diff --git a/src/documents/tests/test_api_objects.py b/src/documents/tests/test_api_objects.py index 3b38f2b5f..9a0ccd598 100644 --- a/src/documents/tests/test_api_objects.py +++ b/src/documents/tests/test_api_objects.py @@ -1,6 +1,7 @@ import json from unittest import mock +from django.contrib.auth.models import Permission from django.contrib.auth.models import User from rest_framework import status from rest_framework.test import APITestCase 
@@ -310,17 +311,77 @@ class TestBulkEditObjects(APITestCase): self.assertEqual(response.status_code, status.HTTP_200_OK) self.assertEqual(StoragePath.objects.count(), 0) - def test_bulk_edit_object_permissions_insufficient_perms(self): + def test_bulk_edit_object_permissions_insufficient_global_perms(self): """ GIVEN: - - Objects owned by user other than logged in user + - Existing objects, user does not have global delete permissions WHEN: - bulk_edit_objects API endpoint is called with delete operation THEN: - User is not able to delete objects """ - self.t1.owner = User.objects.get(username="temp_admin") - self.t1.save() + self.client.force_authenticate(user=self.user1) + + response = self.client.post( + "/api/bulk_edit_objects/", + json.dumps( + { + "objects": [self.t1.id, self.t2.id], + "object_type": "tags", + "operation": "delete", + }, + ), + content_type="application/json", + ) + + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + self.assertEqual(response.content, b"Insufficient permissions") + + def test_bulk_edit_object_permissions_sufficient_global_perms(self): + """ + GIVEN: + - Existing objects, user does have global delete permissions + WHEN: + - bulk_edit_objects API endpoint is called with delete operation + THEN: + - User is able to delete objects + """ + self.user1.user_permissions.add( + *Permission.objects.filter(codename="delete_tag"), + ) + self.user1.save() + self.client.force_authenticate(user=self.user1) + + response = self.client.post( + "/api/bulk_edit_objects/", + json.dumps( + { + "objects": [self.t1.id, self.t2.id], + "object_type": "tags", + "operation": "delete", + }, + ), + content_type="application/json", + ) + + self.assertEqual(response.status_code, status.HTTP_200_OK) + + def test_bulk_edit_object_permissions_insufficient_object_perms(self): + """ + GIVEN: + - Objects owned by user other than logged in user + WHEN: + - bulk_edit_objects API endpoint is called with delete operation + THEN: + - User is not able 
to delete objects + """ + self.t2.owner = User.objects.get(username="temp_admin") + self.t2.save() + + self.user1.user_permissions.add( + *Permission.objects.filter(codename="delete_tag"), + ) + self.user1.save() self.client.force_authenticate(user=self.user1) response = self.client.post( diff --git a/src/documents/views.py b/src/documents/views.py index c73a8050b..6169ac5bb 100644 --- a/src/documents/views.py +++ b/src/documents/views.py @@ -1419,7 +1419,15 @@ class BulkEditObjectsView(GenericAPIView, PassUserMixin): objs = object_class.objects.filter(pk__in=object_ids) if not user.is_superuser: - has_perms = all((obj.owner == user or obj.owner is None) for obj in objs) + model_name = object_class._meta.verbose_name + perm = ( + f"documents.change_{model_name}" + if operation == "set_permissions" + else f"documents.delete_{model_name}" + ) + has_perms = user.has_perm(perm) and all( + (obj.owner == user or obj.owner is None) for obj in objs + ) if not has_perms: return HttpResponseForbidden("Insufficient permissions")
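Review bot: The two new permission tests exercise only `object_type: "tags"`, so the view's per-model permission string is never checked against a model whose label differs from its codename; please add the same insufficient/sufficient pair (or a parametrized loop) for `"correspondents"`, `"document_types"` and `"storage_paths"` with the matching `delete_*` codenames. `Permission.objects.filter(codename="delete_tag")` selects by codename alone, which is presumably unique here but would silently grant a same-named permission from another app — narrowing with `content_type__app_label="documents"` makes the fixture exact. The `self.user1.save()` after `user_permissions.add(...)` is redundant, since M2M `add` writes immediately; harmless, but it suggests the permission cache matters more than it does (`has_perm` is first called only after authentication). The body of `test_bulk_edit_object_permissions_insufficient_object_perms` continues past the end of this hunk.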
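Review bot: `model_name = object_class._meta.verbose_name` builds the permission string from a human-readable label, but Django's auto-generated permission codenames are derived from `_meta.model_name`; for any multi-word model (Django's default verbose_name for a class like `StoragePath` is `"storage path"`) the f-string yields `documents.delete_storage path`, `has_perm` is always False, and every non-superuser is refused even with the right global permission. If the project's `verbose_name` values are `gettext_lazy` strings (not visible in this hunk, but common), the check would additionally vary with the request locale. Use the codename-safe fields instead: `model_name = object_class._meta.model_name` and build the string as `f"{object_class._meta.app_label}.delete_{model_name}"` (likewise for `change_`), which also drops the hard-coded `documents.` label. The new tests only cover tags, whose single-word name masks this, so a storage-path case would be worth adding; the enclosing `post` method starts and ends outside this hunk.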