From f526ee2dfc69feeb674f6549915171af296e3aa8 Mon Sep 17 00:00:00 2001
From: stumpylog <797416+stumpylog@users.noreply.github.com>
Date: Fri, 17 Apr 2026 13:17:07 -0700
Subject: [PATCH] Aligns v10 and v9 task permissions with each other

---
 src/documents/tests/test_api_tasks.py | 13 +++++++------
 src/documents/views.py | 9 +++------
 2 files changed, 10 insertions(+), 12 deletions(-)

diff --git a/src/documents/tests/test_api_tasks.py b/src/documents/tests/test_api_tasks.py
index d4fead7e9..aee080900 100644
--- a/src/documents/tests/test_api_tasks.py
+++ b/src/documents/tests/test_api_tasks.py
@@ -165,12 +165,12 @@ class TestGetTasksV10:
 ids = [t["task_id"] for t in response.data]
 assert ids == [t3.task_id, t2.task_id, t1.task_id]
- def test_list_scoped_to_own_tasks_for_regular_user(
+ def test_list_scoped_to_own_and_unowned_tasks_for_regular_user(
 self,
 admin_user: User,
 regular_user: User,
 ) -> None:
- """Regular users see only tasks they own; tasks owned by others or unowned are hidden."""
+ """Regular users see their own tasks and unowned (system) tasks; other users' tasks are hidden."""
 regular_user.user_permissions.add(
 Permission.objects.get(codename="view_paperlesstask"),
 )
@@ -180,14 +180,15 @@ class TestGetTasksV10:
 client.credentials(HTTP_ACCEPT=ACCEPT_V10)
 PaperlessTaskFactory(owner=admin_user) # other user — not visible
- PaperlessTaskFactory() # unowned (system task) — not visible
+ unowned_task = PaperlessTaskFactory() # unowned (system task) — visible
 own_task = PaperlessTaskFactory(owner=regular_user)
 response = client.get(ENDPOINT)
 assert response.status_code == status.HTTP_200_OK
- assert len(response.data) == 1
- assert response.data[0]["task_id"] == own_task.task_id
+ assert len(response.data) == 2
+ visible_ids = {t["task_id"] for t in response.data}
+ assert visible_ids == {own_task.task_id, unowned_task.task_id}
 def test_list_admin_sees_all_tasks(
 self,
@@ -401,7 +402,7 @@ class TestGetTasksV9:
 admin_user: User,
 regular_user: User,
 ) -> None:
- """v9 non-staff users see their own tasks plus unowned tasks."""
+ """Non-staff users see their own tasks plus unowned tasks via v9 API."""
 regular_user.user_permissions.add(
 Permission.objects.get(codename="view_paperlesstask"),
 )
diff --git a/src/documents/views.py b/src/documents/views.py
index 1202c9539..d13760d38 100644
--- a/src/documents/views.py
+++ b/src/documents/views.py
@@ -3841,18 +3841,15 @@ class TasksViewSet(ReadOnlyModelViewSet[PaperlessTask]):
 return TaskSerializerV10
 def get_queryset(self):
- # Staff see all tasks.
- # v9 non-staff: own tasks + unowned tasks (preserves old behavior).
- # v10 non-staff: own tasks only.
 is_v9 = self.request.version and int(self.request.version) < 10
 if self.request.user.is_staff:
 queryset = PaperlessTask.objects.all()
- elif is_v9:
+ else:
+ # Own tasks + unowned (system/scheduled) tasks. Tasks owned by other
+ # users are never visible to non-staff regardless of API version.
 queryset = PaperlessTask.objects.filter(
 Q(owner=self.request.user) | Q(owner__isnull=True),
 )
- else:
- queryset = PaperlessTask.objects.filter(owner=self.request.user)
 # v9 backwards compat: map old query params to new field names
 if is_v9:
 task_name = self.request.query_params.get("task_name")
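Review bot: The new `else` branch in `get_queryset` decides visibility on `owner__isnull=True` alone, so on v10 every task without an owner, whatever created it, is now returned to any non-staff user who reaches this queryset; the added comment calls these "system/scheduled" tasks, but the filter does not test for that. Whether this is safe depends on what `TaskSerializerV10` returns for such rows (file names, result or error text), which the hunk does not show, so it is worth confirming those fields reveal nothing about documents the caller cannot otherwise read. I would word the comment as the rule that is actually enforced, e.g. `# Unowned means owner IS NULL, not "system": any task created without an owner is readable by every non-staff user of this endpoint.`, and extend the v10 test to cover the detail route as well as the list, since `ReadOnlyModelViewSet` serves both from this queryset. `get_queryset` continues past the end of the hunk.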