Add permission filtering in files & folders query logic

2023-09-03 20:08:46 +08:00 · 2023-09-03 20:08:46 +08:00 · a58c96a51e
commit a58c96a51e
parent 9c66c41436
1 changed files with 5 additions and 1 deletions
--- a/src/documents/views.py
+++ b/src/documents/views.py
@ -1010,7 +1010,11 @@ class FilesAndFoldersViewSet(ReadOnlyModelViewSet):
            folders = list(StoragePath.objects.exclude(path__contains='/'))
            files = list(Document.objects.all().filter(storage_path=None).order_by(ordering))

-        combined = folders + files
+        # Filter objects by object-level permissions
+        visible_folders = [f for f in folders if request.user.has_perm(f'view_{StoragePath._meta.model_name}', f)]
+        visible_files = [f for f in files if request.user.has_perm(f'view_{Document._meta.model_name}', f)]
+
+        combined = visible_folders + visible_files
        
        start = (page - 1) * page_size
        end = page * page_size