Cutlery/paperless-ngx
1
0
Fork 0
mirror of https://github.com/paperless-ngx/paperless-ngx.git synced 2025-11-03 19:17:13 -05:00
Code Issues Packages Projects Releases Wiki Activity

Fix: check permissions for all documents via bulk download (#8631)

Browse Source
This commit is contained in:
shamoon 2025-01-07 00:10:11 -08:00 committed by GitHub
parent 9181aebc8c
commit 485237caf1
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 24 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
src/documents/tests/test_api_bulk_download.py
View File

@ -23,8 +23,8 @@ class TestBulkDownload(DirectoriesMixin, APITestCase):
def setUp(self): def setUp(self):
super().setUp() super().setUp()
user = User.objects.create_superuser(username="temp_admin") self.user = User.objects.create_superuser(username="temp_admin")
self.client.force_authenticate(user=user) self.client.force_authenticate(user=self.user)
self.doc1 = Document.objects.create(title="unrelated", checksum="A") self.doc1 = Document.objects.create(title="unrelated", checksum="A")
self.doc2 = Document.objects.create( self.doc2 = Document.objects.create(
@ -333,3 +333,19 @@ class TestBulkDownload(DirectoriesMixin, APITestCase):
f.read(), f.read(),
zipf.read("originals/statement/Title 2 - Doc 3.jpg"), zipf.read("originals/statement/Title 2 - Doc 3.jpg"),
) )
def test_download_insufficient_permissions(self):
user = User.objects.create_user(username="temp_user")
self.client.force_authenticate(user=user)
self.doc2.owner = self.user
self.doc2.save()
response = self.client.post(
self.ENDPOINT,
json.dumps({"documents": [self.doc2.id, self.doc3.id]}),
content_type="application/json",
)
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
self.assertEqual(response.content, b"Insufficient permissions")

7
src/documents/views.py
View File

@ -1584,10 +1584,15 @@ class BulkDownloadView(GenericAPIView):
serializer.is_valid(raise_exception=True) serializer.is_valid(raise_exception=True)
ids = serializer.validated_data.get("documents") ids = serializer.validated_data.get("documents")
documents = Document.objects.filter(pk__in=ids)
compression = serializer.validated_data.get("compression") compression = serializer.validated_data.get("compression")
content = serializer.validated_data.get("content") content = serializer.validated_data.get("content")
follow_filename_format = serializer.validated_data.get("follow_formatting") follow_filename_format = serializer.validated_data.get("follow_formatting")
for document in documents:
if not has_perms_owner_aware(request.user, "view_document", document):
return HttpResponseForbidden("Insufficient permissions")
settings.SCRATCH_DIR.mkdir(parents=True, exist_ok=True) settings.SCRATCH_DIR.mkdir(parents=True, exist_ok=True)
temp = tempfile.NamedTemporaryFile( # noqa: SIM115 temp = tempfile.NamedTemporaryFile( # noqa: SIM115
dir=settings.SCRATCH_DIR, dir=settings.SCRATCH_DIR,
@ -1604,7 +1609,7 @@ class BulkDownloadView(GenericAPIView):
with zipfile.ZipFile(temp.name, "w", compression) as zipf: with zipfile.ZipFile(temp.name, "w", compression) as zipf:
strategy = strategy_class(zipf, follow_filename_format) strategy = strategy_class(zipf, follow_filename_format)
for document in Document.objects.filter(pk__in=ids): for document in documents:
strategy.add_document(document) strategy.add_document(document)
# TODO(stumpylog): Investigate using FileResponse here # TODO(stumpylog): Investigate using FileResponse here