/",
+                {"document": f},
+            )
+
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+
    def test_upload_empty_metadata(self):
        self.consume_file_mock.return_value = celery.result.AsyncResult(
            id=str(uuid.uuid4()),
--- a/src/documents/tests/test_api_permissions.py
+++ b/src/documents/tests/test_api_permissions.py
@@ -441,6 +441,59 @@ class TestApiAuth(DirectoriesMixin, APITestCase):
        self.assertTrue(checker.has_perm("change_document", doc))
        self.assertIn("change_document", get_perms(group1, doc))

+    def test_document_permissions_change_requires_owner(self):
+        owner = User.objects.create_user(username="owner")
+        editor = User.objects.create_user(username="editor")
+        editor.user_permissions.add(
+            *Permission.objects.all(),
+        )
+
+        doc = Document.objects.create(
+            title="Ownered doc",
+            content="sensitive",
+            checksum="abc123",
+            mime_type="application/pdf",
+            owner=owner,
+        )
+
+        assign_perm("view_document", editor, doc)
+        assign_perm("change_document", editor, doc)
+
+        self.client.force_authenticate(editor)
+        response = self.client.patch(
+            f"/api/documents/{doc.pk}/",
+            json.dumps(
+                {
+                    "set_permissions": {
+                        "view": {
+                            "users": [editor.id],
+                            "groups": [],
+                        },
+                        "change": {
+                            "users": None,
+                            "groups": None,
+                        },
+                    },
+                },
+            ),
+            content_type="application/json",
+        )
+
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+
+        self.client.force_authenticate(editor)
+        response = self.client.patch(
+            f"/api/documents/{doc.pk}/",
+            json.dumps(
+                {
+                    "owner": editor.id,
+                },
+            ),
+            content_type="application/json",
+        )
+
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+
    def test_dynamic_permissions_fields(self):
        user1 = User.objects.create_user(username="user1")
        user1.user_permissions.add(*Permission.objects.filter(codename="view_document"))
--- a/src/documents/tests/test_index.py
+++ b/src/documents/tests/test_index.py
@@ -180,7 +180,7 @@ class TestRewriteNaturalDateKeywords(SimpleTestCase):
            (
                "added:this year",
                datetime(2025, 7, 15, 12, 0, 0, tzinfo=timezone.utc),
-                ("added:[20250101", "TO 20250715"),
+                ("added:[20250101", "TO 20251231"),
            ),
            (
                "added:previous year",
--- a/src/documents/views.py
+++ b/src/documents/views.py
@@ -448,8 +448,47 @@ class TagViewSet(ModelViewSet, PermissionsAwareDocumentCountMixin):
    def get_serializer_context(self):
        context = super().get_serializer_context()
        context["document_count_filter"] = self.get_document_count_filter()
+        if hasattr(self, "_children_map"):
+            context["children_map"] = self._children_map
        return context

+    def list(self, request, *args, **kwargs):
+        """
+        Build a children map once to avoid per-parent queries in the serializer.
+        """
+        queryset = self.filter_queryset(self.get_queryset())
+        ordering = OrderingFilter().get_ordering(request, queryset, self) or (
+            Lower("name"),
+        )
+        queryset = queryset.order_by(*ordering)
+
+        all_tags = list(queryset)
+        descendant_pks = {pk for tag in all_tags for pk in tag.get_descendants_pks()}
+
+        if descendant_pks:
+            filter_q = self.get_document_count_filter()
+            children_source = list(
+                Tag.objects.filter(pk__in=descendant_pks | {t.pk for t in all_tags})
+                .select_related("owner")
+                .annotate(document_count=Count("documents", filter=filter_q))
+                .order_by(*ordering),
+            )
+        else:
+            children_source = all_tags
+
+        children_map = {}
+        for tag in children_source:
+            children_map.setdefault(tag.tn_parent_id, []).append(tag)
+        self._children_map = children_map
+
+        page = self.paginate_queryset(queryset)
+        serializer = self.get_serializer(page, many=True)
+        response = self.get_paginated_response(serializer.data)
+        if descendant_pks:
+            # Include children in the "all" field, if needed
+            response.data["all"] = [tag.pk for tag in children_source]
+        return response
+
    def perform_update(self, serializer):
        old_parent = self.get_object().get_parent()
        tag = serializer.save()
@@ -1060,7 +1099,7 @@ class DocumentViewSet(
            ):
                return HttpResponseForbidden("Insufficient permissions to delete notes")

-            note = Note.objects.get(id=int(request.GET.get("id")))
+            note = Note.objects.get(id=int(request.GET.get("id")), document=doc)
            if settings.AUDIT_LOG_ENABLED:
                LogEntry.objects.log_create(
                    instance=doc,
@@ -1664,6 +1703,8 @@ class PostDocumentView(GenericAPIView):
    parser_classes = (parsers.MultiPartParser,)

    def post(self, request, *args, **kwargs):
+        if not request.user.has_perm("documents.add_document"):
+            return HttpResponseForbidden("Insufficient permissions")
        serializer = self.get_serializer(data=request.data)
        serializer.is_valid(raise_exception=True)

--- a/src/paperless/version.py
+++ b/src/paperless/version.py
@@ -1,6 +1,6 @@
 from typing import Final

-__version__: Final[tuple[int, int, int]] = (2, 20, 5)
+__version__: Final[tuple[int, int, int]] = (2, 20, 6)
 # Version string like X.Y.Z
 __full_version_str__: Final[str] = ".".join(map(str, __version__))
 # Version string like X.Y
--- a/uv.lock
+++ b/uv.lock
@@ -2115,7 +2115,7 @@ wheels = [

 [[package]]
 name = "paperless-ngx"
-version = "2.20.5"
+version = "2.20.6"
 source = { virtual = "." }
 dependencies = [
    { name = "babel", marker = "sys_platform == 'darwin' or sys_platform == 'linux'" },
Author	SHA1	Message	Date
shamoon	17275933ca	Remove commitish for now	2026-01-30 19:49:43 -08:00
shamoon	3e41d99a82	Bump version to 2.20.6	2026-01-30 17:59:55 -08:00
shamoon	5cc3c087d9	Security: enforce ownership for permission updates	2026-01-30 13:55:55 -08:00
shamoon	c8c4c7c749	Security: enforce permissions for post_document	2026-01-30 12:14:18 -08:00
shamoon	836c81e037	Chore: add note about ordering	2026-01-30 11:49:22 -08:00
shamoon	e4b861d76f	Fix: prevent note deletion outside doc	2026-01-29 13:35:01 -08:00
shamoon	6913f9d79c	Fix: fix user checks in management scripts (#11928 )	2026-01-28 13:45:12 -08:00
shamoon	891f4a2faf	Fix: correctly extract all ids for nested tags (#11888 )	2026-01-26 09:12:03 -08:00
shamoon	2312314aa7	Performance: improve treenode inefficiencies (#11606 )	2026-01-25 21:47:08 -08:00
shamoon	72e8b73108	Fix test	2026-01-25 17:08:15 -08:00
shamoon	5c9ff367e3	Fixhancement: change date calculation for 'this year' to include future documents (#11884 )	2026-01-25 16:56:51 -08:00
Trenton H	94f6b8d36d	Fixes the management scripts under a non-root install where the user ID is something besides 1000 (#11870 )	2026-01-23 16:08:28 -08:00
shamoon	32d04e1fd3	Fix: use correct field id for overrides (#11869 )	2026-01-23 15:49:22 -08:00
Trenton H	56c744fd56	Fixes the spelling of the commitish argument to the action	2026-01-23 15:49:00 -08:00