Bump version to 2.20.9

Merge branch 'release/v2.20.x'
Enforce on selection_data too
2026-02-28 14:26:24 +00:00 · 2026-02-28 01:35:26 -08:00 · 2026-02-28 01:34:33 -08:00 · 2026-02-28 01:27:40 -08:00 · 2026-02-28 01:16:53 -08:00 · 2026-02-26 23:26:35 -08:00
31 changed files with 1062 additions and 398 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -79,13 +79,10 @@ jobs:
      - name: Check files
        uses: pre-commit/action@v3.0.1
  documentation:
-    name: "Build & Deploy Documentation"
+    name: "Build Documentation"
    runs-on: ubuntu-24.04
    needs:
      - pre-commit
-    environment:
-      name: github-pages
-      url: ${{ steps.deployment.outputs.page_url }}
    steps:
      - uses: actions/configure-pages@v5
      - name: Checkout
@@ -111,12 +108,26 @@ jobs:
            --dev \
            --frozen \
            zensical build --clean
+      - name: Upload documentation artifact
+        uses: actions/upload-artifact@v5
+        with:
+          name: documentation
+          path: site/
      - uses: actions/upload-pages-artifact@v4
        with:
          path: site
          name: github-pages-${{ github.run_id }}-${{ github.run_attempt }}
+  deploy-documentation:
+    name: "Deploy Documentation"
+    runs-on: ubuntu-24.04
+    needs:
+      - documentation
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+    steps:
      - uses: actions/deploy-pages@v4
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        id: deployment
        with:
          artifact_name: github-pages-${{ github.run_id }}-${{ github.run_attempt }}
@@ -348,6 +359,9 @@ jobs:
  build-docker-image:
    name: Build Docker image for ${{ github.event_name == 'pull_request' && github.head_ref || github.ref_name }}
    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      packages: write
    if: (github.event_name == 'push' && (startsWith(github.ref, 'refs/heads/feature-') || startsWith(github.ref, 'refs/heads/fix-') || github.ref == 'refs/heads/dev' || github.ref == 'refs/heads/beta' || contains(github.ref, 'beta.rc') || startsWith(github.ref, 'refs/tags/v') || startsWith(github.ref, 'refs/heads/l10n_'))) || (github.event_name == 'pull_request' && (startsWith(github.head_ref, 'feature-') || startsWith(github.head_ref, 'fix-') || github.head_ref == 'dev' || github.head_ref == 'beta' || contains(github.head_ref, 'beta.rc') || startsWith(github.head_ref, 'l10n_')))
    concurrency:
      group: ${{ github.workflow }}-build-docker-image-${{ github.ref_name }}
@@ -586,6 +600,8 @@ jobs:
  publish-release:
    name: "Publish Release"
    runs-on: ubuntu-24.04
+    permissions:
+      contents: write
    outputs:
      prerelease: ${{ steps.get_version.outputs.prerelease }}
      changelog: ${{ steps.create-release.outputs.body }}
@@ -632,6 +648,10 @@ jobs:
  append-changelog:
    name: "Append Changelog"
    runs-on: ubuntu-24.04
+    permissions:
+      contents: write
+      pull-requests: write
+      issues: write
    needs:
      - publish-release
    if: needs.publish-release.outputs.prerelease == 'false'
--- a/docker/rootfs/usr/local/bin/document_create_classifier
+++ b/docker/rootfs/usr/local/bin/document_create_classifier
@@ -15,7 +15,3 @@ else
 	echo "Unknown user."
 	exit 1
 fi
-er "$@"
-elif [[ $(id -un) == "paperless" ]]; then
-	s6-setuidgid paperless python3 manage.py document_create_classifier "$@"
-fi
--- a/docs/advanced_usage.md
+++ b/docs/advanced_usage.md
@@ -431,8 +431,10 @@ This allows for complex logic to be included in the format, including [logical s
 and [filters](https://jinja.palletsprojects.com/en/3.1.x/templates/#id11) to manipulate the [variables](#filename-format-variables)
 provided. The template is provided as a string, potentially multiline, and rendered into a single line.

-In addition, the entire Document instance is available to be utilized in a more advanced way, as well as some variables which only make sense to be accessed
-with more complex logic.
+In addition, a limited `document` object is available for advanced templates.
+This object includes common metadata fields such as `id`, `pk`, `title`, `content`, `page_count`, `created`, `added`, `modified`, `mime_type`,
+`checksum`, `archive_checksum`, `archive_serial_number`, `filename`, `archive_filename`, and `original_filename`.
+Related values are available as nested objects with limited fields, for example document.correspondent.name, etc.

 #### Custom Jinja2 Filters

--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -1,7 +1,39 @@
 # Changelog

+## paperless-ngx 2.20.8
+
+### Security
+
+-   Resolve [GHSA-7qqc-wrcw-2fj9](https://github.com/paperless-ngx/paperless-ngx/security/advisories/GHSA-7qqc-wrcw-2fj9)
+
+## paperless-ngx 2.20.7
+
+### Security
+
+-   Resolve [GHSA-x395-6h48-wr8v](https://github.com/paperless-ngx/paperless-ngx/security/advisories/GHSA-x395-6h48-wr8v)
+
+### Bug Fixes
+
+-   Performance fix: use subqueries to improve object retrieval in large installs [@shamoon](https://github.com/shamoon) ([#11950](https://github.com/paperless-ngx/paperless-ngx/pull/11950))
+-   Fix: correct user dropdown button icon styling [@shamoon](https://github.com/shamoon) ([#12092](https://github.com/paperless-ngx/paperless-ngx/issues/12092))
+-   Fix: fix broken docker create_classifier command in 2.20.6 [@shamoon](https://github.com/shamoon) ([#11965](https://github.com/paperless-ngx/paperless-ngx/issues/11965))
+
+### All App Changes
+
+<details>
+<summary>3 changes</summary>
+
+-   Performance fix: use subqueries to improve object retrieval in large installs [@shamoon](https://github.com/shamoon) ([#11950](https://github.com/paperless-ngx/paperless-ngx/pull/11950))
+-   Fix: correct user dropdown button icon styling [@shamoon](https://github.com/shamoon) ([#12092](https://github.com/paperless-ngx/paperless-ngx/issues/12092))
+-   Fix: fix broken docker create_classifier command in 2.20.6 [@shamoon](https://github.com/shamoon) ([#11965](https://github.com/paperless-ngx/paperless-ngx/issues/11965))
+</details>
+
 ## paperless-ngx 2.20.6

+### Security
+
+-   Resolve [GHSA-jqwv-hx7q-fxh3](https://github.com/paperless-ngx/paperless-ngx/security/advisories/GHSA-jqwv-hx7q-fxh3) and [GHSA-w47q-3m69-84v8](https://github.com/paperless-ngx/paperless-ngx/security/advisories/GHSA-w47q-3m69-84v8)
+
 ### Bug Fixes

 -   Fix: extract all ids for nested tags [@shamoon](https://github.com/shamoon) ([#11888](https://github.com/paperless-ngx/paperless-ngx/pull/11888))
--- a/docs/development.md
+++ b/docs/development.md
@@ -358,7 +358,7 @@ If you want to build the documentation locally, this is how you do it:
    $ uv run zensical serve
    ```

-## Building the Docker image
+## Building the Docker image {#docker_build}

 The docker image is primarily built by the GitHub actions workflow, but
 it can be faster when developing to build and tag an image locally.
--- a/docs/setup.md
+++ b/docs/setup.md
@@ -4,53 +4,74 @@ title: Setup

 # Installation

-You can go multiple routes to setup and run Paperless:
-
-   [Use the script to setup a Docker install](#docker_script)
-   [Use the Docker compose templates](#docker)
-   [Build the Docker image yourself](#docker_build)
-   [Install Paperless-ngx directly on your system manually ("bare metal")](#bare_metal)
-   A user-maintained list of commercial hosting providers can be found [in the wiki](https://github.com/paperless-ngx/paperless-ngx/wiki/Related-Projects)
-
-The Docker routes are quick & easy. These are the recommended routes.
-This configures all the stuff from the above automatically so that it
-just works and uses sensible defaults for all configuration options.
-Here you find a cheat-sheet for docker beginners: [CLI
-Basics](https://www.sehn.tech/refs/devops-with-docker/)
-
-The bare metal route is complicated to setup but makes it easier should
-you want to contribute some code back. You need to configure and run the
-above mentioned components yourself.
-
-### Use the Installation Script {#docker_script}
-
-Paperless provides an interactive installation script to setup a Docker Compose
-installation. The script asks for a couple configuration options, and will then create the
-necessary configuration files, pull the docker image, start Paperless-ngx and create your superuser
-account. The script essentially automatically performs the steps described in [Docker setup](#docker).
-
-1.  Make sure that Docker and Docker Compose are [installed](https://docs.docker.com/engine/install/){:target="\_blank"}.
-
-2.  Download and run the installation script:
+!!! tip "Quick Start"

+    If you just want Paperless-ngx running quickly, use our installation script:
    ```shell-session
    bash -c "$(curl --location --silent --show-error https://raw.githubusercontent.com/paperless-ngx/paperless-ngx/main/install-paperless-ngx.sh)"
    ```
+    _If piping into a shell directly from the internet makes you nervous, inspect [the script](https://github.com/paperless-ngx/paperless-ngx/blob/main/install-paperless-ngx.sh) first!_

-    !!! note
+## Overview

-        macOS users will need to install [gnu-sed](https://formulae.brew.sh/formula/gnu-sed) with support
-        for running as `sed` as well as [wget](https://formulae.brew.sh/formula/wget).
+Choose the installation route that best fits your setup:

-### Use Docker Compose {#docker}
+| Route                                                                                                             | Best for                                                                            | Effort |
+| ----------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------- | ------ |
+| [Installation script](#docker_script)                                                                             | Fastest first-time setup with guided prompts (recommended for most users)           | Low    |
+| [Docker Compose templates](#docker)                                                                               | Manual control over compose files and settings                                      | Medium |
+| [Bare metal](#bare_metal)                                                                                         | Advanced setups, packaging, and development-adjacent workflows                      | High   |
+| [Hosted providers (wiki)](https://github.com/paperless-ngx/paperless-ngx/wiki/Related-Projects#hosting-providers) | Managed hosting options maintained by the community &mdash; check details carefully | Varies |

-1.  Make sure that Docker and Docker Compose are [installed](https://docs.docker.com/engine/install/){:target="\_blank"}.
+For most users, Docker is the best option. It is faster to set up,
+easier to maintain, and ships with sensible defaults.

-2.  Go to the [/docker/compose directory on the project
+The bare-metal route gives you more control, but it requires manual
+installation and operation of all components. It is usually best suited
+for advanced users and contributors.
+
+!!! info
+
+    Because [superuser](usage.md#superusers) accounts have full access to all objects and documents, you may want to create a separate user account for daily use,
+    or "downgrade" your superuser account to a normal user account after setup.
+
+## Installation Script {#docker_script}
+
+Paperless-ngx provides an interactive script for Docker Compose setups.
+It asks a few configuration questions, then creates the required files,
+pulls the image, starts the containers, and creates your [superuser](usage.md#superusers)
+account. In short, it automates the [Docker Compose setup](#docker) described below.
+
+#### Prerequisites
+
+-   Docker and Docker Compose must be [installed](https://docs.docker.com/engine/install/){:target="\_blank"}.
+-   macOS users will need [GNU sed](https://formulae.brew.sh/formula/gnu-sed) with support for running as `sed` as well as [wget](https://formulae.brew.sh/formula/wget).
+
+#### Run the installation script
+
+```shell-session
+bash -c "$(curl --location --silent --show-error https://raw.githubusercontent.com/paperless-ngx/paperless-ngx/main/install-paperless-ngx.sh)"
+```
+
+#### After installation
+
+Paperless-ngx should be available at `http://127.0.0.1:8000` (or similar,
+depending on your configuration) and you will be able to login with the
+credentials you provided during the installation script.
+
+## Docker Compose Install {#docker}
+
+#### Prerequisites
+
+-   Docker and Docker Compose must be [installed](https://docs.docker.com/engine/install/){:target="\_blank"}.
+
+#### Installation
+
+1.  Go to the [/docker/compose directory on the project
    page](https://github.com/paperless-ngx/paperless-ngx/tree/main/docker/compose){:target="\_blank"}
-    and download one of the `docker-compose.*.yml` files, depending on which database backend
-    you want to use. Place the files in a local directory and rename it `docker-compose.yml`. Download the
-    `docker-compose.env` file and the `.env` file as well in the same directory.
+    and download one `docker-compose.*.yml` file for your preferred
+    database backend. Save it in a local directory as `docker-compose.yml`.
+    Also download `docker-compose.env` and `.env` into that same directory.

    If you want to enable optional support for Office and other documents, download a
    file with `-tika` in the file name.
@@ -60,15 +81,16 @@ account. The script essentially automatically performs the steps described in [D
        For new installations, it is recommended to use PostgreSQL as the
        database backend.

-3.  Modify `docker-compose.yml` as needed. For example, you may want to change the paths to the
-    consumption, media etc. directories to use 'bind mounts'.
+2.  Modify `docker-compose.yml` as needed. For example, you may want to
+    change the paths for `consume`, `media`, and other directories to
+    use bind mounts.
    Find the line that specifies where to mount the directory, e.g.:

    ```yaml
    - ./consume:/usr/src/paperless/consume
    ```

-    Replace the part _before_ the colon with a local directory of your choice:
+    Replace the part _before_ the colon with your local directory:

    ```yaml
    - /home/jonaswinkler/paperless-inbox:/usr/src/paperless/consume
@@ -82,38 +104,15 @@ account. The script essentially automatically performs the steps described in [D
        - 8010:8000
    ```

-    **Rootless**
-
-    !!! warning
-
-        It is currently not possible to run the container rootless if additional languages are specified via `PAPERLESS_OCR_LANGUAGES`.
-
-    If you want to run Paperless as a rootless container, you will need
-    to do the following in your `docker-compose.yml`:
-
-    -   set the `user` running the container to map to the `paperless`
-        user in the container. This value (`user_id` below), should be
-        the same id that `USERMAP_UID` and `USERMAP_GID` are set to in
-        the next step. See `USERMAP_UID` and `USERMAP_GID`
-        [here](configuration.md#docker).
-
-    Your entry for Paperless should contain something like:
-
-    > ```
-    > webserver:
-    >   image: ghcr.io/paperless-ngx/paperless-ngx:latest
-    >   user: <user_id>
-    > ```
-
-4.  Modify `docker-compose.env` with any configuration options you'd like.
+3.  Modify `docker-compose.env` with any configuration options you need.
    See the [configuration documentation](configuration.md) for all options.

    You may also need to set `USERMAP_UID` and `USERMAP_GID` to
-    the uid and gid of your user on the host system. Use `id -u` and
-    `id -g` to get these. This ensures that both the container and the host
-    user have write access to the consumption directory. If your UID
-    and GID on the host system is 1000 (the default for the first normal
-    user on most systems), it will work out of the box without any
+    the UID and GID of your user on the host system. Use `id -u` and
+    `id -g` to get these values. This ensures both the container and the
+    host user can write to the consumption directory. If your UID and
+    GID are `1000` (the default for the first normal user on many
+    systems), this usually works out of the box without
    modifications. Run `id "username"` to check.

    !!! note
@@ -122,79 +121,62 @@ account. The script essentially automatically performs the steps described in [D
        appending `_FILE` to configuration values. For example [`PAPERLESS_DBUSER`](configuration.md#PAPERLESS_DBUSER)
        can be set using `PAPERLESS_DBUSER_FILE=/var/run/secrets/password.txt`.

-    !!! warning
-
-        Some file systems such as NFS network shares don't support file
-        system notifications with `inotify`. When storing the consumption
-        directory on such a file system, paperless will not pick up new
-        files with the default configuration. You will need to use
-        [`PAPERLESS_CONSUMER_POLLING`](configuration.md#PAPERLESS_CONSUMER_POLLING), which will disable inotify. See
-        [here](configuration.md#polling).
-
-5.  Run `docker compose pull`. This will pull the image from the GitHub container registry
-    by default but you can change the image to pull from Docker Hub by changing the `image`
+4.  Run `docker compose pull`. This pulls the image from the GitHub container registry
+    by default, but you can pull from Docker Hub by changing the `image`
    line to `image: paperlessngx/paperless-ngx:latest`.

-6.  Run `docker compose up -d`. This will create and start the necessary containers.
+5.  Run `docker compose up -d`. This will create and start the necessary containers.

-7.  Congratulations! Your Paperless-ngx instance should now be accessible at `http://127.0.0.1:8000`
-    (or similar, depending on your configuration). When you first access the web interface, you will be
-    prompted to create a superuser account.
+#### After installation

-### Build the Docker image yourself {#docker_build}
+Your Paperless-ngx instance should now be accessible at
+`http://127.0.0.1:8000` (or similar, depending on your configuration).
+When you first access the web interface, you will be prompted to create
+a [superuser](usage.md#superusers) account.

-1.  Clone the entire repository of paperless:
+#### Optional Advanced Compose Configurations {#advanced_compose data-toc-label="Advanced Compose Configurations"}

-    ```shell-session
-    git clone https://github.com/paperless-ngx/paperless-ngx
-    ```
+**Rootless**

-    The main branch always reflects the latest stable version.
+!!! warning

-2.  Copy one of the `docker/compose/docker-compose.*.yml` to
-    `docker-compose.yml` in the root folder, depending on which database
-    backend you want to use. Copy `docker-compose.env` into the project
-    root as well.
+    It is currently not possible to run the container rootless if additional languages are specified via `PAPERLESS_OCR_LANGUAGES`.

-3.  In the `docker-compose.yml` file, find the line that instructs
-    Docker Compose to pull the paperless image from Docker Hub:
+If you want to run Paperless as a rootless container, make this
+change in `docker-compose.yml`:

-    ```yaml
-    webserver:
-        image: ghcr.io/paperless-ngx/paperless-ngx:latest
-    ```
+-   Set the `user` running the container to map to the `paperless`
+    user in the container. This value (`user_id` below) should be
+    the same ID that `USERMAP_UID` and `USERMAP_GID` are set to in
+    `docker-compose.env`. See `USERMAP_UID` and `USERMAP_GID`
+    [here](configuration.md#docker).

-    and replace it with a line that instructs Docker Compose to build
-    the image from the current working directory instead:
+Your entry for Paperless should contain something like:

-    ```yaml
-    webserver:
-        build:
-            context: .
-    ```
+> ```
+> webserver:
+>   image: ghcr.io/paperless-ngx/paperless-ngx:latest
+>   user: <user_id>
+> ```

-4.  Follow the [Docker setup](#docker) above except when asked to run
-    `docker compose pull` to pull the image, run
+**File systems without inotify support (e.g. NFS)**

-    ```shell-session
-    docker compose build
-    ```
+Some file systems, such as NFS network shares, don't support file system
+notifications with `inotify`. When the consumption directory is on such a
+file system, Paperless-ngx will not pick up new files with the default
+configuration. Use [`PAPERLESS_CONSUMER_POLLING`](configuration.md#PAPERLESS_CONSUMER_POLLING)
+to enable polling and disable inotify. See [here](configuration.md#polling).

-    instead to build the image.
+## Bare Metal Install {#bare_metal}

-### Bare Metal Route {#bare_metal}
+#### Prerequisites

-Paperless runs on linux only. The following procedure has been tested on
-a minimal installation of Debian/Buster, which is the current stable
-release at the time of writing. Windows is not and will never be
-supported.
+-   Paperless runs on Linux only, Windows is not supported.
+-   Python 3 is required with versions 3.10 - 3.12 currently supported. Newer versions may work, but some dependencies may not be fully compatible.

-Paperless requires Python 3. At this time, 3.10 - 3.12 are tested versions.
-Newer versions may work, but some dependencies may not fully support newer versions.
-Support for older Python versions may be dropped as they reach end of life or as newer versions
-are released, dependency support is confirmed, etc.
+#### Installation

-1.  Install dependencies. Paperless requires the following packages.
+1.  Install dependencies. Paperless requires the following packages:

    -   `python3`
    -   `python3-pip`
@@ -258,8 +240,8 @@ are released, dependency support is confirmed, etc.

 2.  Install `redis` >= 6.0 and configure it to start automatically.

-3.  Optional. Install `postgresql` and configure a database, user and
-    password for paperless. If you do not wish to use PostgreSQL,
+3.  Optional: Install `postgresql` and configure a database, user, and
+    password for Paperless-ngx. If you do not wish to use PostgreSQL,
    MariaDB and SQLite are available as well.

    !!! note
@@ -268,61 +250,60 @@ are released, dependency support is confirmed, etc.
        extension](https://code.djangoproject.com/wiki/JSON1Extension) is
        enabled. This is usually the case, but not always.

-4.  Create a system user with a new home folder under which you wish
-    to run paperless.
+4.  Create a system user with a new home folder in which you want
+    to run Paperless-ngx.

    ```shell-session
    adduser paperless --system --home /opt/paperless --group
    ```

-5.  Get the release archive from
-    <https://github.com/paperless-ngx/paperless-ngx/releases> for example with
+5.  Download a release archive from
+    <https://github.com/paperless-ngx/paperless-ngx/releases>. For example:

    ```shell-session
-    curl -O -L https://github.com/paperless-ngx/paperless-ngx/releases/download/v1.10.2/paperless-ngx-v1.10.2.tar.xz
+    curl -O -L https://github.com/paperless-ngx/paperless-ngx/releases/download/vX.Y.Z/paperless-ngx-vX.Y.Z.tar.xz
    ```

    Extract the archive with

    ```shell-session
-    tar -xf paperless-ngx-v1.10.2.tar.xz
+    tar -xf paperless-ngx-vX.Y.Z.tar.xz
    ```

-    and copy the contents to the
-    home folder of the user you created before (`/opt/paperless`).
+    and copy the contents to the home directory of the user you created
+    earlier (`/opt/paperless`).

-    Optional: If you cloned the git repo, you will have to
-    compile the frontend yourself, see [here](development.md#front-end-development)
+    Optional: If you cloned the Git repository, you will need to
+    compile the frontend yourself. See [here](development.md#front-end-development)
    and use the `build` step, not `serve`.

-6.  Configure paperless. See [configuration](configuration.md) for details.
+6.  Configure Paperless-ngx. See [configuration](configuration.md) for details.
    Edit the included `paperless.conf` and adjust the settings to your
-    needs. Required settings for getting
-    paperless running are:
+    needs. Required settings for getting Paperless-ngx running are:

-    -   [`PAPERLESS_REDIS`](configuration.md#PAPERLESS_REDIS) should point to your redis server, such as
-        <redis://localhost:6379>.
-    -   [`PAPERLESS_DBENGINE`](configuration.md#PAPERLESS_DBENGINE) optional, and should be one of `postgres`,
+    -   [`PAPERLESS_REDIS`](configuration.md#PAPERLESS_REDIS) should point to your Redis server, such as
+        `redis://localhost:6379`.
+    -   [`PAPERLESS_DBENGINE`](configuration.md#PAPERLESS_DBENGINE) is optional, and should be one of `postgres`,
        `mariadb`, or `sqlite`
    -   [`PAPERLESS_DBHOST`](configuration.md#PAPERLESS_DBHOST) should be the hostname on which your
        PostgreSQL server is running. Do not configure this to use
        SQLite instead. Also configure port, database name, user and
        password as necessary.
-    -   [`PAPERLESS_CONSUMPTION_DIR`](configuration.md#PAPERLESS_CONSUMPTION_DIR) should point to a folder which
-        paperless should watch for documents. You might want to have
-        this somewhere else. Likewise, [`PAPERLESS_DATA_DIR`](configuration.md#PAPERLESS_DATA_DIR) and
-        [`PAPERLESS_MEDIA_ROOT`](configuration.md#PAPERLESS_MEDIA_ROOT) define where paperless stores its data.
-        If you like, you can point both to the same directory.
+    -   [`PAPERLESS_CONSUMPTION_DIR`](configuration.md#PAPERLESS_CONSUMPTION_DIR) should point to the folder
+        that Paperless-ngx should watch for incoming documents.
+        Likewise, [`PAPERLESS_DATA_DIR`](configuration.md#PAPERLESS_DATA_DIR) and
+        [`PAPERLESS_MEDIA_ROOT`](configuration.md#PAPERLESS_MEDIA_ROOT) define where Paperless-ngx stores its data.
+        If needed, these can point to the same directory.
    -   [`PAPERLESS_SECRET_KEY`](configuration.md#PAPERLESS_SECRET_KEY) should be a random sequence of
        characters. It's used for authentication. Failure to do so
        allows third parties to forge authentication credentials.
-    -   [`PAPERLESS_URL`](configuration.md#PAPERLESS_URL) if you are behind a reverse proxy. This should
+    -   Set [`PAPERLESS_URL`](configuration.md#PAPERLESS_URL) if you are behind a reverse proxy. This should
        point to your domain. Please see
        [configuration](configuration.md) for more
        information.

-    Many more adjustments can be made to paperless, especially the OCR
-    part. The following options are recommended for everyone:
+    You can make many more adjustments, especially for OCR.
+    The following options are recommended for most users:

    -   Set [`PAPERLESS_OCR_LANGUAGE`](configuration.md#PAPERLESS_OCR_LANGUAGE) to the language most of your
        documents are written in.
@@ -332,15 +313,14 @@ are released, dependency support is confirmed, etc.

        Ensure your Redis instance [is secured](https://redis.io/docs/latest/operate/oss_and_stack/management/security/).

-7.  Create the following directories if they are missing:
+7.  Create the following directories if they do not already exist:

    -   `/opt/paperless/media`
    -   `/opt/paperless/data`
    -   `/opt/paperless/consume`

-    Adjust as necessary if you configured different folders.
-    Ensure that the paperless user has write permissions for every one
-    of these folders with
+    Adjust these paths if you configured different folders.
+    Then verify that the `paperless` user has write permissions:

    ```shell-session
    ls -l -d /opt/paperless/media
@@ -354,45 +334,44 @@ are released, dependency support is confirmed, etc.
    sudo chown paperless:paperless /opt/paperless/consume
    ```

-8.  Install python requirements from the `requirements.txt` file.
+8.  Install Python dependencies from `requirements.txt`.

    ```shell-session
    sudo -Hu paperless pip3 install -r requirements.txt
    ```

-    This will install all python dependencies in the home directory of
+    This will install all Python dependencies in the home directory of
    the new paperless user.

    !!! tip

-        It is up to you if you wish to use a virtual environment or not for the Python
-        dependencies.  This is an alternative to the above and may require adjusting
-        the example scripts to utilize the virtual environment paths
+        You can use a virtual environment if you prefer. If you do,
+        you may need to adjust the example scripts for your virtual
+        environment paths.

    !!! tip

        If you use modern Python tooling, such as `uv`, installation will not include
-        dependencies for Postgres or Mariadb.  You can select those extras with `--extra <EXTRA>`
-        or all with `--all-extras`
+        dependencies for PostgreSQL or MariaDB. You can select those
+        extras with `--extra <EXTRA>`, or install all extras with
+        `--all-extras`.

-9.  Go to `/opt/paperless/src`, and execute the following command:
+9.  Go to `/opt/paperless/src` and execute the following command:

    ```bash
    # This creates the database schema.
    sudo -Hu paperless python3 manage.py migrate
    ```

-    When you first access the web interface you will be prompted to create a superuser account.
-
-10. Optional: Test that paperless is working by executing
+10. Optional: Test that Paperless-ngx is working by running

    ```bash
    # Manually starts the webserver
    sudo -Hu paperless python3 manage.py runserver
    ```

-    and pointing your browser to http://localhost:8000 if
-    accessing from the same devices on which paperless is installed.
+    Then point your browser to `http://localhost:8000` if
+    accessing from the same device on which Paperless-ngx is installed.
    If accessing from another machine, set up systemd services. You may need
    to set `PAPERLESS_DEBUG=true` in order for the development server to work
    normally in your browser.
@@ -400,23 +379,24 @@ are released, dependency support is confirmed, etc.
    !!! warning

        This is a development server which should not be used in production.
-        It is not audited for security and performance is inferior to
-        production ready web servers.
+        It is not audited for security, and performance is inferior to
+        production-ready web servers.

    !!! tip

        This will not start the consumer. Paperless does this in a separate
        process.

-11. Setup systemd services to run paperless automatically. You may use
+11. Set up systemd services to run Paperless-ngx automatically. You may use
    the service definition files included in the `scripts` folder as a
    starting point.

-    Paperless needs the `webserver` script to run the webserver, the
-    `consumer` script to watch the input folder, `taskqueue` for the
-    background workers used to handle things like document consumption
-    and the `scheduler` script to run tasks such as email checking at
-    certain times .
+    Paperless needs:
+
+    -   The `webserver` script to run the webserver.
+    -   The `consumer` script to watch the input folder.
+    -   The `taskqueue` script for background workers (document consumption, etc.).
+    -   The `scheduler` script for periodic tasks such as email checking.

    !!! note

@@ -425,9 +405,9 @@ are released, dependency support is confirmed, etc.
        `Require=paperless-webserver.socket` in the `webserver` script
        and configure `granian` to listen on port 80 (set `GRANIAN_PORT`).

-    These services rely on redis and optionally the database server, but
+    These services rely on Redis and optionally the database server, but
    don't need to be started in any particular order. The example files
-    depend on redis being started. If you use a database server, you
+    depend on Redis being started. If you use a database server, you
    should add additional dependencies.

    !!! note
@@ -437,18 +417,15 @@ are released, dependency support is confirmed, etc.

    !!! warning

-        If celery won't start (check with
+        If Celery won't start, check
        `sudo systemctl status paperless-task-queue.service` for
-        paperless-task-queue.service and paperless-scheduler.service
-        ) you need to change the path in the files. Example:
+        `paperless-task-queue.service` and `paperless-scheduler.service`.
+        You may need to change the path in the files. Example:
        `ExecStart=/opt/paperless/.local/bin/celery --app paperless worker --loglevel INFO`

-12. Optional: Install a samba server and make the consumption folder
-    available as a network share.
-
-13. Configure ImageMagick to allow processing of PDF documents. Most
+12. Configure ImageMagick to allow processing of PDF documents. Most
    distributions have this disabled by default, since PDF documents can
-    contain malware. If you don't do this, paperless will fall back to
+    contain malware. If you don't do this, Paperless-ngx will fall back to
    Ghostscript for certain steps such as thumbnail generation.

    Edit `/etc/ImageMagick-6/policy.xml` and adjust
@@ -463,32 +440,38 @@ are released, dependency support is confirmed, etc.
    <policy domain="coder" rights="read|write" pattern="PDF" />
    ```

-14. Optional: Install the
-    [jbig2enc](https://ocrmypdf.readthedocs.io/en/latest/jbig2.html)
-    encoder. This will reduce the size of generated PDF documents.
-    You'll most likely need to compile this by yourself, because this
-    software has been patented until around 2017 and binary packages are
-    not available for most distributions.
+**Optional: Install the [jbig2enc](https://ocrmypdf.readthedocs.io/en/latest/jbig2.html) encoder.**
+This will reduce the size of generated PDF documents. You'll most likely need to compile this yourself, because this
+software has been patented until around 2017 and binary packages are not available for most distributions.

-15. Optional: If using the NLTK machine learning processing (see
-    [`PAPERLESS_ENABLE_NLTK`](configuration.md#PAPERLESS_ENABLE_NLTK) for details),
-    download the NLTK data for the Snowball
-    Stemmer, Stopwords and Punkt tokenizer to `/usr/share/nltk_data`. Refer to the [NLTK
-    instructions](https://www.nltk.org/data.html) for details on how to
-    download the data.
+**Optional: download the NLTK data**
+If using the NLTK machine-learning processing (see [`PAPERLESS_ENABLE_NLTK`](configuration.md#PAPERLESS_ENABLE_NLTK) for details),
+download the NLTK data for the Snowball Stemmer, Stopwords and Punkt tokenizer to `/usr/share/nltk_data`. Refer to the [NLTK
+instructions](https://www.nltk.org/data.html) for details on how to download the data.

-# Migrating to Paperless-ngx
+#### After installation

-Migration is possible both from Paperless-ng or directly from the
-'original' Paperless.
+Your Paperless-ngx instance should now be accessible at `http://localhost:8000` (or similar, depending on your configuration).
+When you first access the web interface you will be prompted to create a [superuser](usage.md#superusers) account.

-## Migrating from Paperless-ng
+## Build the Docker image yourself {#docker_build data-toc-label="Building the Docker image"}

-Paperless-ngx is meant to be a drop-in replacement for Paperless-ng and
-thus upgrading should be trivial for most users, especially when using
-docker. However, as with any major change, it is recommended to take a
+Building the Docker image yourself is typically used for development, but it can also be used for production
+if you want to customize the image. See [Building the Docker image](development.md#docker_build) in the
+development documentation.
+
+## Migrating to Paperless-ngx
+
+You can migrate to Paperless-ngx from Paperless-ng or from the original
+Paperless project.
+
+<h3 id="migration_ng">Migrating from Paperless-ng</h3>
+
+Paperless-ngx is meant to be a drop-in replacement for Paperless-ng, and
+upgrading should be trivial for most users, especially when using
+Docker. However, as with any major change, it is recommended to take a
 full backup first. Once you are ready, simply change the docker image to
-point to the new source. E.g. if using Docker Compose, edit
+point to the new source. For example, if using Docker Compose, edit
 `docker-compose.yml` and change:

 ```
@@ -501,66 +484,65 @@ to
 image: ghcr.io/paperless-ngx/paperless-ngx:latest
 ```

-and then run `docker compose up -d` which will pull the new image
-recreate the container. That's it!
+and then run `docker compose up -d`, which will pull the new image and
+recreate the container. That's it.

 Users who installed with the bare-metal route should also update their
 Git clone to point to `https://github.com/paperless-ngx/paperless-ngx`,
-e.g. using the command
+for example using:
 `git remote set-url origin https://github.com/paperless-ngx/paperless-ngx`
 and then pull the latest version.

-## Migrating from Paperless
+<h3 id="migration_paperless">Migrating from Paperless</h3>

-At its core, paperless-ngx is still paperless and fully compatible.
+At its core, Paperless-ngx is still Paperless and fully compatible.
 However, some things have changed under the hood, so you need to adapt
-your setup depending on how you installed paperless.
+your setup depending on how you installed Paperless.

-This setup describes how to update an existing paperless Docker
-installation. The important things to keep in mind are as follows:
+This section describes how to update an existing Paperless Docker
+installation. Keep these points in mind:

 -   Read the [changelog](changelog.md) and
    take note of breaking changes.
-   You should decide if you want to stick with SQLite or want to
-    migrate your database to PostgreSQL. See [documentation](#sqlite_to_psql)
-    for details on
-    how to move your data from SQLite to PostgreSQL. Both work fine with
-    paperless. However, if you already have a database server running
-    for other services, you might as well use it for paperless as well.
-   The task scheduler of paperless, which is used to execute periodic
+-   Decide whether to stay on SQLite or migrate to PostgreSQL.
+    See [documentation](#sqlite_to_psql) for details on moving data
+    from SQLite to PostgreSQL. Both work fine with
+    Paperless. However, if you already have a database server running
+    for other services, you might as well use it for Paperless as well.
+-   The task scheduler of Paperless, which is used to execute periodic
    tasks such as email checking and maintenance, requires a
-    [redis](https://redis.io/) message broker instance. The
+    [Redis](https://redis.io/) message broker instance. The
    Docker Compose route takes care of that.
 -   The layout of the folder structure for your documents and data
-    remains the same, so you can just plug your old docker volumes into
+    remains the same, so you can plug your old Docker volumes into
    paperless-ngx and expect it to find everything where it should be.

-Migration to paperless-ngx is then performed in a few simple steps:
+Migration to Paperless-ngx is then performed in a few simple steps:

-1.  Stop paperless.
+1.  Stop Paperless.

    ```bash
    cd /path/to/current/paperless
    docker compose down
    ```

-2.  Do a backup for two purposes: If something goes wrong, you still
-    have your data. Second, if you don't like paperless-ngx, you can
-    switch back to paperless.
+2.  Create a backup for two reasons: if something goes wrong, you still
+    have your data; and if you don't like paperless-ngx, you can
+    switch back to Paperless.

-3.  Download the latest release of paperless-ngx. You can either go with
+3.  Download the latest release of Paperless-ngx. You can either use
    the Docker Compose files from
    [here](https://github.com/paperless-ngx/paperless-ngx/tree/main/docker/compose)
    or clone the repository to build the image yourself (see
-    [above](#docker_build)). You can
-    either replace your current paperless folder or put paperless-ngx in
+    [development docs](development.md#docker_build)). You can either replace your current paperless
+    folder or put Paperless-ngx in
    a different location.

    !!! warning

        Paperless-ngx includes a `.env` file. This will set the project name
-        for docker compose to `paperless`, which will also define the name
-        of the volumes by paperless-ngx. However, if you experience that
+        for Docker Compose to `paperless`, which will also define the
+        volume names created by Paperless-ngx. However, if you notice that
        paperless-ngx is not using your old paperless volumes, verify the
        names of your volumes with

@@ -576,10 +558,10 @@ Migration to paperless-ngx is then performed in a few simple steps:
    after you migrated your existing SQLite database.

 5.  Adjust `docker-compose.yml` and `docker-compose.env` to your needs.
-    See [Docker setup](#docker) details on
-    which edits are advised.
+    See [Docker setup](#docker) for details on
+    which edits are recommended.

-6.  [Update paperless.](administration.md#updating)
+6.  Follow the update procedure in [Update paperless](administration.md#updating).

 7.  In order to find your existing documents with the new search
    feature, you need to invoke a one-time operation that will create
@@ -590,136 +572,99 @@ Migration to paperless-ngx is then performed in a few simple steps:
    ```

    This will migrate your database and create the search index. After
-    that, paperless will take care of maintaining the index by itself.
+    that, Paperless-ngx will maintain the index automatically.

-8.  Start paperless-ngx.
+8.  Start Paperless-ngx.

    ```bash
    docker compose up -d
    ```

-    This will run paperless in the background and automatically start it
+    This will run Paperless-ngx in the background and automatically start it
    on system boot.

-9.  Paperless installed a permanent redirect to `admin/` in your
+9.  Paperless may have installed a permanent redirect to `admin/` in your
    browser. This redirect is still in place and prevents access to the
-    new UI. Clear your browsing cache in order to fix this.
+    new UI. Clear your browser cache to fix this.

 10. Optionally, follow the instructions below to migrate your existing
    data to PostgreSQL.

-## Migrating from LinuxServer.io Docker Image
+<h3 id="migration_lsio">Migrating from LinuxServer.io Docker Image</h3>

-As with any upgrades and large changes, it is highly recommended to
+As with any upgrade or large change, it is highly recommended to
 create a backup before starting. This assumes the image was running
 using Docker Compose, but the instructions are translatable to Docker
 commands as well.

-1.  Stop and remove the paperless container
-2.  If using an external database, stop the container
-3.  Update Redis configuration
+1.  Stop and remove the Paperless container.
+2.  If using an external database, stop that container.
+3.  Update Redis configuration.

    1. If `REDIS_URL` is already set, change it to [`PAPERLESS_REDIS`](configuration.md#PAPERLESS_REDIS)
       and continue to step 4.

-    1. Otherwise, in the `docker-compose.yml` add a new service for
-       Redis, following [the example compose
+    1. Otherwise, add a new Redis service in `docker-compose.yml`,
+       following [the example compose
       files](https://github.com/paperless-ngx/paperless-ngx/tree/main/docker/compose)

    1. Set the environment variable [`PAPERLESS_REDIS`](configuration.md#PAPERLESS_REDIS) so it points to
-       the new Redis container
+       the new Redis container.

-4.  Update user mapping
+4.  Update user mapping.

-    1. If set, change the environment variable `PUID` to `USERMAP_UID`
+    1. If set, change the environment variable `PUID` to `USERMAP_UID`.

-    1. If set, change the environment variable `PGID` to `USERMAP_GID`
+    1. If set, change the environment variable `PGID` to `USERMAP_GID`.

-5.  Update configuration paths
+5.  Update configuration paths.

-    1. Set the environment variable [`PAPERLESS_DATA_DIR`](configuration.md#PAPERLESS_DATA_DIR) to `/config`
+    1. Set the environment variable [`PAPERLESS_DATA_DIR`](configuration.md#PAPERLESS_DATA_DIR) to `/config`.

-6.  Update media paths
+6.  Update media paths.

    1. Set the environment variable [`PAPERLESS_MEDIA_ROOT`](configuration.md#PAPERLESS_MEDIA_ROOT) to
-       `/data/media`
+       `/data/media`.

-7.  Update timezone
+7.  Update timezone.

    1. Set the environment variable [`PAPERLESS_TIME_ZONE`](configuration.md#PAPERLESS_TIME_ZONE) to the same
-       value as `TZ`
+       value as `TZ`.

-8.  Modify the `image:` to point to
+8.  Modify `image:` to point to
    `ghcr.io/paperless-ngx/paperless-ngx:latest` or a specific version
    if preferred.
 9.  Start the containers as before, using `docker compose`.

-## Moving data from SQLite to PostgreSQL or MySQL/MariaDB {#sqlite_to_psql}
+## Running Paperless-ngx on less powerful devices {#less-powerful-devices data-toc-label="Less Powerful Devices"}

-The best way to migrate between database types is to perform an [export](administration.md#exporter) and then
-[import](administration.md#importer) into a clean installation of Paperless-ngx.
-
-## Moving back to Paperless
-
-Lets say you migrated to Paperless-ngx and used it for a while, but
-decided that you don't like it and want to move back (If you do, send
-me a mail about what part you didn't like!), you can totally do that
-with a few simple steps.
-
-Paperless-ngx modified the database schema slightly, however, these
-changes can be reverted while keeping your current data, so that your
-current data will be compatible with original Paperless. Thumbnails
-were also changed from PNG to WEBP format and will need to be
-re-generated.
-
-Execute this:
-
-```shell-session
-$ cd /path/to/paperless
-$ docker compose run --rm webserver migrate documents 0023
-```
-
-Or without docker:
-
-```shell-session
-$ cd /path/to/paperless/src
-$ python3 manage.py migrate documents 0023
-```
-
-After regenerating thumbnails, you'll need to clear your cookies
-(Paperless-ngx comes with updated dependencies that do cookie-processing
-differently) and probably your cache as well.
-
-# Considerations for less powerful devices {#less-powerful-devices}
-
-Paperless runs on Raspberry Pi. However, some things are rather slow on
-the Pi and configuring some options in paperless can help improve
-performance immensely:
+Paperless runs on Raspberry Pi. Some tasks can be slow on lower-powered
+hardware, but a few settings can improve performance:

 -   Stick with SQLite to save some resources. See [troubleshooting](troubleshooting.md#log-reports-creating-paperlesstask-failed)
    if you encounter issues with SQLite locking.
 -   If you do not need the filesystem-based consumer, consider disabling it
    entirely by setting [`PAPERLESS_CONSUMER_DISABLE`](configuration.md#PAPERLESS_CONSUMER_DISABLE) to `true`.
-   Consider setting [`PAPERLESS_OCR_PAGES`](configuration.md#PAPERLESS_OCR_PAGES) to 1, so that paperless will
-    only OCR the first page of your documents. In most cases, this page
+-   Consider setting [`PAPERLESS_OCR_PAGES`](configuration.md#PAPERLESS_OCR_PAGES) to 1, so that Paperless
+    OCRs only the first page of your documents. In most cases, this page
    contains enough information to be able to find it.
 -   [`PAPERLESS_TASK_WORKERS`](configuration.md#PAPERLESS_TASK_WORKERS) and [`PAPERLESS_THREADS_PER_WORKER`](configuration.md#PAPERLESS_THREADS_PER_WORKER) are
    configured to use all cores. The Raspberry Pi models 3 and up have 4
-    cores, meaning that paperless will use 2 workers and 2 threads per
+    cores, meaning that Paperless will use 2 workers and 2 threads per
    worker. This may result in sluggish response times during
    consumption, so you might want to lower these settings (example: 2
    workers and 1 thread to always have some computing power left for
    other tasks).
 -   Keep [`PAPERLESS_OCR_MODE`](configuration.md#PAPERLESS_OCR_MODE) at its default value `skip` and consider
-    OCR'ing your documents before feeding them into paperless. Some
+    OCRing your documents before feeding them into Paperless. Some
    scanners are able to do this!
 -   Set [`PAPERLESS_OCR_SKIP_ARCHIVE_FILE`](configuration.md#PAPERLESS_OCR_SKIP_ARCHIVE_FILE) to `with_text` to skip archive
-    file generation for already ocr'ed documents, or `always` to skip it
+    file generation for already OCRed documents, or `always` to skip it
    for all documents.
 -   If you want to perform OCR on the device, consider using
    `PAPERLESS_OCR_CLEAN=none`. This will speed up OCR times and use
    less memory at the expense of slightly worse OCR results.
-   If using docker, consider setting [`PAPERLESS_WEBSERVER_WORKERS`](configuration.md#PAPERLESS_WEBSERVER_WORKERS) to 1. This will save some memory.
+-   If using Docker, consider setting [`PAPERLESS_WEBSERVER_WORKERS`](configuration.md#PAPERLESS_WEBSERVER_WORKERS) to 1. This will save some memory.
 -   Consider setting [`PAPERLESS_ENABLE_NLTK`](configuration.md#PAPERLESS_ENABLE_NLTK) to false, to disable the
    more advanced language processing, which can take more memory and
    processing time.
@@ -731,17 +676,19 @@ For details, refer to [configuration](configuration.md).
    Updating the
    [automatic matching algorithm](advanced_usage.md#automatic-matching) takes quite a bit of time. However, the update mechanism
    checks if your data has changed before doing the heavy lifting. If you
-    experience the algorithm taking too much cpu time, consider changing the
+    experience the algorithm taking too much CPU time, consider changing the
    schedule in the admin interface to daily. You can also manually invoke
    the task by changing the date and time of the next run to today/now.

    The actual matching of the algorithm is fast and works on Raspberry Pi
    as well as on any other device.

-# Using nginx as a reverse proxy {#nginx}
+## Additional considerations

-Please see [the wiki](https://github.com/paperless-ngx/paperless-ngx/wiki/Using-a-Reverse-Proxy-with-Paperless-ngx#nginx) for user-maintained documentation of using nginx with Paperless-ngx.
+**Using a reverse proxy with Paperless-ngx**

-# Enhancing security {#security}
+Please see [the wiki](https://github.com/paperless-ngx/paperless-ngx/wiki/Using-a-Reverse-Proxy-with-Paperless-ngx#nginx) for user-maintained documentation on using nginx with Paperless-ngx.

-Please see [the wiki](https://github.com/paperless-ngx/paperless-ngx/wiki/Using-Security-Tools-with-Paperless-ngx) for user-maintained documentation of how to configure security tools like Fail2ban with Paperless-ngx.
+**Enhancing security**
+
+Please see [the wiki](https://github.com/paperless-ngx/paperless-ngx/wiki/Using-Security-Tools-with-Paperless-ngx) for user-maintained documentation on configuring security tools like Fail2ban with Paperless-ngx.
--- a/docs/usage.md
+++ b/docs/usage.md
@@ -348,6 +348,11 @@ permissions can be granted to limit access to certain parts of the UI (and corre

 Superusers can access all parts of the front and backend application as well as any and all objects. Superuser status can only be granted by another superuser.

+!!! tip
+
+    Because superuser accounts can see all objects and documents, you may want to use a regular account for day-to-day use. Additional superuser accounts can
+    be created via [cli](administration.md#create-superuser) or granted superuser status from an existing superuser account.
+
 #### Admin Status

 Admin status (Django 'staff status') grants access to viewing the paperless logs and the system status dialog
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "paperless-ngx"
-version = "2.20.6"
+version = "2.20.9"
 description = "A community-supported supercharged document management system: scan, index and archive all your physical documents"
 readme = "README.md"
 requires-python = ">=3.10"
--- a/src-ui/package.json
+++ b/src-ui/package.json
@@ -1,6 +1,6 @@
 {
  "name": "paperless-ngx-ui",
-  "version": "2.20.6",
+  "version": "2.20.9",
  "scripts": {
    "preinstall": "npx only-allow pnpm",
    "ng": "ng",
--- a/src-ui/src/app/components/admin/config/config.component.html
+++ b/src-ui/src/app/components/admin/config/config.component.html
@@ -19,13 +19,18 @@
                                <div class="col">
                                    <div class="card bg-light">
                                        <div class="card-body">
-                                            <div class="card-title">
-                                                <h6>
-                                                    {{option.title}}
-                                                    <a class="btn btn-sm btn-link" title="Read the documentation about this setting" i18n-title [href]="getDocsUrl(option.config_key)" target="_blank" referrerpolicy="no-referrer">
-                                                        <i-bs  name="info-circle"></i-bs>
-                                                    </a>
+                                            <div class="card-title d-flex align-items-center">
+                                                <h6 class="mb-0">
+                                                  {{option.title}}
                                                </h6>
+                                                <a class="btn btn-sm btn-link" title="Read the documentation about this setting" i18n-title [href]="getDocsUrl(option.config_key)" target="_blank" referrerpolicy="no-referrer">
+                                                    <i-bs name="info-circle"></i-bs>
+                                                </a>
+                                                @if (isSet(option.key)) {
+                                                  <button type="button" class="btn btn-sm btn-link text-danger ms-auto pe-0" title="Reset" i18n-title (click)="resetOption(option.key)">
+                                                      <i-bs class="me-1" name="x"></i-bs><ng-container i18n>Reset</ng-container>
+                                                  </button>
+                                                }
                                            </div>
                                            <div class="mb-n3">
                                                @switch (option.type) {
--- a/src-ui/src/app/components/admin/config/config.component.spec.ts
+++ b/src-ui/src/app/components/admin/config/config.component.spec.ts
@@ -144,4 +144,18 @@ describe('ConfigComponent', () => {
    component.uploadFile(new File([], 'test.png'), 'app_logo')
    expect(initSpy).toHaveBeenCalled()
  })
+
+  it('should reset option to null', () => {
+    component.configForm.patchValue({ output_type: OutputTypeConfig.PDF_A })
+    expect(component.isSet('output_type')).toBeTruthy()
+    component.resetOption('output_type')
+    expect(component.configForm.get('output_type').value).toBeNull()
+    expect(component.isSet('output_type')).toBeFalsy()
+    component.configForm.patchValue({ app_title: 'Test Title' })
+    component.resetOption('app_title')
+    expect(component.configForm.get('app_title').value).toBeNull()
+    component.configForm.patchValue({ barcodes_enabled: true })
+    component.resetOption('barcodes_enabled')
+    expect(component.configForm.get('barcodes_enabled').value).toBeNull()
+  })
 })
--- a/src-ui/src/app/components/admin/config/config.component.ts
+++ b/src-ui/src/app/components/admin/config/config.component.ts
@@ -208,4 +208,12 @@ export class ConfigComponent
        },
      })
  }
+
+  public isSet(key: string): boolean {
+    return this.configForm.get(key).value != null
+  }
+
+  public resetOption(key: string) {
+    this.configForm.get(key).setValue(null)
+  }
 }
--- a/src-ui/src/app/components/app-frame/app-frame.component.scss
+++ b/src-ui/src/app/components/app-frame/app-frame.component.scss
@@ -281,7 +281,7 @@ main {
 .navbar .dropdown-menu {
  font-size: 0.875rem; // body size

-  a i-bs {
+  a i-bs, button i-bs {
    opacity: 0.6;
  }
 }
--- a/src-ui/src/app/components/manage/management-list/management-list.component.html
+++ b/src-ui/src/app/components/manage/management-list/management-list.component.html
@@ -62,9 +62,9 @@

@if (!loading) {
  <div class="d-flex mb-2">
-    @if (collectionSize > 0) {
+    @if (displayCollectionSize > 0) {
      <div>
-        <ng-container i18n>{collectionSize, plural, =1 {One {{typeName}}} other {{{collectionSize || 0}} total {{typeNamePlural}}}}</ng-container>
+        <ng-container i18n>{displayCollectionSize, plural, =1 {One {{typeName}}} other {{{displayCollectionSize || 0}} total {{typeNamePlural}}}}</ng-container>
        @if (selectedObjects.size > 0) {
          &nbsp;({{selectedObjects.size}} selected)
        }
--- a/src-ui/src/app/components/manage/management-list/management-list.component.spec.ts
+++ b/src-ui/src/app/components/manage/management-list/management-list.component.spec.ts
@@ -229,7 +229,7 @@ describe('ManagementListComponent', () => {
    expect(reloadSpy).toHaveBeenCalled()
  })

-  it('should use the all list length for collection size when provided', fakeAsync(() => {
+  it('should use API count for pagination and all ids for displayed total', fakeAsync(() => {
    jest.spyOn(tagService, 'listFiltered').mockReturnValueOnce(
      of({
        count: 1,
@@ -241,7 +241,8 @@ describe('ManagementListComponent', () => {
    component.reloadData()
    tick(100)

-    expect(component.collectionSize).toBe(3)
+    expect(component.collectionSize).toBe(1)
+    expect(component.displayCollectionSize).toBe(3)
  }))

  it('should support quick filter for objects', () => {
--- a/src-ui/src/app/components/manage/management-list/management-list.component.ts
+++ b/src-ui/src/app/components/manage/management-list/management-list.component.ts
@@ -23,6 +23,7 @@ import {
  MatchingModel,
 } from 'src/app/data/matching-model'
 import { ObjectWithPermissions } from 'src/app/data/object-with-permissions'
+import { Results } from 'src/app/data/results'
 import {
  SortableDirective,
  SortEvent,
@@ -88,6 +89,7 @@ export abstract class ManagementListComponent<T extends MatchingModel>
  public page = 1

  public collectionSize = 0
+  public displayCollectionSize = 0

  public sortField: string
  public sortReverse: boolean
@@ -141,6 +143,14 @@ export abstract class ManagementListComponent<T extends MatchingModel>
    return data
  }

+  protected getCollectionSize(results: Results<T>): number {
+    return results.all?.length ?? results.count
+  }
+
+  protected getDisplayCollectionSize(results: Results<T>): number {
+    return this.getCollectionSize(results)
+  }
+
  getDocumentCount(object: MatchingModel): number {
    return (
      object.document_count ??
@@ -171,7 +181,8 @@ export abstract class ManagementListComponent<T extends MatchingModel>
        tap((c) => {
          this.unfilteredData = c.results
          this.data = this.filterData(c.results)
-          this.collectionSize = c.all?.length ?? c.count
+          this.collectionSize = this.getCollectionSize(c)
+          this.displayCollectionSize = this.getDisplayCollectionSize(c)
        }),
        delay(100)
      )
@@ -364,7 +375,7 @@ export abstract class ManagementListComponent<T extends MatchingModel>
      backdrop: 'static',
    })
    modal.componentInstance.title = $localize`Confirm delete`
-    modal.componentInstance.messageBold = $localize`This operation will permanently delete all objects.`
+    modal.componentInstance.messageBold = $localize`This operation will permanently delete the selected ${this.typeNamePlural}.`
    modal.componentInstance.message = $localize`This operation cannot be undone.`
    modal.componentInstance.btnClass = 'btn-danger'
    modal.componentInstance.btnCaption = $localize`Proceed`
--- a/src-ui/src/app/components/manage/tag-list/tag-list.component.ts
+++ b/src-ui/src/app/components/manage/tag-list/tag-list.component.ts
@@ -7,6 +7,7 @@ import {
 } from '@ng-bootstrap/ng-bootstrap'
 import { NgxBootstrapIconsModule } from 'ngx-bootstrap-icons'
 import { FILTER_HAS_TAGS_ALL } from 'src/app/data/filter-rule-type'
+import { Results } from 'src/app/data/results'
 import { Tag } from 'src/app/data/tag'
 import { IfPermissionsDirective } from 'src/app/directives/if-permissions.directive'
 import { SortableDirective } from 'src/app/directives/sortable.directive'
@@ -77,6 +78,16 @@ export class TagListComponent extends ManagementListComponent<Tag> {
    return data.filter((tag) => !tag.parent || !availableIds.has(tag.parent))
  }

+  protected override getCollectionSize(results: Results<Tag>): number {
+    // Tag list pages are requested with is_root=true (when unfiltered), so
+    // pagination must follow root count even though `all` includes descendants
+    return results.count
+  }
+
+  protected override getDisplayCollectionSize(results: Results<Tag>): number {
+    return super.getCollectionSize(results)
+  }
+
  protected override getSelectableIDs(tags: Tag[]): number[] {
    const ids: number[] = []
    for (const tag of tags.filter(Boolean)) {
--- a/src-ui/src/environments/environment.prod.ts
+++ b/src-ui/src/environments/environment.prod.ts
@@ -6,7 +6,7 @@ export const environment = {
  apiVersion: '9', // match src/paperless/settings.py
  appTitle: 'Paperless-ngx',
  tag: 'prod',
-  version: '2.20.6',
+  version: '2.20.9',
  webSocketHost: window.location.host,
  webSocketProtocol: window.location.protocol == 'https:' ? 'wss:' : 'ws:',
  webSocketBaseUrl: base_url.pathname + 'ws/',
--- a/src/documents/permissions.py
+++ b/src/documents/permissions.py
@@ -2,10 +2,17 @@ from django.contrib.auth.models import Group
 from django.contrib.auth.models import Permission
 from django.contrib.auth.models import User
 from django.contrib.contenttypes.models import ContentType
+from django.db.models import Count
+from django.db.models import IntegerField
+from django.db.models import OuterRef
 from django.db.models import Q
 from django.db.models import QuerySet
+from django.db.models import Subquery
+from django.db.models.functions import Cast
+from django.db.models.functions import Coalesce
 from guardian.core import ObjectPermissionChecker
 from guardian.models import GroupObjectPermission
+from guardian.models import UserObjectPermission
 from guardian.shortcuts import assign_perm
 from guardian.shortcuts import get_objects_for_user
 from guardian.shortcuts import get_users_with_perms
@@ -129,23 +136,96 @@ def set_permissions_for_object(permissions: dict, object, *, merge: bool = False
                        )


+def _permitted_document_ids(user):
+    """
+    Return a queryset of document IDs the user may view, limited to non-deleted
+    documents. This intentionally avoids ``get_objects_for_user`` to keep the
+    subquery small and index-friendly.
+    """
+
+    base_docs = Document.objects.filter(deleted_at__isnull=True).only("id", "owner")
+
+    if user is None or not getattr(user, "is_authenticated", False):
+        # Just Anonymous user e.g. for drf-spectacular
+        return base_docs.filter(owner__isnull=True).values_list("id", flat=True)
+
+    if getattr(user, "is_superuser", False):
+        return base_docs.values_list("id", flat=True)
+
+    document_ct = ContentType.objects.get_for_model(Document)
+    perm_filter = {
+        "permission__codename": "view_document",
+        "permission__content_type": document_ct,
+    }
+
+    user_perm_docs = (
+        UserObjectPermission.objects.filter(user=user, **perm_filter)
+        .annotate(object_pk_int=Cast("object_pk", IntegerField()))
+        .values_list("object_pk_int", flat=True)
+    )
+
+    group_perm_docs = (
+        GroupObjectPermission.objects.filter(group__user=user, **perm_filter)
+        .annotate(object_pk_int=Cast("object_pk", IntegerField()))
+        .values_list("object_pk_int", flat=True)
+    )
+
+    permitted_documents = user_perm_docs.union(group_perm_docs)
+
+    return base_docs.filter(
+        Q(owner=user) | Q(owner__isnull=True) | Q(id__in=permitted_documents),
+    ).values_list("id", flat=True)
+
+
 def get_document_count_filter_for_user(user):
    """
    Return the Q object used to filter document counts for the given user.
+
+    The filter is expressed as an ``id__in`` against a small subquery of permitted
+    document IDs to keep the generated SQL simple and avoid large OR clauses.
    """

-    if user is None or not getattr(user, "is_authenticated", False):
-        return Q(documents__deleted_at__isnull=True, documents__owner__isnull=True)
    if getattr(user, "is_superuser", False):
+        # Superuser: no permission filtering needed
        return Q(documents__deleted_at__isnull=True)
-    return Q(
-        documents__deleted_at__isnull=True,
-        documents__id__in=get_objects_for_user_owner_aware(
-            user,
-            "documents.view_document",
-            Document,
-        ).values_list("id", flat=True),
+
+    permitted_ids = _permitted_document_ids(user)
+    return Q(documents__id__in=permitted_ids)
+
+
+def annotate_document_count_for_related_queryset(
+    queryset,
+    through_model,
+    related_object_field: str,
+    target_field: str = "document_id",
+    user=None,
+):
+    """
+    Annotate a queryset with permissions-aware document counts using a subquery
+    against a relation table.
+
+    Args:
+        queryset: base queryset to annotate (must contain pk)
+        through_model: model representing the relation (e.g., Document.tags.through
+                       or CustomFieldInstance)
+        source_field: field on the relation pointing back to queryset pk
+        target_field: field on the relation pointing to Document id
+        user: the user for whom to filter permitted document ids
+    """
+
+    permitted_ids = _permitted_document_ids(user)
+    counts = (
+        through_model.objects.filter(
+            **{
+                related_object_field: OuterRef("pk"),
+                f"{target_field}__in": permitted_ids,
+            },
+        )
+        .values(related_object_field)
+        .annotate(c=Count(target_field))
+        .values("c")
    )
+    return queryset.annotate(document_count=Coalesce(Subquery(counts[:1]), 0))


 def get_objects_for_user_owner_aware(user, perms, Model) -> QuerySet:
--- a/src/documents/serialisers.py
+++ b/src/documents/serialisers.py
@@ -6,6 +6,7 @@ import re
 from datetime import datetime
 from decimal import Decimal
 from typing import TYPE_CHECKING
+from typing import Any
 from typing import Literal

 import magic
@@ -73,6 +74,8 @@ from documents.models import WorkflowTrigger
 from documents.parsers import is_mime_type_supported
 from documents.permissions import get_document_count_filter_for_user
 from documents.permissions import get_groups_with_only_permission
+from documents.permissions import get_objects_for_user_owner_aware
+from documents.permissions import has_perms_owner_aware
 from documents.permissions import set_permissions_for_object
 from documents.regex import validate_regex_pattern
 from documents.templating.filepath import validate_filepath_template_and_render
@@ -713,6 +716,9 @@ class StoragePathField(serializers.PrimaryKeyRelatedField):

 class CustomFieldSerializer(serializers.ModelSerializer):
    def __init__(self, *args, **kwargs):
+        # Ignore args passed by permissions mixin
+        kwargs.pop("user", None)
+        kwargs.pop("full_perms", None)
        context = kwargs.get("context")
        self.api_version = int(
            context.get("request").version
@@ -2174,6 +2180,17 @@ class ShareLinkSerializer(OwnedObjectSerializer):
        validated_data["slug"] = get_random_string(50)
        return super().create(validated_data)

+    def validate_document(self, document):
+        if self.user is not None and has_perms_owner_aware(
+            self.user,
+            "view_document",
+            document,
+        ):
+            return document
+        raise PermissionDenied(
+            _("Insufficient permissions."),
+        )
+

 class BulkEditObjectsSerializer(SerializerWithPerms, SetPermissionsMixin):
    objects = serializers.ListField(
@@ -2750,8 +2767,22 @@ class StoragePathTestSerializer(SerializerWithPerms):
    )

    document = serializers.PrimaryKeyRelatedField(
-        queryset=Document.objects.all(),
+        queryset=Document.objects.none(),
        required=True,
        label="Document",
        write_only=True,
    )
+
+    def __init__(self, *args: Any, **kwargs: Any) -> None:
+        super().__init__(*args, **kwargs)
+        request = self.context.get("request")
+        user = getattr(request, "user", None) if request else None
+        if user is not None and user.is_authenticated:
+            document_field = self.fields.get("document")
+            if not isinstance(document_field, serializers.PrimaryKeyRelatedField):
+                return
+            document_field.queryset = get_objects_for_user_owner_aware(
+                user,
+                "documents.view_document",
+                Document,
+            )
--- a/src/documents/templating/filepath.py
+++ b/src/documents/templating/filepath.py
@@ -193,6 +193,52 @@ def get_basic_metadata_context(
    }


+def get_safe_document_context(
+    document: Document,
+    tags: Iterable[Tag],
+) -> dict[str, object]:
+    """
+    Build a document context object to avoid supplying entire model instance.
+    """
+    return {
+        "id": document.pk,
+        "pk": document.pk,
+        "title": document.title,
+        "content": document.content,
+        "page_count": document.page_count,
+        "created": document.created,
+        "added": document.added,
+        "modified": document.modified,
+        "archive_serial_number": document.archive_serial_number,
+        "mime_type": document.mime_type,
+        "checksum": document.checksum,
+        "archive_checksum": document.archive_checksum,
+        "filename": document.filename,
+        "archive_filename": document.archive_filename,
+        "original_filename": document.original_filename,
+        "owner": {"username": document.owner.username, "id": document.owner.id}
+        if document.owner
+        else None,
+        "tags": [{"name": tag.name, "id": tag.id} for tag in tags],
+        "correspondent": (
+            {"name": document.correspondent.name, "id": document.correspondent.id}
+            if document.correspondent
+            else None
+        ),
+        "document_type": (
+            {"name": document.document_type.name, "id": document.document_type.id}
+            if document.document_type
+            else None
+        ),
+        "storage_path": {
+            "path": document.storage_path.path,
+            "id": document.storage_path.id,
+        }
+        if document.storage_path
+        else None,
+    }
+
+
 def get_tags_context(tags: Iterable[Tag]) -> dict[str, str | list[str]]:
    """
    Given an Iterable of tags, constructs some context from them for usage
@@ -303,7 +349,7 @@ def validate_filepath_template_and_render(

    # Build the context dictionary
    context = (
-        {"document": document}
+        {"document": get_safe_document_context(document, tags=tags_list)}
        | get_basic_metadata_context(document, no_value_default=NO_VALUE_PLACEHOLDER)
        | get_creation_date_context(document)
        | get_added_date_context(document)
--- a/src/documents/tests/test_api_bulk_edit.py
+++ b/src/documents/tests/test_api_bulk_edit.py
@@ -773,6 +773,22 @@ class TestBulkEditAPI(DirectoriesMixin, APITestCase):
            ],
        )

+    def test_api_selection_data_requires_view_permission(self):
+        self.doc2.owner = self.user
+        self.doc2.save()
+
+        user1 = User.objects.create(username="user1")
+        self.client.force_authenticate(user=user1)
+
+        response = self.client.post(
+            "/api/documents/selection_data/",
+            json.dumps({"documents": [self.doc2.id]}),
+            content_type="application/json",
+        )
+
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+        self.assertEqual(response.content, b"Insufficient permissions")
+
    @mock.patch("documents.serialisers.bulk_edit.set_permissions")
    def test_set_permissions(self, m):
        self.setup_mock(m, "set_permissions")
--- a/src/documents/tests/test_api_documents.py
+++ b/src/documents/tests/test_api_documents.py
@@ -2905,6 +2905,54 @@ class TestDocumentApi(DirectoriesMixin, DocumentConsumeDelayMixin, APITestCase):
        )
        self.assertEqual(resp.status_code, status.HTTP_200_OK)

+    def test_create_share_link_requires_view_permission_for_document(self):
+        """
+        GIVEN:
+            - A user with add_sharelink but without view permission on a document
+        WHEN:
+            - API request is made to create a share link for that document
+        THEN:
+            - Share link creation is denied until view permission is granted
+        """
+        user1 = User.objects.create_user(username="test1")
+        user1.user_permissions.add(*Permission.objects.filter(codename="add_sharelink"))
+        user1.save()
+
+        user2 = User.objects.create_user(username="test2")
+        user2.save()
+
+        doc = Document.objects.create(
+            title="test",
+            mime_type="application/pdf",
+            content="this is a document which will be protected",
+            owner=user2,
+        )
+
+        self.client.force_authenticate(user1)
+
+        create_resp = self.client.post(
+            "/api/share_links/",
+            data={
+                "document": doc.pk,
+                "file_version": "original",
+            },
+            format="json",
+        )
+        self.assertEqual(create_resp.status_code, status.HTTP_403_FORBIDDEN)
+
+        assign_perm("view_document", user1, doc)
+
+        create_resp = self.client.post(
+            "/api/share_links/",
+            data={
+                "document": doc.pk,
+                "file_version": "original",
+            },
+            format="json",
+        )
+        self.assertEqual(create_resp.status_code, status.HTTP_201_CREATED)
+        self.assertEqual(create_resp.data["document"], doc.pk)
+
    def test_next_asn(self):
        """
        GIVEN:
--- a/src/documents/tests/test_api_objects.py
+++ b/src/documents/tests/test_api_objects.py
@@ -5,10 +5,13 @@ from unittest import mock
 from django.contrib.auth.models import Permission
 from django.contrib.auth.models import User
 from django.test import override_settings
+from guardian.shortcuts import assign_perm
 from rest_framework import status
 from rest_framework.test import APITestCase

 from documents.models import Correspondent
+from documents.models import CustomField
+from documents.models import CustomFieldInstance
 from documents.models import Document
 from documents.models import DocumentType
 from documents.models import StoragePath
@@ -398,6 +401,292 @@ class TestApiStoragePaths(DirectoriesMixin, APITestCase):
        self.assertEqual(response.status_code, status.HTTP_200_OK)
        self.assertEqual(response.data, "folder/Something")

+    def test_test_storage_path_requires_document_view_permission(self) -> None:
+        owner = User.objects.create_user(username="owner")
+        unprivileged = User.objects.create_user(username="unprivileged")
+        document = Document.objects.create(
+            mime_type="application/pdf",
+            owner=owner,
+            title="Sensitive",
+            checksum="123",
+        )
+        self.client.force_authenticate(user=unprivileged)
+        response = self.client.post(
+            f"{self.ENDPOINT}test/",
+            json.dumps(
+                {
+                    "document": document.id,
+                    "path": "path/{{ title }}",
+                },
+            ),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+        self.assertIn("document", response.data)
+
+    def test_test_storage_path_allows_shared_document_view_permission(self) -> None:
+        owner = User.objects.create_user(username="owner")
+        viewer = User.objects.create_user(username="viewer")
+        document = Document.objects.create(
+            mime_type="application/pdf",
+            owner=owner,
+            title="Shared",
+            checksum="123",
+        )
+        assign_perm("view_document", viewer, document)
+
+        self.client.force_authenticate(user=viewer)
+        response = self.client.post(
+            f"{self.ENDPOINT}test/",
+            json.dumps(
+                {
+                    "document": document.id,
+                    "path": "path/{{ title }}",
+                },
+            ),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data, "path/Shared")
+
+    def test_test_storage_path_exposes_basic_document_context_but_not_sensitive_owner_data(
+        self,
+    ) -> None:
+        owner = User.objects.create_user(
+            username="owner",
+            password="password",
+            email="owner@example.com",
+        )
+        document = Document.objects.create(
+            mime_type="application/pdf",
+            owner=owner,
+            title="Document",
+            content="Top secret content",
+            page_count=2,
+            checksum="123",
+        )
+        self.client.force_authenticate(user=owner)
+
+        response = self.client.post(
+            f"{self.ENDPOINT}test/",
+            json.dumps(
+                {
+                    "document": document.id,
+                    "path": "{{ document.owner.username }}",
+                },
+            ),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data, "owner")
+
+        for expression, expected in (
+            ("{{ document.content }}", "Top secret content"),
+            ("{{ document.id }}", str(document.id)),
+            ("{{ document.page_count }}", "2"),
+        ):
+            response = self.client.post(
+                f"{self.ENDPOINT}test/",
+                json.dumps(
+                    {
+                        "document": document.id,
+                        "path": expression,
+                    },
+                ),
+                content_type="application/json",
+            )
+            self.assertEqual(response.status_code, status.HTTP_200_OK)
+            self.assertEqual(response.data, expected)
+
+        for expression in (
+            "{{ document.owner.password }}",
+            "{{ document.owner.email }}",
+        ):
+            response = self.client.post(
+                f"{self.ENDPOINT}test/",
+                json.dumps(
+                    {
+                        "document": document.id,
+                        "path": expression,
+                    },
+                ),
+                content_type="application/json",
+            )
+            self.assertEqual(response.status_code, status.HTTP_200_OK)
+            self.assertIsNone(response.data)
+
+    def test_test_storage_path_includes_related_objects_for_visible_document(
+        self,
+    ) -> None:
+        owner = User.objects.create_user(username="owner")
+        viewer = User.objects.create_user(username="viewer")
+        private_correspondent = Correspondent.objects.create(
+            name="Private Correspondent",
+            owner=owner,
+        )
+        document = Document.objects.create(
+            mime_type="application/pdf",
+            owner=owner,
+            correspondent=private_correspondent,
+            title="Document",
+            checksum="123",
+        )
+        assign_perm("view_document", viewer, document)
+
+        self.client.force_authenticate(user=viewer)
+        response = self.client.post(
+            f"{self.ENDPOINT}test/",
+            json.dumps(
+                {
+                    "document": document.id,
+                    "path": "{{ correspondent }}",
+                },
+            ),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data, "Private Correspondent")
+
+        response = self.client.post(
+            f"{self.ENDPOINT}test/",
+            json.dumps(
+                {
+                    "document": document.id,
+                    "path": (
+                        "{{ document.correspondent.name if document.correspondent else 'none' }}"
+                    ),
+                },
+            ),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data, "Private Correspondent")
+
+    def test_test_storage_path_superuser_can_view_private_related_objects(self) -> None:
+        owner = User.objects.create_user(username="owner")
+        private_correspondent = Correspondent.objects.create(
+            name="Private Correspondent",
+            owner=owner,
+        )
+        document = Document.objects.create(
+            mime_type="application/pdf",
+            owner=owner,
+            correspondent=private_correspondent,
+            title="Document",
+            checksum="123",
+        )
+
+        response = self.client.post(
+            f"{self.ENDPOINT}test/",
+            json.dumps(
+                {
+                    "document": document.id,
+                    "path": (
+                        "{{ document.correspondent.name if document.correspondent else 'none' }}"
+                    ),
+                },
+            ),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data, "Private Correspondent")
+
+    def test_test_storage_path_includes_doc_type_storage_path_and_tags(
+        self,
+    ) -> None:
+        owner = User.objects.create_user(username="owner")
+        viewer = User.objects.create_user(username="viewer")
+        private_document_type = DocumentType.objects.create(
+            name="Private Type",
+            owner=owner,
+        )
+        private_storage_path = StoragePath.objects.create(
+            name="Private Storage Path",
+            path="private/path",
+            owner=owner,
+        )
+        private_tag = Tag.objects.create(
+            name="Private Tag",
+            owner=owner,
+        )
+        document = Document.objects.create(
+            mime_type="application/pdf",
+            owner=owner,
+            document_type=private_document_type,
+            storage_path=private_storage_path,
+            title="Document",
+            checksum="123",
+        )
+        document.tags.add(private_tag)
+        assign_perm("view_document", viewer, document)
+
+        self.client.force_authenticate(user=viewer)
+        response = self.client.post(
+            f"{self.ENDPOINT}test/",
+            json.dumps(
+                {
+                    "document": document.id,
+                    "path": (
+                        "{{ document.document_type.name if document.document_type else 'none' }}/"
+                        "{{ document.storage_path.path if document.storage_path else 'none' }}/"
+                        "{{ document.tags[0].name if document.tags else 'none' }}"
+                    ),
+                },
+            ),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data, "Private Type/private/path/Private Tag")
+
+        response = self.client.post(
+            f"{self.ENDPOINT}test/",
+            json.dumps(
+                {
+                    "document": document.id,
+                    "path": "{{ document_type }}/{{ tag_list if tag_list else 'none' }}",
+                },
+            ),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data, "Private Type/Private Tag")
+
+    def test_test_storage_path_includes_custom_fields_for_visible_document(
+        self,
+    ) -> None:
+        owner = User.objects.create_user(username="owner")
+        viewer = User.objects.create_user(username="viewer")
+        document = Document.objects.create(
+            mime_type="application/pdf",
+            owner=owner,
+            title="Document",
+            checksum="123",
+        )
+        custom_field = CustomField.objects.create(
+            name="Secret Number",
+            data_type=CustomField.FieldDataType.INT,
+        )
+        CustomFieldInstance.objects.create(
+            document=document,
+            field=custom_field,
+            value_int=42,
+        )
+        assign_perm("view_document", viewer, document)
+
+        self.client.force_authenticate(user=viewer)
+        response = self.client.post(
+            f"{self.ENDPOINT}test/",
+            json.dumps(
+                {
+                    "document": document.id,
+                    "path": "{{ custom_fields | get_cf_value('Secret Number', 'none') }}",
+                },
+            ),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data, "42")
+

 class TestBulkEditObjects(APITestCase):
    # See test_api_permissions.py for bulk tests on permissions
--- a/src/documents/tests/test_file_handling.py
+++ b/src/documents/tests/test_file_handling.py
@@ -1382,11 +1382,11 @@ class TestFilenameGeneration(DirectoriesMixin, TestCase):
    def test_template_with_security(self):
        """
        GIVEN:
-            - Filename format with one or more undefined variables
+            - Filename format with an unavailable document attribute
        WHEN:
            - Filepath for a document with this format is called
        THEN:
-            - The first undefined variable is logged
+            - The missing attribute is logged
            - The default format is used
        """
        doc_a = Document.objects.create(
@@ -1408,7 +1408,7 @@ class TestFilenameGeneration(DirectoriesMixin, TestCase):
            self.assertEqual(len(capture.output), 1)
            self.assertEqual(
                capture.output[0],
-                "WARNING:paperless.templating:Template attempted restricted operation: <bound method Model.save of <Document: 2020-06-25 Does Matter>> is not safely callable",
+                "ERROR:paperless.templating:Template variable error: 'dict object' has no attribute 'save'",
            )

    def test_template_with_custom_fields(self):
--- a/src/documents/views.py
+++ b/src/documents/views.py
@@ -32,7 +32,6 @@ from django.db.models import Count
 from django.db.models import IntegerField
 from django.db.models import Max
 from django.db.models import Model
-from django.db.models import Q
 from django.db.models import Sum
 from django.db.models import When
 from django.db.models.functions import Length
@@ -128,6 +127,7 @@ from documents.matching import match_storage_paths
 from documents.matching import match_tags
 from documents.models import Correspondent
 from documents.models import CustomField
+from documents.models import CustomFieldInstance
 from documents.models import Document
 from documents.models import DocumentType
 from documents.models import Note
@@ -147,6 +147,7 @@ from documents.permissions import PaperlessAdminPermissions
 from documents.permissions import PaperlessNotePermissions
 from documents.permissions import PaperlessObjectPermissions
 from documents.permissions import ViewDocumentsPermissions
+from documents.permissions import annotate_document_count_for_related_queryset
 from documents.permissions import get_document_count_filter_for_user
 from documents.permissions import get_objects_for_user_owner_aware
 from documents.permissions import has_perms_owner_aware
@@ -370,22 +371,37 @@ class PermissionsAwareDocumentCountMixin(BulkPermissionMixin, PassUserMixin):
    Mixin to add document count to queryset, permissions-aware if needed
    """

+    # Default is simple relation path, override for through-table/count specialization.
+    document_count_through = None
+    document_count_source_field = None
+
    def get_document_count_filter(self):
        request = getattr(self, "request", None)
        user = getattr(request, "user", None) if request else None
        return get_document_count_filter_for_user(user)

    def get_queryset(self):
+        base_qs = super().get_queryset()
+
+        # Use optimized through-table counting when configured.
+        if self.document_count_through:
+            user = getattr(getattr(self, "request", None), "user", None)
+            return annotate_document_count_for_related_queryset(
+                base_qs,
+                through_model=self.document_count_through,
+                related_object_field=self.document_count_source_field,
+                user=user,
+            )
+
+        # Fallback: simple Count on relation with permission filter.
        filter = self.get_document_count_filter()
-        return (
-            super()
-            .get_queryset()
-            .annotate(document_count=Count("documents", filter=filter))
+        return base_qs.annotate(
+            document_count=Count("documents", filter=filter),
        )


@extend_schema_view(**generate_object_with_permissions_schema(CorrespondentSerializer))
-class CorrespondentViewSet(ModelViewSet, PermissionsAwareDocumentCountMixin):
+class CorrespondentViewSet(PermissionsAwareDocumentCountMixin, ModelViewSet):
    model = Correspondent

    queryset = Correspondent.objects.select_related("owner").order_by(Lower("name"))
@@ -422,8 +438,10 @@ class CorrespondentViewSet(ModelViewSet, PermissionsAwareDocumentCountMixin):


@extend_schema_view(**generate_object_with_permissions_schema(TagSerializer))
-class TagViewSet(ModelViewSet, PermissionsAwareDocumentCountMixin):
+class TagViewSet(PermissionsAwareDocumentCountMixin, ModelViewSet):
    model = Tag
+    document_count_through = Document.tags.through
+    document_count_source_field = "tag_id"

    queryset = Tag.objects.select_related("owner").order_by(
        Lower("name"),
@@ -466,12 +484,16 @@ class TagViewSet(ModelViewSet, PermissionsAwareDocumentCountMixin):
        descendant_pks = {pk for tag in all_tags for pk in tag.get_descendants_pks()}

        if descendant_pks:
-            filter_q = self.get_document_count_filter()
+            user = getattr(getattr(self, "request", None), "user", None)
            children_source = list(
-                Tag.objects.filter(pk__in=descendant_pks | {t.pk for t in all_tags})
-                .select_related("owner")
-                .annotate(document_count=Count("documents", filter=filter_q))
-                .order_by(*ordering),
+                annotate_document_count_for_related_queryset(
+                    Tag.objects.filter(pk__in=descendant_pks | {t.pk for t in all_tags})
+                    .select_related("owner")
+                    .order_by(*ordering),
+                    through_model=self.document_count_through,
+                    related_object_field=self.document_count_source_field,
+                    user=user,
+                ),
            )
        else:
            children_source = all_tags
@@ -498,7 +520,7 @@ class TagViewSet(ModelViewSet, PermissionsAwareDocumentCountMixin):


@extend_schema_view(**generate_object_with_permissions_schema(DocumentTypeSerializer))
-class DocumentTypeViewSet(ModelViewSet, PermissionsAwareDocumentCountMixin):
+class DocumentTypeViewSet(PermissionsAwareDocumentCountMixin, ModelViewSet):
    model = DocumentType

    queryset = DocumentType.objects.select_related("owner").order_by(Lower("name"))
@@ -1828,6 +1850,13 @@ class SelectionDataView(GenericAPIView):
        serializer.is_valid(raise_exception=True)

        ids = serializer.validated_data.get("documents")
+        permitted_documents = get_objects_for_user_owner_aware(
+            request.user,
+            "documents.view_document",
+            Document,
+        )
+        if permitted_documents.filter(pk__in=ids).count() != len(ids):
+            return HttpResponseForbidden("Insufficient permissions")

        correspondents = Correspondent.objects.annotate(
            document_count=Count(
@@ -2344,7 +2373,7 @@ class BulkDownloadView(GenericAPIView):


@extend_schema_view(**generate_object_with_permissions_schema(StoragePathSerializer))
-class StoragePathViewSet(ModelViewSet, PermissionsAwareDocumentCountMixin):
+class StoragePathViewSet(PermissionsAwareDocumentCountMixin, ModelViewSet):
    model = StoragePath

    queryset = StoragePath.objects.select_related("owner").order_by(
@@ -2389,7 +2418,10 @@ class StoragePathViewSet(ModelViewSet, PermissionsAwareDocumentCountMixin):
        """
        Test storage path against a document
        """
-        serializer = StoragePathTestSerializer(data=request.data)
+        serializer = StoragePathTestSerializer(
+            data=request.data,
+            context={"request": request},
+        )
        serializer.is_valid(raise_exception=True)

        document = serializer.validated_data.get("document")
@@ -2861,7 +2893,7 @@ class WorkflowViewSet(ModelViewSet):
    )


-class CustomFieldViewSet(ModelViewSet):
+class CustomFieldViewSet(PermissionsAwareDocumentCountMixin, ModelViewSet):
    permission_classes = (IsAuthenticated, PaperlessObjectPermissions)

    serializer_class = CustomFieldSerializer
@@ -2873,35 +2905,11 @@ class CustomFieldViewSet(ModelViewSet):
    filterset_class = CustomFieldFilterSet

    model = CustomField
+    document_count_through = CustomFieldInstance
+    document_count_source_field = "field_id"

    queryset = CustomField.objects.all().order_by("-created")

-    def get_queryset(self):
-        filter = (
-            Q(fields__document__deleted_at__isnull=True)
-            if self.request.user is None or self.request.user.is_superuser
-            else (
-                Q(
-                    fields__document__deleted_at__isnull=True,
-                    fields__document__id__in=get_objects_for_user_owner_aware(
-                        self.request.user,
-                        "documents.view_document",
-                        Document,
-                    ).values_list("id", flat=True),
-                )
-            )
-        )
-        return (
-            super()
-            .get_queryset()
-            .annotate(
-                document_count=Count(
-                    "fields",
-                    filter=filter,
-                ),
-            )
-        )
-

@extend_schema_view(
    get=extend_schema(
--- a/src/paperless/version.py
+++ b/src/paperless/version.py
@@ -1,6 +1,6 @@
 from typing import Final

-__version__: Final[tuple[int, int, int]] = (2, 20, 6)
+__version__: Final[tuple[int, int, int]] = (2, 20, 9)
 # Version string like X.Y.Z
 __full_version_str__: Final[str] = ".".join(map(str, __version__))
 # Version string like X.Y
--- a/src/paperless_mail/tests/test_api.py
+++ b/src/paperless_mail/tests/test_api.py
@@ -272,6 +272,24 @@ class TestAPIMailAccounts(DirectoriesMixin, APITestCase):
        self.assertEqual(response.status_code, status.HTTP_200_OK)
        self.assertEqual(response.data["success"], True)

+    def test_mail_account_test_existing_nonexistent_id_forbidden(self):
+        response = self.client.post(
+            f"{self.ENDPOINT}test/",
+            json.dumps(
+                {
+                    "id": 999999,
+                    "imap_server": "server.example.com",
+                    "imap_port": 443,
+                    "imap_security": MailAccount.ImapSecurity.SSL,
+                    "username": "admin",
+                    "password": "******",
+                },
+            ),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+        self.assertEqual(response.content.decode(), "Insufficient permissions")
+
    def test_get_mail_accounts_owner_aware(self):
        """
        GIVEN:
--- a/src/paperless_mail/tests/test_mail.py
+++ b/src/paperless_mail/tests/test_mail.py
@@ -9,6 +9,7 @@ from datetime import timedelta
 from unittest import mock

 import pytest
+from django.contrib.auth.models import Permission
 from django.contrib.auth.models import User
 from django.core.management import call_command
 from django.db import DatabaseError
@@ -1699,6 +1700,10 @@ class TestMailAccountTestView(APITestCase):
            username="testuser",
            password="testpassword",
        )
+        self.user.user_permissions.add(
+            *Permission.objects.filter(codename__in=["add_mailaccount"]),
+        )
+        self.user.save()
        self.client.force_authenticate(user=self.user)
        self.url = "/api/mail_accounts/test/"

@@ -1815,6 +1820,54 @@ class TestMailAccountTestView(APITestCase):
            expected_str = "Unable to refresh oauth token"
            self.assertIn(expected_str, error_str)

+    def test_mail_account_test_view_existing_forbidden_for_other_owner(self):
+        other_user = User.objects.create_user(
+            username="otheruser",
+            password="testpassword",
+        )
+        existing_account = MailAccount.objects.create(
+            name="Owned account",
+            imap_server="imap.example.com",
+            imap_port=993,
+            imap_security=MailAccount.ImapSecurity.SSL,
+            username="admin",
+            password="secret",
+            owner=other_user,
+        )
+        data = {
+            "id": existing_account.id,
+            "imap_server": "imap.example.com",
+            "imap_port": 993,
+            "imap_security": MailAccount.ImapSecurity.SSL,
+            "username": "admin",
+            "password": "****",
+            "is_token": False,
+        }
+
+        response = self.client.post(self.url, data, format="json")
+
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+        self.assertEqual(response.content.decode(), "Insufficient permissions")
+
+    def test_mail_account_test_view_requires_add_permission_without_account_id(self):
+        self.user.user_permissions.remove(
+            *Permission.objects.filter(codename__in=["add_mailaccount"]),
+        )
+        self.user.save()
+        data = {
+            "imap_server": "imap.example.com",
+            "imap_port": 993,
+            "imap_security": MailAccount.ImapSecurity.SSL,
+            "username": "admin",
+            "password": "secret",
+            "is_token": False,
+        }
+
+        response = self.client.post(self.url, data, format="json")
+
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+        self.assertEqual(response.content.decode(), "Insufficient permissions")
+

 class TestMailAccountProcess(APITestCase):
    def setUp(self):
--- a/src/paperless_mail/views.py
+++ b/src/paperless_mail/views.py
@@ -86,13 +86,34 @@ class MailAccountViewSet(ModelViewSet, PassUserMixin):
        request.data["name"] = datetime.datetime.now().isoformat()
        serializer = self.get_serializer(data=request.data)
        serializer.is_valid(raise_exception=True)
+        existing_account = None
+        account_id = request.data.get("id")

-        # account exists, use the password from there instead of *** and refresh_token / expiration
+        # testing a new connection requires add permission
+        if account_id is None and not request.user.has_perms(
+            ["paperless_mail.add_mailaccount"],
+        ):
+            return HttpResponseForbidden("Insufficient permissions")
+
+        # testing an existing account requires change permission on that account
+        if account_id is not None:
+            try:
+                existing_account = MailAccount.objects.get(pk=account_id)
+            except (TypeError, ValueError, MailAccount.DoesNotExist):
+                return HttpResponseForbidden("Insufficient permissions")
+
+            if not has_perms_owner_aware(
+                request.user,
+                "change_mailaccount",
+                existing_account,
+            ):
+                return HttpResponseForbidden("Insufficient permissions")
+
+        # account exists, use the password from there instead of ***
        if (
            len(serializer.validated_data.get("password").replace("*", "")) == 0
-            and request.data["id"] is not None
+            and existing_account is not None
        ):
-            existing_account = MailAccount.objects.get(pk=request.data["id"])
            serializer.validated_data["password"] = existing_account.password
            serializer.validated_data["account_type"] = existing_account.account_type
            serializer.validated_data["refresh_token"] = existing_account.refresh_token
@@ -106,7 +127,8 @@ class MailAccountViewSet(ModelViewSet, PassUserMixin):
        ) as M:
            try:
                if (
-                    account.is_token
+                    existing_account is not None
+                    and account.is_token
                    and account.expiration is not None
                    and account.expiration < timezone.now()
                ):
@@ -248,6 +270,7 @@ class OauthCallbackView(GenericAPIView):
                imap_server=imap_server,
                refresh_token=refresh_token,
                expiration=timezone.now() + timedelta(seconds=expires_in),
+                owner=request.user,
                defaults=defaults,
            )
            return HttpResponseRedirect(
--- a/uv.lock
+++ b/uv.lock
@@ -1991,7 +1991,7 @@ wheels = [

 [[package]]
 name = "paperless-ngx"
-version = "2.20.6"
+version = "2.20.9"
 source = { virtual = "." }
 dependencies = [
    { name = "babel", marker = "sys_platform == 'darwin' or sys_platform == 'linux'" },
Author	SHA1	Message	Date
shamoon	47f9f642a9	Bump version to 2.20.9	2026-02-28 01:35:26 -08:00
shamoon	8bfebc3b9b	Merge branch 'release/v2.20.x'	2026-02-28 01:34:33 -08:00
shamoon	c7f83212a3	Enforce on selection_data too	2026-02-28 01:27:40 -08:00
shamoon	b010f65ae7	Fix GHSA-386h-chg4-cfw9	2026-02-28 01:16:53 -08:00
shamoon	89d3a53603	Documentation: note GHSAs in changelog	2026-02-26 23:26:35 -08:00
shamoon	9601b3d597	Fixhancement: config option reset (#12176 )	2026-02-26 10:03:54 -08:00
shamoon	13e07844fe	Fix: separate displayed and API collection sizes for tags (#12170 )	2026-02-25 17:25:36 -08:00
shamoon	be82fcb70a	Documentation: docs cleanup (#12158 )	2026-02-24 15:10:38 -08:00
github-actions[bot]	98298e37cd	Changelog v2.20.8 - GHA (#12135 ) Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>	2026-02-21 17:43:19 -08:00
shamoon	35be0850ec	Bump version to 2.20.8	2026-02-21 16:49:52 -08:00
shamoon	1bb4b9b473	More permissions on mail account test endpoint	2026-02-21 16:47:55 -08:00
shamoon	f85094dc2b	Set owner on OAuth mail credentials	2026-02-21 16:37:32 -08:00
shamoon	65ca78e9e7	Security: fix/GHSA-7qqc-wrcw-2fj9	2026-02-21 16:34:33 -08:00
github-actions[bot]	5c1bbcd06d	Documentation: Add v2.20.7 changelog (#12100 ) --------- Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: shamoon <4887959+shamoon@users.noreply.github.com>	2026-02-16 09:00:19 -08:00
shamoon	bc734798e3	Add permissions	2026-02-16 08:12:45 -08:00
shamoon	5ecbfc9df7	Split build vs deploy docs	2026-02-16 07:46:09 -08:00
shamoon	e63b62d531	Bump version to 2.20.7	2026-02-16 07:26:59 -08:00
shamoon	dd3ec83569	Fix: correct user dropdown button icon styling (#12092 )	2026-02-16 07:26:52 -08:00
shamoon	7a23356898	Merge branch 'release/v2.20.x'	2026-02-16 07:24:37 -08:00
shamoon	afaf39e43a	Fix/GHSA-x395-6h48-wr8v	2026-02-16 00:02:15 -08:00
shamoon	5b45b89d35	Performance fix: use subqueries to improve object retrieval in large installs (#11950 )	2026-02-05 08:46:32 -08:00
shamoon	5b9bb147cf	Tweakhancement: tweak bulk delete text (#11967 )	2026-02-01 12:16:30 -08:00
shamoon	c278f52fb2	Fix: fix broken docker create_classifier command in 2.20.6 (#11965 )	2026-02-01 12:09:52 -08:00