Aligns v10 and v9 task permissions with each other

2026-04-18 05:58:52 +00:00 · 2026-04-17 13:17:07 -07:00
parent 3467541de1
commit f526ee2dfc
2 changed files with 10 additions and 12 deletions
--- a/src/documents/tests/test_api_tasks.py
+++ b/src/documents/tests/test_api_tasks.py
@@ -165,12 +165,12 @@ class TestGetTasksV10:
        ids = [t["task_id"] for t in response.data]
        assert ids == [t3.task_id, t2.task_id, t1.task_id]

-    def test_list_scoped_to_own_tasks_for_regular_user(
+    def test_list_scoped_to_own_and_unowned_tasks_for_regular_user(
        self,
        admin_user: User,
        regular_user: User,
    ) -> None:
-        """Regular users see only tasks they own; tasks owned by others or unowned are hidden."""
+        """Regular users see their own tasks and unowned (system) tasks; other users' tasks are hidden."""
        regular_user.user_permissions.add(
            Permission.objects.get(codename="view_paperlesstask"),
        )
@@ -180,14 +180,15 @@ class TestGetTasksV10:
        client.credentials(HTTP_ACCEPT=ACCEPT_V10)

        PaperlessTaskFactory(owner=admin_user)  # other user — not visible
-        PaperlessTaskFactory()  # unowned (system task) — not visible
+        unowned_task = PaperlessTaskFactory()  # unowned (system task) — visible
        own_task = PaperlessTaskFactory(owner=regular_user)

        response = client.get(ENDPOINT)

        assert response.status_code == status.HTTP_200_OK
-        assert len(response.data) == 1
-        assert response.data[0]["task_id"] == own_task.task_id
+        assert len(response.data) == 2
+        visible_ids = {t["task_id"] for t in response.data}
+        assert visible_ids == {own_task.task_id, unowned_task.task_id}

    def test_list_admin_sees_all_tasks(
        self,
@@ -401,7 +402,7 @@ class TestGetTasksV9:
        admin_user: User,
        regular_user: User,
    ) -> None:
-        """v9 non-staff users see their own tasks plus unowned tasks."""
+        """Non-staff users see their own tasks plus unowned tasks via v9 API."""
        regular_user.user_permissions.add(
            Permission.objects.get(codename="view_paperlesstask"),
        )
--- a/src/documents/views.py
+++ b/src/documents/views.py
@@ -3841,18 +3841,15 @@ class TasksViewSet(ReadOnlyModelViewSet[PaperlessTask]):
        return TaskSerializerV10

    def get_queryset(self):
-        # Staff see all tasks.
-        # v9 non-staff: own tasks + unowned tasks (preserves old behavior).
-        # v10 non-staff: own tasks only.
        is_v9 = self.request.version and int(self.request.version) < 10
        if self.request.user.is_staff:
            queryset = PaperlessTask.objects.all()
-        elif is_v9:
+        else:
+            # Own tasks + unowned (system/scheduled) tasks. Tasks owned by other
+            # users are never visible to non-staff regardless of API version.
            queryset = PaperlessTask.objects.filter(
                Q(owner=self.request.user) | Q(owner__isnull=True),
            )
-        else:
-            queryset = PaperlessTask.objects.filter(owner=self.request.user)
        # v9 backwards compat: map old query params to new field names
        if is_v9:
            task_name = self.request.query_params.get("task_name")