Merge branch 'main' into dev

2026-06-23 13:54:19 +00:00 · 2026-03-15 18:50:42 -07:00
parent 9d69705e26 1e00ad5f30
commit 48cd1cce6a
17 changed files with 322 additions and 12 deletions
@@ -932,6 +932,8 @@ def run_workflows(
            if not use_overrides:
                # limit title to 128 characters
                document.title = document.title[:128]
+                # Make sure the filename and archive filename are accurate
+                document.refresh_from_db(fields=["filename", "archive_filename"])
                # save first before setting tags
                document.save()
                document.tags.set(doc_tag_ids)
@@ -888,6 +888,19 @@ class TestApiUser(DirectoriesMixin, APITestCase):

        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)

+        response = self.client.post(
+            f"{self.ENDPOINT}",
+            json.dumps(
+                {
+                    "username": "user4",
+                    "is_superuser": "true",
+                },
+            ),
+            content_type="application/json",
+        )
+
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+
        self.client.force_authenticate(user2)

        response = self.client.patch(
@@ -920,6 +933,65 @@ class TestApiUser(DirectoriesMixin, APITestCase):
        returned_user1 = User.objects.get(pk=user1.pk)
        self.assertEqual(returned_user1.is_superuser, False)

+    def test_only_superusers_can_create_or_alter_staff_status(self):
+        """
+        GIVEN:
+            - Existing user account
+        WHEN:
+            - API request is made to add a user account with staff status
+            - API request is made to change staff status
+        THEN:
+            - Only superusers can change staff status
+        """
+
+        user1 = User.objects.create_user(username="user1")
+        user1.user_permissions.add(*Permission.objects.all())
+        user2 = User.objects.create_superuser(username="user2")
+
+        self.client.force_authenticate(user1)
+
+        response = self.client.patch(
+            f"{self.ENDPOINT}{user1.pk}/",
+            json.dumps(
+                {
+                    "is_staff": "true",
+                },
+            ),
+            content_type="application/json",
+        )
+
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+
+        response = self.client.post(
+            f"{self.ENDPOINT}",
+            json.dumps(
+                {
+                    "username": "user3",
+                    "is_staff": 1,
+                },
+            ),
+            content_type="application/json",
+        )
+
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+
+        self.client.force_authenticate(user2)
+
+        response = self.client.patch(
+            f"{self.ENDPOINT}{user1.pk}/",
+            json.dumps(
+                {
+                    "is_staff": True,
+                },
+            ),
+            content_type="application/json",
+        )
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+
+        returned_user1 = User.objects.get(pk=user1.pk)
+        self.assertEqual(returned_user1.is_staff, True)
+

 class TestApiGroup(DirectoriesMixin, APITestCase):
    ENDPOINT = "/api/groups/"
@@ -28,6 +28,7 @@ from rest_framework.test import APIClient
 from rest_framework.test import APITestCase

 from documents.file_handling import create_source_path_directory
+from documents.file_handling import generate_filename
 from documents.file_handling import generate_unique_filename
 from documents.signals.handlers import run_workflows
 from documents.workflows.webhooks import send_webhook
@@ -905,6 +906,63 @@ class TestWorkflows(
        expected_str = f"Document matched {trigger} from {w}"
        self.assertIn(expected_str, cm.output[0])

+    def test_workflow_assign_custom_field_keeps_storage_filename_in_sync(self) -> None:
+        """
+        GIVEN:
+            - Existing document with a storage path template that depends on a custom field
+            - Existing workflow triggered on document update assigning that custom field
+        WHEN:
+            - Workflow runs for the document
+        THEN:
+            - The database filename remains aligned with the moved file on disk
+        """
+        storage_path = StoragePath.objects.create(
+            name="workflow-custom-field-path",
+            path="{{ custom_fields|get_cf_value('Custom Field 1', 'none') }}/{{ title }}",
+        )
+        doc = Document.objects.create(
+            title="workflow custom field sync",
+            mime_type="application/pdf",
+            checksum="workflow-custom-field-sync",
+            storage_path=storage_path,
+            original_filename="workflow-custom-field-sync.pdf",
+        )
+        CustomFieldInstance.objects.create(
+            document=doc,
+            field=self.cf1,
+            value_text="initial",
+        )
+
+        generated = generate_unique_filename(doc)
+        destination = (settings.ORIGINALS_DIR / generated).resolve()
+        create_source_path_directory(destination)
+        shutil.copy(self.SAMPLE_DIR / "simple.pdf", destination)
+        Document.objects.filter(pk=doc.pk).update(filename=generated.as_posix())
+        doc.refresh_from_db()
+
+        trigger = WorkflowTrigger.objects.create(
+            type=WorkflowTrigger.WorkflowTriggerType.DOCUMENT_UPDATED,
+        )
+        action = WorkflowAction.objects.create(
+            type=WorkflowAction.WorkflowActionType.ASSIGNMENT,
+            assign_custom_fields_values={self.cf1.pk: "cars"},
+        )
+        action.assign_custom_fields.add(self.cf1.pk)
+        workflow = Workflow.objects.create(
+            name="Workflow custom field filename sync",
+            order=0,
+        )
+        workflow.triggers.add(trigger)
+        workflow.actions.add(action)
+        workflow.save()
+
+        run_workflows(WorkflowTrigger.WorkflowTriggerType.DOCUMENT_UPDATED, doc)
+
+        doc.refresh_from_db()
+        expected_filename = generate_filename(doc)
+        self.assertEqual(Path(doc.filename), expected_filename)
+        self.assertTrue(doc.source_path.is_file())
+
    def test_document_added_workflow(self) -> None:
        trigger = WorkflowTrigger.objects.create(
            type=WorkflowTrigger.WorkflowTriggerType.DOCUMENT_ADDED,
@@ -1,6 +1,6 @@
 from typing import Final

-__version__: Final[tuple[int, int, int]] = (2, 20, 10)
+__version__: Final[tuple[int, int, int]] = (2, 20, 11)
 # Version string like X.Y.Z
 __full_version_str__: Final[str] = ".".join(map(str, __version__))
 # Version string like X.Y
@@ -25,6 +25,8 @@ from drf_spectacular.utils import extend_schema_view
 from rest_framework.authtoken.models import Token
 from rest_framework.authtoken.views import ObtainAuthToken
 from rest_framework.decorators import action
+from rest_framework.exceptions import ValidationError
+from rest_framework.fields import BooleanField
 from rest_framework.filters import OrderingFilter
 from rest_framework.generics import GenericAPIView
 from rest_framework.pagination import PageNumberPagination
@@ -105,6 +107,7 @@ class FaviconView(View):


 class UserViewSet(ModelViewSet):
+    _BOOL_NOT_PROVIDED = object()
    model = User

    queryset = User.objects.exclude(
@@ -118,27 +121,65 @@ class UserViewSet(ModelViewSet):
    filterset_class = UserFilterSet
    ordering_fields = ("username",)

+    @staticmethod
+    def _parse_requested_bool(data, key: str):
+        if key not in data:
+            return UserViewSet._BOOL_NOT_PROVIDED
+        try:
+            return BooleanField().to_internal_value(data.get(key))
+        except ValidationError:
+            # Let serializer validation report invalid values as 400 responses
+            return UserViewSet._BOOL_NOT_PROVIDED
+
    def create(self, request, *args, **kwargs):
-        if not request.user.is_superuser and request.data.get("is_superuser") is True:
-            return HttpResponseForbidden(
-                "Superuser status can only be granted by a superuser",
-            )
+        requested_is_superuser = self._parse_requested_bool(
+            request.data,
+            "is_superuser",
+        )
+        requested_is_staff = self._parse_requested_bool(request.data, "is_staff")
+
+        if not request.user.is_superuser:
+            if requested_is_superuser is True:
+                return HttpResponseForbidden(
+                    "Superuser status can only be granted by a superuser",
+                )
+            if requested_is_staff is True:
+                return HttpResponseForbidden(
+                    "Staff status can only be granted by a superuser",
+                )
+
        return super().create(request, *args, **kwargs)

    def update(self, request, *args, **kwargs):
        user_to_update: User = self.get_object()
+
        if not request.user.is_superuser and user_to_update.is_superuser:
            return HttpResponseForbidden(
                "Superusers can only be modified by other superusers",
            )
+
+        requested_is_superuser = self._parse_requested_bool(
+            request.data,
+            "is_superuser",
+        )
+        requested_is_staff = self._parse_requested_bool(request.data, "is_staff")
+
        if (
            not request.user.is_superuser
-            and request.data.get("is_superuser") is not None
-            and request.data.get("is_superuser") != user_to_update.is_superuser
+            and requested_is_superuser is not self._BOOL_NOT_PROVIDED
+            and requested_is_superuser != user_to_update.is_superuser
        ):
            return HttpResponseForbidden(
                "Superuser status can only be changed by a superuser",
            )
+        if (
+            not request.user.is_superuser
+            and requested_is_staff is not self._BOOL_NOT_PROVIDED
+            and requested_is_staff != user_to_update.is_staff
+        ):
+            return HttpResponseForbidden(
+                "Staff status can only be changed by a superuser",
+            )
        return super().update(request, *args, **kwargs)

    @extend_schema(