From 1ae146a38b27ebe9a26ec72f9504edcb7bece982 Mon Sep 17 00:00:00 2001
From: stumpylog <797416+stumpylog@users.noreply.github.com>
Date: Wed, 15 Apr 2026 13:59:01 -0700
Subject: [PATCH] fix(tasks): add read_only_fields to TaskSerializerV9, enforce admin via permission_classes on run action
---
 src/documents/serialisers.py | 1 +
 src/documents/views.py | 8 +++-----
 2 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/src/documents/serialisers.py b/src/documents/serialisers.py
index e18ac52ac..79cef7a17 100644
--- a/src/documents/serialisers.py
+++ b/src/documents/serialisers.py
@@ -2523,6 +2523,7 @@ class TaskSerializerV9(serializers.ModelSerializer):
 "duplicate_documents",
 "owner",
 )
+ read_only_fields = fields
 def get_task_file_name(self, obj: PaperlessTask) -> str | None:
 if not obj.input_data:
diff --git a/src/documents/views.py b/src/documents/views.py
index a08ce1f5b..9d236ab0d 100644
--- a/src/documents/views.py
+++ b/src/documents/views.py
@@ -93,6 +93,7 @@ from rest_framework.mixins import DestroyModelMixin
 from rest_framework.mixins import ListModelMixin
 from rest_framework.mixins import RetrieveModelMixin
 from rest_framework.mixins import UpdateModelMixin
+from rest_framework.permissions import IsAdminUser
 from rest_framework.permissions import IsAuthenticated
 from rest_framework.request import Request
 from rest_framework.response import Response
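Review bot: `read_only_fields = fields` in the `TaskSerializerV9` hunk of `src/documents/serialisers.py` only affects fields that DRF generates from the model; a field declared explicitly on the serializer ignores `Meta.read_only_fields` and stays writable unless its own declaration carries `read_only=True`. The class body starts outside the hunk, so whether entries such as `duplicate_documents` or `owner` are declared fields cannot be seen here; if any are, they need `read_only=True` themselves. A comment above the new line would record this, e.g. `# declared fields ignore read_only_fields; they must set read_only=True themselves`.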
@@ -3901,16 +3902,13 @@ class TasksViewSet(ReadOnlyModelViewSet[PaperlessTask]):
 serializer = self.get_serializer(queryset, many=True)
 return Response(serializer.data)
- @action(methods=["post"], detail=False)
+ @action(methods=["post"], detail=False, permission_classes=[IsAdminUser])
 def run(self, request):
- """Manually dispatch a background task. Superuser only."""
+ """Manually dispatch a background task. Superuser (admin) only."""
 serializer = RunTaskSerializer(data=request.data)
 serializer.is_valid(raise_exception=True)
 task_type = serializer.validated_data.get("task_type")
- if not request.user.is_superuser:
- return HttpResponseForbidden("Insufficient permissions")
-
 task_func_map = {
 PaperlessTask.TaskType.INDEX_OPTIMIZE: (index_optimize, {}),
 PaperlessTask.TaskType.TRAIN_CLASSIFIER: (train_classifier, {}),
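Review bot: `permission_classes=[IsAdminUser]` on `run` does not enforce what the docstring states: DRF's `IsAdminUser` passes for any user with `is_staff` set, while the removed `if not request.user.is_superuser` check required a superuser, so staff accounts without superuser rights can now dispatch these tasks. To keep the old boundary, use a permission class that tests `is_superuser` (a `BasePermission` subclass whose `has_permission` returns `bool(request.user and request.user.is_superuser)`), or, if staff access is intended, change the docstring to say `Staff only`. An action-level `permission_classes` also replaces the viewset's list rather than adding to it, so any viewset-level permission is no longer evaluated for this route. The body of `run` continues past the end of the hunk.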