diff --git a/src/documents/tests/test_api_bulk_edit.py b/src/documents/tests/test_api_bulk_edit.py index 945f06b67..be7a81cd4 100644 --- a/src/documents/tests/test_api_bulk_edit.py +++ b/src/documents/tests/test_api_bulk_edit.py @@ -773,6 +773,22 @@ class TestBulkEditAPI(DirectoriesMixin, APITestCase): ], ) + def test_api_selection_data_requires_view_permission(self): + self.doc2.owner = self.user + self.doc2.save() + + user1 = User.objects.create(username="user1") + self.client.force_authenticate(user=user1) + + response = self.client.post( + "/api/documents/selection_data/", + json.dumps({"documents": [self.doc2.id]}), + content_type="application/json", + ) + + self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN) + self.assertEqual(response.content, b"Insufficient permissions") + @mock.patch("documents.serialisers.bulk_edit.set_permissions") def test_set_permissions(self, m): self.setup_mock(m, "set_permissions") diff --git a/src/documents/views.py b/src/documents/views.py index 2ce12c330..52687d135 100644 --- a/src/documents/views.py +++ b/src/documents/views.py @@ -1850,6 +1850,13 @@ class SelectionDataView(GenericAPIView): serializer.is_valid(raise_exception=True) ids = serializer.validated_data.get("documents") + permitted_documents = get_objects_for_user_owner_aware( + request.user, + "documents.view_document", + Document, + ) + if permitted_documents.filter(pk__in=ids).count() != len(ids): + return HttpResponseForbidden("Insufficient permissions") correspondents = Correspondent.objects.annotate( document_count=Count(