From e269973209bbfa76f65d57d39e2592bf8e19d7f6 Mon Sep 17 00:00:00 2001
From: shamoon <4887959+shamoon@users.noreply.github.com>
Date: Sun, 7 Apr 2024 07:35:09 -0700
Subject: [PATCH] Fix: dont enable create endpoint with PassUserMixin
---
 src/documents/tests/test_api_documents.py | 8 ++++++++
 src/documents/views.py | 10 +++++-----
 2 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/src/documents/tests/test_api_documents.py b/src/documents/tests/test_api_documents.py
index 4798fef95..0a94a5677 100644
--- a/src/documents/tests/test_api_documents.py
+++ b/src/documents/tests/test_api_documents.py
@@ -815,6 +815,14 @@ class TestDocumentApi(DirectoriesMixin, DocumentConsumeDelayMixin, APITestCase):
 self.assertIsNone(overrides.document_type_id)
 self.assertIsNone(overrides.tag_ids)
+ def test_create_wrong_endpoint(self):
+ response = self.client.post(
+ "/api/documents/",
+ {},
+ )
+
+ self.assertEqual(response.status_code, status.HTTP_405_METHOD_NOT_ALLOWED)
+
 def test_upload_empty_metadata(self):
 self.consume_file_mock.return_value = celery.result.AsyncResult(
 id=str(uuid.uuid4()),
diff --git a/src/documents/views.py b/src/documents/views.py
index 3fcc54023..40cce819b 100644
--- a/src/documents/views.py
+++ b/src/documents/views.py
@@ -201,7 +201,7 @@ class IndexView(TemplateView):
 return context
-class PassUserMixin(CreateModelMixin):
+class PassUserMixin(GenericAPIView):
 """
 Pass a user object to serializer
 """
@@ -853,7 +853,7 @@ class LogViewSet(ViewSet):
 return Response(exist)
-class SavedViewViewSet(ModelViewSet, PassUserMixin):
+class SavedViewViewSet(ModelViewSet, PassUserMixin, CreateModelMixin):
 model = SavedView
 queryset = SavedView.objects.all()
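Review bot: `test_create_wrong_endpoint` asserts only the 405 status of a POST to `/api/documents/` and has no docstring saying what it guards against. A one-line docstring such as `"""POST on the document list route must be rejected; the create action is not meant to be exposed there."""` would record why this regression test exists. Asserting that nothing was persisted, e.g. `self.assertEqual(Document.objects.count(), 0)`, would pin the actual property rather than just the response code; this assumes `Document` is imported in the test module and the test case starts with no documents, which the hunk does not show. Only this one route is exercised, so other views that inherit `PassUserMixin` are presumably not covered by it.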
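Review bot: The docstring of `PassUserMixin` still reads only "Pass a user object to serializer", although after this change the class derives from `GenericAPIView` and deliberately no longer contributes a `create` action. Stating that in the docstring, e.g. `Pass a user object to serializer. Provides no action mixins; views that need create must add CreateModelMixin explicitly.`, would keep a later refactor from putting a write mixin back here and re-exposing POST on every subclass. The class body continues outside the hunk.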
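Review bot: `CreateModelMixin` in the bases of `SavedViewViewSet` is redundant, because DRF's `ModelViewSet` already includes it; `class SavedViewViewSet(ModelViewSet, PassUserMixin):` resolves to the same set of actions. Listing it again suggests that the create action depends on this line, which can mislead whoever later tries to restrict the viewset's write surface. The class body continues outside the hunk.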
@@ -873,7 +873,7 @@ class SavedViewViewSet(ModelViewSet, PassUserMixin):
 serializer.save(owner=self.request.user)
-class BulkEditView(GenericAPIView, PassUserMixin):
+class BulkEditView(PassUserMixin, CreateModelMixin):
 permission_classes = (IsAuthenticated,)
 serializer_class = BulkEditSerializer
 parser_classes = (parsers.JSONParser,)
@@ -1450,7 +1450,7 @@ def serve_file(doc: Document, use_archive: bool, disposition: str):
 return response
-class BulkEditObjectsView(GenericAPIView, PassUserMixin):
+class BulkEditObjectsView(PassUserMixin, CreateModelMixin):
 permission_classes = (IsAuthenticated,)
 serializer_class = BulkEditObjectsSerializer
 parser_classes = (parsers.JSONParser,)
@@ -1582,7 +1582,7 @@ class CustomFieldViewSet(ModelViewSet):
 queryset = CustomField.objects.all().order_by("-created")
-class SystemStatusView(GenericAPIView, PassUserMixin):
+class SystemStatusView(PassUserMixin):
 permission_classes = (IsAuthenticated,)
 def get(self, request, format=None):
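Review bot: `CreateModelMixin` is added to the bases of `BulkEditView` here and of `BulkEditObjectsView` in the `@@ -1450` hunk, but on a view that is not a viewset the mixin is reachable only if a handler calls `self.create()`, and neither class body is visible in these hunks. If their `post` handlers do not call it, `class BulkEditView(PassUserMixin):` and `class BulkEditObjectsView(PassUserMixin):` would keep each view's write surface limited to the handlers it defines itself, matching how `SystemStatusView` is declared in the last hunk. If the mixin is kept on purpose, a short comment on each class saying which handler relies on it would help the next reader.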