paperless-ngx/src/documents/permissions.py

from rest_framework.permissions import BasePermission
from rest_framework.permissions import DjangoObjectPermissions


class PaperlessObjectPermissions(DjangoObjectPermissions):
    """
    A permissions backend that checks for object-level permissions
    or for ownership.
    """

    perms_map = {
        "GET": ["%(app_label)s.view_%(model_name)s"],
        "OPTIONS": ["%(app_label)s.view_%(model_name)s"],
        "HEAD": ["%(app_label)s.view_%(model_name)s"],
        "POST": ["%(app_label)s.add_%(model_name)s"],
        "PUT": ["%(app_label)s.change_%(model_name)s"],
        "PATCH": ["%(app_label)s.change_%(model_name)s"],
        "DELETE": ["%(app_label)s.delete_%(model_name)s"],
    }

    def has_object_permission(self, request, view, obj):
        if hasattr(obj, "owner") and obj.owner is not None:
            if request.user == obj.owner:
                return True
            else:
                return super().has_object_permission(request, view, obj)
        else:
            return True  # no owner


class PaperlessAdminPermissions(BasePermission):
    def has_permission(self, request, view):
        return request.user.has_perm("admin.view_logentry")
add api permissions test 2022-11-24 14:26:32 -08:00			`from rest_framework.permissions import BasePermission`
Object-level permissions + filtering 2022-12-05 22:56:03 -08:00			`from rest_framework.permissions import DjangoObjectPermissions`
Add Django model permissions to API endpoints 2022-11-14 01:32:50 -08:00

Object-level permissions + filtering 2022-12-05 22:56:03 -08:00			`class PaperlessObjectPermissions(DjangoObjectPermissions):`
			`"""`
			`A permissions backend that checks for object-level permissions`
			`or for ownership.`
			`"""`

Add Django model permissions to API endpoints 2022-11-14 01:32:50 -08:00			`perms_map = {`
			`"GET": ["%(app_label)s.view_%(model_name)s"],`
Object-level permissions + filtering 2022-12-05 22:56:03 -08:00			`"OPTIONS": ["%(app_label)s.view_%(model_name)s"],`
			`"HEAD": ["%(app_label)s.view_%(model_name)s"],`
Add Django model permissions to API endpoints 2022-11-14 01:32:50 -08:00			`"POST": ["%(app_label)s.add_%(model_name)s"],`
			`"PUT": ["%(app_label)s.change_%(model_name)s"],`
			`"PATCH": ["%(app_label)s.change_%(model_name)s"],`
			`"DELETE": ["%(app_label)s.delete_%(model_name)s"],`
			`}`
add api permissions test 2022-11-24 14:26:32 -08:00
Object-level permissions + filtering 2022-12-05 22:56:03 -08:00			`def has_object_permission(self, request, view, obj):`
fix python tests for user object perms 2022-12-06 20:14:33 -08:00			`if hasattr(obj, "owner") and obj.owner is not None:`
			`if request.user == obj.owner:`
			`return True`
			`else:`
			`return super().has_object_permission(request, view, obj)`
Object-level permissions + filtering 2022-12-05 22:56:03 -08:00			`else:`
fix python tests for user object perms 2022-12-06 20:14:33 -08:00			`return True # no owner`
Object-level permissions + filtering 2022-12-05 22:56:03 -08:00
add api permissions test 2022-11-24 14:26:32 -08:00
			`class PaperlessAdminPermissions(BasePermission):`
			`def has_permission(self, request, view):`
			`return request.user.has_perm("admin.view_logentry")`