refactor: clarify isolation_level intent and cache_size unit

Add comment explaining isolation_level is explicit even though Django
defaults to the same value, so the intent survives future Django changes.
Add KiB unit comment to cache_size=-8000.
Rename sqlite-init-command-override test to sqlite-options-override to
reflect that both init_command and transaction_mode are being overridden.

.github/dependabot.yml

@@ -164,6 +164,8 @@ updates:
     directory: "/" # Location of package manifests
     schedule:
       interval: "monthly"
+    cooldown:
+      default-days: 7
     groups:
       pre-commit-dependencies:
         patterns:

.github/workflows/ci-backend.yml

@@ -30,10 +30,13 @@ jobs:
           persist-credentials: false
       - name: Decide run mode
         id: force
+        env:
+          EVENT_NAME: ${{ github.event_name }}
+          REF_NAME: ${{ github.ref_name }}
         run: |
-          if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
+          if [[ "${EVENT_NAME}" == "workflow_dispatch" ]]; then
             echo "run_all=true" >> "$GITHUB_OUTPUT"
-          elif [[ "${{ github.event_name }}" == "push" && ( "${{ github.ref_name }}" == "main" || "${{ github.ref_name }}" == "dev" ) ]]; then
+          elif [[ "${EVENT_NAME}" == "push" && ( "${REF_NAME}" == "main" || "${REF_NAME}" == "dev" ) ]]; then
             echo "run_all=true" >> "$GITHUB_OUTPUT"
           else
             echo "run_all=false" >> "$GITHUB_OUTPUT"
@@ -41,15 +44,22 @@ jobs:
       - name: Set diff range
         id: range
         if: steps.force.outputs.run_all != 'true'
+        env:
+          BEFORE_SHA: ${{ github.event.before }}
+          DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
+          EVENT_CREATED: ${{ github.event.created }}
+          EVENT_NAME: ${{ github.event_name }}
+          PR_BASE_SHA: ${{ github.event.pull_request.base.sha }}
+          SHA: ${{ github.sha }}
         run: |
-          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
-            echo "base=${{ github.event.pull_request.base.sha }}" >> "$GITHUB_OUTPUT"
-          elif [[ "${{ github.event.created }}" == "true" ]]; then
-            echo "base=${{ github.event.repository.default_branch }}" >> "$GITHUB_OUTPUT"
+          if [[ "${EVENT_NAME}" == "pull_request" ]]; then
+            echo "base=${PR_BASE_SHA}" >> "$GITHUB_OUTPUT"
+          elif [[ "${EVENT_CREATED}" == "true" ]]; then
+            echo "base=${DEFAULT_BRANCH}" >> "$GITHUB_OUTPUT"
           else
-            echo "base=${{ github.event.before }}" >> "$GITHUB_OUTPUT"
+            echo "base=${BEFORE_SHA}" >> "$GITHUB_OUTPUT"
           fi
-          echo "ref=${{ github.sha }}" >> "$GITHUB_OUTPUT"
+          echo "ref=${SHA}" >> "$GITHUB_OUTPUT"
       - name: Detect changes
         id: filter
         if: steps.force.outputs.run_all != 'true'
@@ -90,7 +100,7 @@ jobs:
         with:
           python-version: "${{ matrix.python-version }}"
       - name: Install uv
-        uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1
+        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
         with:
           version: ${{ env.DEFAULT_UV_VERSION }}
           enable-cache: true
@@ -104,9 +114,11 @@ jobs:
         run: |
           sudo cp docker/rootfs/etc/ImageMagick-6/paperless-policy.xml /etc/ImageMagick-6/policy.xml
       - name: Install Python dependencies
+        env:
+          PYTHON_VERSION: ${{ steps.setup-python.outputs.python-version }}
         run: |
           uv sync \
-            --python ${{ steps.setup-python.outputs.python-version }} \
+            --python "${PYTHON_VERSION}" \
             --group testing \
             --frozen
       - name: List installed Python dependencies
@@ -114,26 +126,27 @@ jobs:
           uv pip list
       - name: Install NLTK data
         run: |
-          uv run python -m nltk.downloader punkt punkt_tab snowball_data stopwords -d ${{ env.NLTK_DATA }}
+          uv run python -m nltk.downloader punkt punkt_tab snowball_data stopwords -d "${NLTK_DATA}"
       - name: Run tests
         env:
           NLTK_DATA: ${{ env.NLTK_DATA }}
           PAPERLESS_CI_TEST: 1
+          PYTHON_VERSION: ${{ steps.setup-python.outputs.python-version }}
         run: |
           uv run \
-            --python ${{ steps.setup-python.outputs.python-version }} \
+            --python "${PYTHON_VERSION}" \
             --dev \
             --frozen \
             pytest
       - name: Upload test results to Codecov
         if: always()
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
+        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
         with:
           flags: backend-python-${{ matrix.python-version }}
           files: junit.xml
           report_type: test_results
       - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
+        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
         with:
           flags: backend-python-${{ matrix.python-version }}
           files: coverage.xml
@@ -152,6 +165,7 @@ jobs:
       contents: read
     env:
       DEFAULT_PYTHON: "3.12"
+      PAPERLESS_SECRET_KEY: "ci-typing-not-a-real-secret"
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -163,15 +177,17 @@ jobs:
         with:
           python-version: "${{ env.DEFAULT_PYTHON }}"
       - name: Install uv
-        uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1
+        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
         with:
           version: ${{ env.DEFAULT_UV_VERSION }}
           enable-cache: true
           python-version: ${{ steps.setup-python.outputs.python-version }}
       - name: Install Python dependencies
+        env:
+          PYTHON_VERSION: ${{ steps.setup-python.outputs.python-version }}
         run: |
           uv sync \
-            --python ${{ steps.setup-python.outputs.python-version }} \
+            --python "${PYTHON_VERSION}" \
             --group testing \
             --group typing \
             --frozen
@@ -207,19 +223,23 @@ jobs:
     runs-on: ubuntu-slim
     steps:
       - name: Check gate
+        env:
+          BACKEND_CHANGED: ${{ needs.changes.outputs.backend_changed }}
+          TEST_RESULT: ${{ needs.test.result }}
+          TYPING_RESULT: ${{ needs.typing.result }}
         run: |
-          if [[ "${{ needs.changes.outputs.backend_changed }}" != "true" ]]; then
+          if [[ "${BACKEND_CHANGED}" != "true" ]]; then
             echo "No backend-relevant changes detected."
             exit 0
           fi
 
-          if [[ "${{ needs.test.result }}" != "success" ]]; then
-            echo "::error::Backend test job result: ${{ needs.test.result }}"
+          if [[ "${TEST_RESULT}" != "success" ]]; then
+            echo "::error::Backend test job result: ${TEST_RESULT}"
             exit 1
           fi
 
-          if [[ "${{ needs.typing.result }}" != "success" ]]; then
-            echo "::error::Backend typing job result: ${{ needs.typing.result }}"
+          if [[ "${TYPING_RESULT}" != "success" ]]; then
+            echo "::error::Backend typing job result: ${TYPING_RESULT}"
             exit 1
           fi
 

.github/workflows/ci-docker.yml

@@ -166,6 +166,7 @@ jobs:
     runs-on: ubuntu-24.04
     needs: build-arch
     if: needs.build-arch.outputs.should-push == 'true'
+    environment: image-publishing
     permissions:
       contents: read
       packages: write

.github/workflows/ci-docs.yml

@@ -78,7 +78,7 @@ jobs:
         with:
           python-version: ${{ env.DEFAULT_PYTHON_VERSION }}
       - name: Install uv
-        uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1
+        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
         with:
           version: ${{ env.DEFAULT_UV_VERSION }}
           enable-cache: true

.github/workflows/ci-frontend.yml

@@ -27,10 +27,13 @@ jobs:
           persist-credentials: false
       - name: Decide run mode
         id: force
+        env:
+          EVENT_NAME: ${{ github.event_name }}
+          REF_NAME: ${{ github.ref_name }}
         run: |
-          if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
+          if [[ "${EVENT_NAME}" == "workflow_dispatch" ]]; then
             echo "run_all=true" >> "$GITHUB_OUTPUT"
-          elif [[ "${{ github.event_name }}" == "push" && ( "${{ github.ref_name }}" == "main" || "${{ github.ref_name }}" == "dev" ) ]]; then
+          elif [[ "${EVENT_NAME}" == "push" && ( "${REF_NAME}" == "main" || "${REF_NAME}" == "dev" ) ]]; then
             echo "run_all=true" >> "$GITHUB_OUTPUT"
           else
             echo "run_all=false" >> "$GITHUB_OUTPUT"
@@ -38,15 +41,22 @@ jobs:
       - name: Set diff range
         id: range
         if: steps.force.outputs.run_all != 'true'
+        env:
+          BEFORE_SHA: ${{ github.event.before }}
+          DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
+          EVENT_CREATED: ${{ github.event.created }}
+          EVENT_NAME: ${{ github.event_name }}
+          PR_BASE_SHA: ${{ github.event.pull_request.base.sha }}
+          SHA: ${{ github.sha }}
         run: |
-          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
-            echo "base=${{ github.event.pull_request.base.sha }}" >> "$GITHUB_OUTPUT"
-          elif [[ "${{ github.event.created }}" == "true" ]]; then
-            echo "base=${{ github.event.repository.default_branch }}" >> "$GITHUB_OUTPUT"
+          if [[ "${EVENT_NAME}" == "pull_request" ]]; then
+            echo "base=${PR_BASE_SHA}" >> "$GITHUB_OUTPUT"
+          elif [[ "${EVENT_CREATED}" == "true" ]]; then
+            echo "base=${DEFAULT_BRANCH}" >> "$GITHUB_OUTPUT"
           else
-            echo "base=${{ github.event.before }}" >> "$GITHUB_OUTPUT"
+            echo "base=${BEFORE_SHA}" >> "$GITHUB_OUTPUT"
           fi
-          echo "ref=${{ github.sha }}" >> "$GITHUB_OUTPUT"
+          echo "ref=${SHA}" >> "$GITHUB_OUTPUT"
       - name: Detect changes
         id: filter
         if: steps.force.outputs.run_all != 'true'
@@ -164,13 +174,13 @@ jobs:
         run: cd src-ui && pnpm run test --max-workers=2 --shard=${{ matrix.shard-index }}/${{ matrix.shard-count }}
       - name: Upload test results to Codecov
         if: always()
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
+        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
         with:
           flags: frontend-node-${{ matrix.node-version }}
           directory: src-ui/
           report_type: test_results
       - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
+        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
         with:
           flags: frontend-node-${{ matrix.node-version }}
           directory: src-ui/coverage/
@@ -181,7 +191,7 @@ jobs:
     runs-on: ubuntu-24.04
     permissions:
       contents: read
-    container: mcr.microsoft.com/playwright:v1.58.2-noble
+    container: mcr.microsoft.com/playwright:v1.59.0-noble
     env:
       PLAYWRIGHT_BROWSERS_PATH: /ms-playwright
       PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1
@@ -224,6 +234,7 @@ jobs:
     needs: [changes, unit-tests, e2e-tests]
     if: needs.changes.outputs.frontend_changed == 'true'
     runs-on: ubuntu-24.04
+    environment: bundle-analysis
     permissions:
       contents: read
     steps:
@@ -262,34 +273,41 @@ jobs:
     runs-on: ubuntu-slim
     steps:
       - name: Check gate
+        env:
+          BUNDLE_ANALYSIS_RESULT: ${{ needs['bundle-analysis'].result }}
+          E2E_RESULT: ${{ needs['e2e-tests'].result }}
+          FRONTEND_CHANGED: ${{ needs.changes.outputs.frontend_changed }}
+          INSTALL_RESULT: ${{ needs['install-dependencies'].result }}
+          LINT_RESULT: ${{ needs.lint.result }}
+          UNIT_RESULT: ${{ needs['unit-tests'].result }}
         run: |
-          if [[ "${{ needs.changes.outputs.frontend_changed }}" != "true" ]]; then
+          if [[ "${FRONTEND_CHANGED}" != "true" ]]; then
             echo "No frontend-relevant changes detected."
             exit 0
           fi
 
-          if [[ "${{ needs['install-dependencies'].result }}" != "success" ]]; then
-            echo "::error::Frontend install job result: ${{ needs['install-dependencies'].result }}"
+          if [[ "${INSTALL_RESULT}" != "success" ]]; then
+            echo "::error::Frontend install job result: ${INSTALL_RESULT}"
             exit 1
           fi
 
-          if [[ "${{ needs.lint.result }}" != "success" ]]; then
-            echo "::error::Frontend lint job result: ${{ needs.lint.result }}"
+          if [[ "${LINT_RESULT}" != "success" ]]; then
+            echo "::error::Frontend lint job result: ${LINT_RESULT}"
             exit 1
           fi
 
-          if [[ "${{ needs['unit-tests'].result }}" != "success" ]]; then
-            echo "::error::Frontend unit-tests job result: ${{ needs['unit-tests'].result }}"
+          if [[ "${UNIT_RESULT}" != "success" ]]; then
+            echo "::error::Frontend unit-tests job result: ${UNIT_RESULT}"
             exit 1
           fi
 
-          if [[ "${{ needs['e2e-tests'].result }}" != "success" ]]; then
-            echo "::error::Frontend e2e-tests job result: ${{ needs['e2e-tests'].result }}"
+          if [[ "${E2E_RESULT}" != "success" ]]; then
+            echo "::error::Frontend e2e-tests job result: ${E2E_RESULT}"
             exit 1
           fi
 
-          if [[ "${{ needs['bundle-analysis'].result }}" != "success" ]]; then
-            echo "::error::Frontend bundle-analysis job result: ${{ needs['bundle-analysis'].result }}"
+          if [[ "${BUNDLE_ANALYSIS_RESULT}" != "success" ]]; then
+            echo "::error::Frontend bundle-analysis job result: ${BUNDLE_ANALYSIS_RESULT}"
             exit 1
           fi
 

.github/workflows/ci-release.yml

@@ -58,23 +58,27 @@ jobs:
         with:
           python-version: ${{ env.DEFAULT_PYTHON_VERSION }}
       - name: Install uv
-        uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1
+        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
         with:
           version: ${{ env.DEFAULT_UV_VERSION }}
           enable-cache: false
           python-version: ${{ steps.setup-python.outputs.python-version }}
       - name: Install Python dependencies
+        env:
+          PYTHON_VERSION: ${{ steps.setup-python.outputs.python-version }}
         run: |
-          uv sync --python ${{ steps.setup-python.outputs.python-version }} --dev --frozen
+          uv sync --python "${PYTHON_VERSION}" --dev --frozen
       - name: Install system dependencies
         run: |
           sudo apt-get update -qq
           sudo apt-get install -qq --no-install-recommends gettext liblept5
       # ---- Build Documentation ----
       - name: Build documentation
+        env:
+          PYTHON_VERSION: ${{ steps.setup-python.outputs.python-version }}
         run: |
           uv run \
-            --python ${{ steps.setup-python.outputs.python-version }} \
+            --python "${PYTHON_VERSION}" \
             --dev \
             --frozen \
             zensical build --clean
@@ -83,16 +87,22 @@ jobs:
         run: |
           uv export --quiet --no-dev --all-extras --format requirements-txt --output-file requirements.txt
       - name: Compile messages
+        env:
+          PAPERLESS_SECRET_KEY: "ci-release-not-a-real-secret"
+          PYTHON_VERSION: ${{ steps.setup-python.outputs.python-version }}
         run: |
           cd src/
           uv run \
-            --python ${{ steps.setup-python.outputs.python-version }} \
+            --python "${PYTHON_VERSION}" \
             manage.py compilemessages
       - name: Collect static files
+        env:
+          PAPERLESS_SECRET_KEY: "ci-release-not-a-real-secret"
+          PYTHON_VERSION: ${{ steps.setup-python.outputs.python-version }}
         run: |
           cd src/
           uv run \
-            --python ${{ steps.setup-python.outputs.python-version }} \
+            --python "${PYTHON_VERSION}" \
             manage.py collectstatic --no-input --clear
       - name: Assemble release package
         run: |
@@ -201,7 +211,7 @@ jobs:
         with:
           python-version: ${{ env.DEFAULT_PYTHON_VERSION }}
       - name: Install uv
-        uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1
+        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
         with:
           version: ${{ env.DEFAULT_UV_VERSION }}
           enable-cache: false
@@ -210,9 +220,13 @@ jobs:
         working-directory: docs
         env:
           CHANGELOG: ${{ needs.publish-release.outputs.changelog }}
+          PYTHON_VERSION: ${{ steps.setup-python.outputs.python-version }}
+          VERSION: ${{ needs.publish-release.outputs.version }}
         run: |
-          git branch ${{ needs.publish-release.outputs.version }}-changelog
-          git checkout ${{ needs.publish-release.outputs.version }}-changelog
+          branch_name="${VERSION}-changelog"
+
+          git branch "${branch_name}"
+          git checkout "${branch_name}"
 
           printf '# Changelog\n\n%s\n' "${CHANGELOG}" > changelog-new.md
 
@@ -227,24 +241,28 @@ jobs:
           mv changelog-new.md changelog.md
 
           uv run \
-            --python ${{ steps.setup-python.outputs.python-version }} \
+            --python "${PYTHON_VERSION}" \
             --dev \
             prek run --files changelog.md || true
 
           git config --global user.name "github-actions"
           git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          git commit -am "Changelog ${{ needs.publish-release.outputs.version }} - GHA"
-          git push origin ${{ needs.publish-release.outputs.version }}-changelog
+          git commit -am "Changelog ${VERSION} - GHA"
+          git push origin "${branch_name}"
       - name: Create pull request
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        env:
+          VERSION: ${{ needs.publish-release.outputs.version }}
         with:
           script: |
             const { repo, owner } = context.repo;
+            const version = process.env.VERSION;
+            const head = `${version}-changelog`;
             const result = await github.rest.pulls.create({
-              title: 'Documentation: Add ${{ needs.publish-release.outputs.version }} changelog',
+              title: `Documentation: Add ${version} changelog`,
               owner,
               repo,
-              head: '${{ needs.publish-release.outputs.version }}-changelog',
+              head,
               base: 'main',
               body: 'This PR is auto-generated by CI.'
             });

.github/workflows/cleanup-tags.yml

@@ -18,6 +18,7 @@ jobs:
     name: Cleanup Image Tags for ${{ matrix.primary-name }}
     if: github.repository_owner == 'paperless-ngx'
     runs-on: ubuntu-24.04
+    environment: registry-maintenance
     strategy:
       fail-fast: false
       matrix:
@@ -44,6 +45,7 @@ jobs:
     runs-on: ubuntu-24.04
     needs:
       - cleanup-images
+    environment: registry-maintenance
     strategy:
       fail-fast: false
       matrix:

.github/workflows/codeql-analysis.yml

@@ -39,7 +39,7 @@ jobs:
           persist-credentials: false
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@c793b717bc78562f491db7b0e93a3a178b099162 # v4.32.5
+        uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -47,4 +47,4 @@ jobs:
           # Prefix the list here with "+" to use these queries and those in the config file.
           # queries: ./path/to/local/query, your-org/your-repo/queries@main
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@c793b717bc78562f491db7b0e93a3a178b099162 # v4.32.5
+        uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1

.github/workflows/crowdin.yml

@@ -14,6 +14,7 @@ jobs:
     name: Crowdin Sync
     if: github.repository_owner == 'paperless-ngx'
     runs-on: ubuntu-24.04
+    environment: translation-sync
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -21,7 +22,7 @@ jobs:
           token: ${{ secrets.PNGX_BOT_PAT }}
           persist-credentials: false
       - name: crowdin action
-        uses: crowdin/github-action@8818ff65bfc4322384f983ea37e3926948c11745 # v2.15.0
+        uses: crowdin/github-action@7ca9c452bfe9197d3bb7fa83a4d7e2b0c9ae835d # v2.16.0
         with:
           upload_translations: false
           download_translations: true

.github/workflows/translate-strings.yml

@@ -7,6 +7,7 @@ jobs:
   generate-translate-strings:
     name: Generate Translation Strings
     runs-on: ubuntu-latest
+    environment: translation-sync
     permissions:
       contents: write
     steps:
@@ -26,7 +27,7 @@ jobs:
           sudo apt-get update -qq
           sudo apt-get install -qq --no-install-recommends gettext
       - name: Install uv
-        uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1
+        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
         with:
           enable-cache: true
       - name: Install backend python dependencies
@@ -35,6 +36,8 @@ jobs:
             --group dev \
             --frozen
       - name: Generate backend translation strings
+        env:
+          PAPERLESS_SECRET_KEY: "ci-translate-not-a-real-secret"
         run: cd src/ && uv run manage.py makemessages -l en_US -i "samples*"
       - name: Install pnpm
         uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0

.github/zizmor.yml

@@ -3,54 +3,22 @@ rules:
     ignore:
       # github.event_name is a GitHub-internal constant (push/pull_request/etc.),
       # not attacker-controllable.
-      - ci-backend.yml:35
       - ci-docker.yml:74
       - ci-docs.yml:33
-      - ci-frontend.yml:32
       # github.event.repository.default_branch refers to the target repo's setting,
       # which only admins can change; not influenced by fork PR authors.
-      - ci-backend.yml:47
       - ci-docs.yml:45
-      - ci-frontend.yml:44
       # steps.setup-python.outputs.python-version is always a semver string (e.g. "3.12.0")
       # produced by actions/setup-python from a hardcoded env var input.
-      - ci-backend.yml:106
-      - ci-backend.yml:121
-      - ci-backend.yml:169
       - ci-docs.yml:88
       - ci-docs.yml:92
-      - ci-release.yml:69
-      - ci-release.yml:78
-      - ci-release.yml:90
-      - ci-release.yml:96
-      - ci-release.yml:229
       # needs.*.result is always one of: success/failure/cancelled/skipped.
-      - ci-backend.yml:211
-      - ci-backend.yml:212
-      - ci-backend.yml:216
       - ci-docs.yml:131
       - ci-docs.yml:132
-      - ci-frontend.yml:259
-      - ci-frontend.yml:260
-      - ci-frontend.yml:264
-      - ci-frontend.yml:269
-      - ci-frontend.yml:274
-      - ci-frontend.yml:279
       # needs.changes.outputs.* is always "true" or "false".
-      - ci-backend.yml:206
       - ci-docs.yml:126
-      - ci-frontend.yml:254
       # steps.build.outputs.digest is always a SHA256 digest (sha256:[a-f0-9]{64}).
       - ci-docker.yml:152
-      # needs.publish-release.outputs.version is the git tag name (e.g. v2.14.0);
-      # only maintainers can push tags upstream, and the tag pattern excludes
-      # shell metacharacters. Used in git commands and github-script JS, not eval.
-      - ci-release.yml:215
-      - ci-release.yml:216
-      - ci-release.yml:231
-      - ci-release.yml:237
-      - ci-release.yml:245
-      - ci-release.yml:248
   dangerous-triggers:
     ignore:
       # Both workflows use pull_request_target solely to label/comment on fork PRs

.gitignore

@@ -79,6 +79,7 @@ virtualenv
 /docker-compose.env
 /docker-compose.yml
 .ruff_cache/
+.mypy_cache/
 
 # Used for development
 scripts/import-for-development
@@ -111,4 +112,6 @@ celerybeat-schedule*
 
 # ignore pnpm package store folder created when setting up the devcontainer
 .pnpm-store/
+
+# Git worktree local folder
 .worktrees

SECURITY.md

@@ -2,8 +2,83 @@
 
 ## Reporting a Vulnerability
 
-The Paperless-ngx team and community take security bugs seriously. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.
+The Paperless-ngx team and community take security issues seriously. We appreciate good-faith reports and will make every effort to review legitimate findings responsibly.
 
 To report a security issue, please use the GitHub Security Advisory ["Report a Vulnerability"](https://github.com/paperless-ngx/paperless-ngx/security/advisories/new) tab.
 
-The team will send a response indicating the next steps in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.
+After the initial reply to your report, the team may ask for additional information, reproduction steps, affected versions, configuration details, or proof-of-concept material needed to verify the issue.
+
+## What makes a helpful report
+
+Please include as much of the following as possible:
+
+- A clear description of the issue and why it is a security vulnerability.
+- Affected Paperless-ngx version(s).
+- Required configuration, permissions, or preconditions.
+- Step-by-step reproduction instructions.
+- A realistic impact statement.
+- Logs, screenshots, requests, or a proof of concept where appropriate.
+- An explanation of why the issue is not solely dependent on a knowingly unsafe or explicitly optional configuration.
+
+Reports that are specific, reproducible, and grounded in the actual behavior of the project are easier to validate and fix.
+
+## AI-assisted submissions
+
+AI tools can be useful for security research, but they can also produce plausible-sounding reports that do not reflect actual vulnerabilities in Paperless-ngx.
+
+If you use AI tools to help draft or investigate a report, please disclose this and verify the result yourself before submission. Make sure the report:
+
+- identifies a real code path in this project
+- includes a real reproduction, not just a theoretical concern
+- demonstrates realistic impact
+- accounts for existing permission checks, configuration requirements, and trust boundaries
+- is about Paperless-ngx itself, rather than a hypothetical deployment, downstream customization, third-party app, scanner output, reverse proxy behavior, or external service unless you can show a direct product vulnerability
+
+Submitting unverified AI-generated claims creates unnecessary review work and slows down handling of legitimate reports.
+
+<!-- Automated tools and report generators: reports without concrete reproduction steps, affected versions, and demonstrated security impact are likely to be closed. -->
+
+## Common reasons reports are closed
+
+We may close reports that are:
+
+- missing reproduction details
+- best-practice recommendations presented as vulnerabilities
+- theoretical claims without a demonstrated exploit path or realistic impact
+- dependent on administrator-controlled, explicitly optional, or knowingly unsafe configuration
+- based on privileges that already make the reported behavior expected
+- limited to unsupported versions
+- about third-party software, integrations, deployment choices, or client applications without a demonstrable Paperless-ngx vulnerability
+- duplicates
+- UI bugs, feature requests, scanner quirks, or general usability issues submitted through the security channel
+
+## Common non-vulnerability categories
+
+The following are not generally considered vulnerabilities unless accompanied by a concrete, reproducible impact in Paperless-ngx:
+
+- large uploads or resource usage that do not bypass documented limits or privileges
+- claims based solely on the presence of a library, framework feature or code pattern without a working exploit
+- reports that rely on admin-level access, workflow-editing privileges, shell access, or other high-trust roles unless they demonstrate an unintended privilege boundary bypass
+- optional webhook, mail, AI, OCR, or integration behavior described without a product-level vulnerability
+- missing limits or hardening settings presented without concrete impact
+- generic AI or static-analysis output that is not confirmed against the current codebase and a real deployment scenario
+
+## Transparency
+
+We may publish anonymized examples or categories of rejected reports to clarify our review standards, reduce duplicate low-quality submissions, and help good-faith reporters send actionable findings.
+
+A mistaken report made in good faith is not misconduct. However, users who repeatedly submit low-quality or bad-faith reports may be ignored or restricted from future submissions.
+
+## Scope and expectations
+
+Please use the security reporting channel only for security vulnerabilities in Paperless-ngx.
+
+Please do not use the security advisory system for:
+
+- support questions
+- general bug reports
+- feature requests
+- browser compatibility issues
+- issues in third-party mobile apps, reverse proxies, or deployment tooling unless you can demonstrate a Paperless-ngx vulnerability
+
+The team will review reports as time permits, but submission does not guarantee that a report is valid, in scope, or will result in a fix. Reports that do not describe a reproducible product-level issue may be closed without extended back-and-forth.

docs/configuration.md

@@ -101,7 +101,7 @@ and `mariadb`.
 
 #### [`PAPERLESS_DB_OPTIONS=<options>`](#PAPERLESS_DB_OPTIONS) {#PAPERLESS_DB_OPTIONS}
 
-: Advanced database connection options as a semicolon-delimited key-value string.
+: Advanced database connection options as a comma-delimited key-value string.
 Keys and values are separated by `=`. Dot-notation produces nested option
 dictionaries; for example, `pool.max_size=20` sets
 `OPTIONS["pool"]["max_size"] = 20`.
@@ -123,18 +123,36 @@ dictionaries; for example, `pool.max_size=20` sets
         to handle all pool connections across all workers:
         `(web_workers + celery_workers) * pool.max_size + safety_margin`.
 
+    !!! note "SQLite defaults"
+
+        SQLite connections are pre-configured with WAL journal mode, optimised
+        synchronous and cache settings, and a 5-second busy timeout. These defaults
+        suit most deployments. To override `init_command`, use `;` between PRAGMAs
+        within the value and `,` between options:
+
+        ```bash
+        PAPERLESS_DB_OPTIONS="init_command=PRAGMA journal_mode=DELETE;PRAGMA synchronous=FULL,transaction_mode=DEFERRED"
+        ```
+
+    !!! note "MariaDB: READ COMMITTED isolation level"
+
+        MariaDB connections default to `READ COMMITTED` isolation level, which
+        eliminates gap locking and reduces deadlock frequency. If binary logging is
+        enabled on your MariaDB server, this requires `binlog_format=ROW` (the
+        default for most managed MariaDB instances). Statement-based replication is
+        not compatible with `READ COMMITTED`.
+
     **Examples:**
 
     ```bash title="PostgreSQL: require SSL, set a custom CA certificate, and limit the pool size"
-    PAPERLESS_DB_OPTIONS="sslmode=require;sslrootcert=/certs/ca.pem;pool.max_size=5"
+    PAPERLESS_DB_OPTIONS="sslmode=require,sslrootcert=/certs/ca.pem,pool.max_size=5"
     ```
 
     ```bash title="MariaDB: require SSL with a custom CA certificate"
-    PAPERLESS_DB_OPTIONS="ssl_mode=REQUIRED;ssl.ca=/certs/ca.pem"
+    PAPERLESS_DB_OPTIONS="ssl_mode=REQUIRED,ssl.ca=/certs/ca.pem"
     ```
 
-    ```bash title="SQLite: set a busy timeout of 30 seconds"
-    # PostgreSQL: set a connection timeout
+    ```bash title="PostgreSQL or MariaDB: set a connection timeout"
     PAPERLESS_DB_OPTIONS="connect_timeout=10"
     ```
 

docs/migration-v3.md

@@ -120,7 +120,7 @@ Users with any of the deprecated variables set should migrate to `PAPERLESS_DB_O
 Multiple options are combined in a single value:
 
 ```bash
-PAPERLESS_DB_OPTIONS="sslmode=require;sslrootcert=/certs/ca.pem;pool.max_size=10"
+PAPERLESS_DB_OPTIONS="sslmode=require,sslrootcert=/certs/ca.pem,pool.max_size=10"
 ```
 
 ## OCR and Archive File Generation Settings
@@ -241,3 +241,66 @@ For example:
   }
 }
 ```
+
+## Consume Script Positional Arguments Removed
+
+Pre- and post-consumption scripts no longer receive positional arguments. All information is
+now passed exclusively via environment variables, which have been available since earlier versions.
+
+### Pre-consumption script
+
+Previously, the original file path was passed as `$1`. It is now only available as
+`DOCUMENT_SOURCE_PATH`.
+
+**Before:**
+
+```bash
+#!/usr/bin/env bash
+# $1 was the original file path
+process_document "$1"
+```
+
+**After:**
+
+```bash
+#!/usr/bin/env bash
+process_document "${DOCUMENT_SOURCE_PATH}"
+```
+
+### Post-consumption script
+
+Previously, document metadata was passed as positional arguments `$1` through `$8`:
+
+| Argument | Environment Variable Equivalent |
+| -------- | ------------------------------- |
+| `$1`     | `DOCUMENT_ID`                   |
+| `$2`     | `DOCUMENT_FILE_NAME`            |
+| `$3`     | `DOCUMENT_SOURCE_PATH`          |
+| `$4`     | `DOCUMENT_THUMBNAIL_PATH`       |
+| `$5`     | `DOCUMENT_DOWNLOAD_URL`         |
+| `$6`     | `DOCUMENT_THUMBNAIL_URL`        |
+| `$7`     | `DOCUMENT_CORRESPONDENT`        |
+| `$8`     | `DOCUMENT_TAGS`                 |
+
+**Before:**
+
+```bash
+#!/usr/bin/env bash
+DOCUMENT_ID=$1
+CORRESPONDENT=$7
+TAGS=$8
+```
+
+**After:**
+
+```bash
+#!/usr/bin/env bash
+# Use environment variables directly
+echo "Document ${DOCUMENT_ID} from ${DOCUMENT_CORRESPONDENT} tagged: ${DOCUMENT_TAGS}"
+```
+
+### Action Required
+
+Update any pre- or post-consumption scripts that read `$1`, `$2`, etc. to use the
+corresponding environment variables instead. Environment variables have been the preferred
+option since v1.8.0.

docs/usage.md

@@ -398,25 +398,27 @@ Global permissions define what areas of the app and API endpoints users can acce
 determine if a user can create, edit, delete or view _any_ documents, but individual documents themselves
 still have "object-level" permissions.
 
-| Type          | Details                                                                                                                                                                                                                         |
-| ------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| AppConfig     | _Change_ or higher permissions grants access to the "Application Configuration" area.                                                                                                                                           |
-| Correspondent | Add, edit, delete or view Correspondents.                                                                                                                                                                                       |
-| CustomField   | Add, edit, delete or view Custom Fields.                                                                                                                                                                                        |
-| Document      | Add, edit, delete or view Documents.                                                                                                                                                                                            |
-| DocumentType  | Add, edit, delete or view Document Types.                                                                                                                                                                                       |
-| Group         | Add, edit, delete or view Groups.                                                                                                                                                                                               |
-| MailAccount   | Add, edit, delete or view Mail Accounts.                                                                                                                                                                                        |
-| MailRule      | Add, edit, delete or view Mail Rules.                                                                                                                                                                                           |
-| Note          | Add, edit, delete or view Notes.                                                                                                                                                                                                |
-| PaperlessTask | View or dismiss (_Change_) File Tasks.                                                                                                                                                                                          |
-| SavedView     | Add, edit, delete or view Saved Views.                                                                                                                                                                                          |
-| ShareLink     | Add, delete or view Share Links.                                                                                                                                                                                                |
-| StoragePath   | Add, edit, delete or view Storage Paths.                                                                                                                                                                                        |
-| Tag           | Add, edit, delete or view Tags.                                                                                                                                                                                                 |
-| UISettings    | Add, edit, delete or view the UI settings that are used by the web app.<br/>:warning: **Users that will access the web UI must be granted at least _View_ permissions.**                                                        |
-| User          | Add, edit, delete or view Users.                                                                                                                                                                                                |
-| Workflow      | Add, edit, delete or view Workflows.<br/>Note that Workflows are global; all users who can access workflows see the same set. Workflows have other permission implications — see [Workflow permissions](#workflow-permissions). |
+| Type             | Details                                                                                                                                                                                                                         |
+| ---------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| AppConfig        | _Change_ or higher permissions grants access to the "Application Configuration" area.                                                                                                                                           |
+| Correspondent    | Add, edit, delete or view Correspondents.                                                                                                                                                                                       |
+| CustomField      | Add, edit, delete or view Custom Fields.                                                                                                                                                                                        |
+| Document         | Add, edit, delete or view Documents.                                                                                                                                                                                            |
+| DocumentType     | Add, edit, delete or view Document Types.                                                                                                                                                                                       |
+| Group            | Add, edit, delete or view Groups.                                                                                                                                                                                               |
+| GlobalStatistics | View aggregate object counts and statistics. This does not grant access to view individual documents.                                                                                                                           |
+| MailAccount      | Add, edit, delete or view Mail Accounts.                                                                                                                                                                                        |
+| MailRule         | Add, edit, delete or view Mail Rules.                                                                                                                                                                                           |
+| Note             | Add, edit, delete or view Notes.                                                                                                                                                                                                |
+| PaperlessTask    | View or dismiss (_Change_) File Tasks.                                                                                                                                                                                          |
+| SavedView        | Add, edit, delete or view Saved Views.                                                                                                                                                                                          |
+| ShareLink        | Add, delete or view Share Links.                                                                                                                                                                                                |
+| StoragePath      | Add, edit, delete or view Storage Paths.                                                                                                                                                                                        |
+| SystemStatus     | View the system status dialog and corresponding API endpoint. Admin users also retain system status access.                                                                                                                     |
+| Tag              | Add, edit, delete or view Tags.                                                                                                                                                                                                 |
+| UISettings       | Add, edit, delete or view the UI settings that are used by the web app.<br/>:warning: **Users that will access the web UI must be granted at least _View_ permissions.**                                                        |
+| User             | Add, edit, delete or view Users.                                                                                                                                                                                                |
+| Workflow         | Add, edit, delete or view Workflows.<br/>Note that Workflows are global; all users who can access workflows see the same set. Workflows have other permission implications — see [Workflow permissions](#workflow-permissions). |
 
 #### Detailed Explanation of Object Permissions {#object-permissions}
 

pyproject.toml

@@ -24,7 +24,7 @@ dependencies = [
   "dateparser~=1.2",
   # WARNING: django does not use semver.
   #          Only patch versions are guaranteed to not introduce breaking changes.
-  "django~=5.2.10",
+  "django~=5.2.13",
   "django-allauth[mfa,socialaccount]~=65.15.0",
   "django-auditlog~=3.4.1",
   "django-cachalot~=2.9.0",
@@ -41,7 +41,7 @@ dependencies = [
   "djangorestframework~=3.16",
   "djangorestframework-guardian~=0.4.0",
   "drf-spectacular~=0.28",
-  "drf-spectacular-sidecar~=2026.3.1",
+  "drf-spectacular-sidecar~=2026.4.1",
   "drf-writable-nested~=0.7.1",
   "faiss-cpu>=1.10",
   "filelock~=3.25.2",
@@ -76,7 +76,7 @@ dependencies = [
   "setproctitle~=1.3.4",
   "tantivy>=0.25.1",
   "tika-client~=0.11.0",
-  "torch~=2.10.0",
+  "torch~=2.11.0",
   "watchfiles>=1.1.1",
   "whitenoise~=6.11",
   "zxing-cpp~=3.0.0",
@@ -111,12 +111,12 @@ lint = [
 testing = [
   "daphne",
   "factory-boy~=3.3.1",
-  "faker~=40.8.0",
+  "faker~=40.12.0",
   "imagehash",
-  "pytest~=9.0.0",
-  "pytest-cov~=7.0.0",
+  "pytest~=9.0.3",
+  "pytest-cov~=7.1.0",
   "pytest-django~=4.12.0",
-  "pytest-env~=1.5.0",
+  "pytest-env~=1.6.0",
   "pytest-httpx",
   "pytest-mock~=3.15.1",
   # "pytest-randomly~=4.0.1",

src-ui/messages.xlf

@@ -316,11 +316,11 @@
         </context-group>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">193</context>
+          <context context-type="linenumber">195</context>
         </context-group>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">197</context>
+          <context context-type="linenumber">199</context>
         </context-group>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/app-frame/app-frame.component.html</context>
@@ -518,7 +518,7 @@
         </context-group>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">136</context>
+          <context context-type="linenumber">138</context>
         </context-group>
       </trans-unit>
       <trans-unit id="2180291763949669799" datatype="html">
@@ -540,7 +540,7 @@
         </context-group>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">399</context>
+          <context context-type="linenumber">401</context>
         </context-group>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/common/confirm-dialog/confirm-dialog.component.ts</context>
@@ -615,7 +615,7 @@
         </context-group>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">400</context>
+          <context context-type="linenumber">402</context>
         </context-group>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/common/edit-dialog/correspondent-edit-dialog/correspondent-edit-dialog.component.html</context>
@@ -922,126 +922,126 @@
         <source>Open Django Admin</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">30</context>
+          <context context-type="linenumber">32</context>
         </context-group>
       </trans-unit>
       <trans-unit id="6439365426343089851" datatype="html">
         <source>General</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">40</context>
+          <context context-type="linenumber">42</context>
         </context-group>
       </trans-unit>
       <trans-unit id="8671234314555525900" datatype="html">
         <source>Appearance</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">44</context>
+          <context context-type="linenumber">46</context>
         </context-group>
       </trans-unit>
       <trans-unit id="3777637051272512093" datatype="html">
         <source>Display language</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">47</context>
+          <context context-type="linenumber">49</context>
         </context-group>
       </trans-unit>
       <trans-unit id="53523152145406584" datatype="html">
         <source>You need to reload the page after applying a new language.</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">60</context>
+          <context context-type="linenumber">62</context>
         </context-group>
       </trans-unit>
       <trans-unit id="3766032098416558788" datatype="html">
         <source>Date display</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">68</context>
+          <context context-type="linenumber">70</context>
         </context-group>
       </trans-unit>
       <trans-unit id="3733378544613473393" datatype="html">
         <source>Date format</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">85</context>
+          <context context-type="linenumber">87</context>
         </context-group>
       </trans-unit>
       <trans-unit id="3407788781115661841" datatype="html">
         <source>Short: <x id="INTERPOLATION" equiv-text="{{today | customDate:&apos;shortDate&apos;:null:computedDateLocale}}"/></source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">91,92</context>
+          <context context-type="linenumber">93,94</context>
         </context-group>
       </trans-unit>
       <trans-unit id="6290748171049664628" datatype="html">
         <source>Medium: <x id="INTERPOLATION" equiv-text="{{today | customDate:&apos;mediumDate&apos;:null:computedDateLocale}}"/></source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">95,96</context>
+          <context context-type="linenumber">97,98</context>
         </context-group>
       </trans-unit>
       <trans-unit id="7189855711197998347" datatype="html">
         <source>Long: <x id="INTERPOLATION" equiv-text="{{today | customDate:&apos;longDate&apos;:null:computedDateLocale}}"/></source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">99,100</context>
+          <context context-type="linenumber">101,102</context>
         </context-group>
       </trans-unit>
       <trans-unit id="3982403428275430291" datatype="html">
         <source>Sidebar</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">107</context>
+          <context context-type="linenumber">109</context>
         </context-group>
       </trans-unit>
       <trans-unit id="4608457133854405683" datatype="html">
         <source>Use &apos;slim&apos; sidebar (icons only)</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">111</context>
+          <context context-type="linenumber">113</context>
         </context-group>
       </trans-unit>
       <trans-unit id="1356890996281769972" datatype="html">
         <source>Dark mode</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">118</context>
+          <context context-type="linenumber">120</context>
         </context-group>
       </trans-unit>
       <trans-unit id="4913823100518391922" datatype="html">
         <source>Use system settings</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">121</context>
+          <context context-type="linenumber">123</context>
         </context-group>
       </trans-unit>
       <trans-unit id="5782828784040423650" datatype="html">
         <source>Enable dark mode</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">122</context>
+          <context context-type="linenumber">124</context>
         </context-group>
       </trans-unit>
       <trans-unit id="6336642923114460405" datatype="html">
         <source>Invert thumbnails in dark mode</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">123</context>
+          <context context-type="linenumber">125</context>
         </context-group>
       </trans-unit>
       <trans-unit id="7983234071833154796" datatype="html">
         <source>Theme Color</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">129</context>
+          <context context-type="linenumber">131</context>
         </context-group>
       </trans-unit>
       <trans-unit id="6760166989231109310" datatype="html">
         <source>Global search</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">142</context>
+          <context context-type="linenumber">144</context>
         </context-group>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/app-frame/global-search/global-search.component.ts</context>
@@ -1052,28 +1052,28 @@
         <source>Do not include advanced search results</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">145</context>
+          <context context-type="linenumber">147</context>
         </context-group>
       </trans-unit>
       <trans-unit id="3969258421469113318" datatype="html">
         <source>Full search links to</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">151</context>
+          <context context-type="linenumber">153</context>
         </context-group>
       </trans-unit>
       <trans-unit id="6631288852577115923" datatype="html">
         <source>Title and content search</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">155</context>
+          <context context-type="linenumber">157</context>
         </context-group>
       </trans-unit>
       <trans-unit id="1010505078885609376" datatype="html">
         <source>Advanced search</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">156</context>
+          <context context-type="linenumber">158</context>
         </context-group>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/app-frame/global-search/global-search.component.html</context>
@@ -1088,21 +1088,21 @@
         <source>Update checking</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">161</context>
+          <context context-type="linenumber">163</context>
         </context-group>
       </trans-unit>
       <trans-unit id="5070799004079086984" datatype="html">
         <source>Enable update checking</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">164</context>
+          <context context-type="linenumber">166</context>
         </context-group>
       </trans-unit>
       <trans-unit id="5752465522295465624" datatype="html">
         <source>What&apos;s this?</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">165</context>
+          <context context-type="linenumber">167</context>
         </context-group>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/common/page-header/page-header.component.html</context>
@@ -1121,21 +1121,21 @@
         <source> Update checking works by pinging the public GitHub API for the latest release to determine whether a new version is available. Actual updating of the app must still be performed manually. </source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">169,171</context>
+          <context context-type="linenumber">171,173</context>
         </context-group>
       </trans-unit>
       <trans-unit id="8416061320800650487" datatype="html">
         <source>No tracking data is collected by the app in any way.</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">173</context>
+          <context context-type="linenumber">175</context>
         </context-group>
       </trans-unit>
       <trans-unit id="5775451530782446954" datatype="html">
         <source>Saved Views</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">179</context>
+          <context context-type="linenumber">181</context>
         </context-group>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/app-frame/app-frame.component.html</context>
@@ -1154,126 +1154,126 @@
         <source>Show warning when closing saved views with unsaved changes</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">182</context>
+          <context context-type="linenumber">184</context>
         </context-group>
       </trans-unit>
       <trans-unit id="4975481913502931184" datatype="html">
         <source>Show document counts in sidebar saved views</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">183</context>
+          <context context-type="linenumber">185</context>
         </context-group>
       </trans-unit>
       <trans-unit id="8939587804990976924" datatype="html">
         <source>Items per page</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">200</context>
+          <context context-type="linenumber">202</context>
         </context-group>
       </trans-unit>
       <trans-unit id="908152367861642592" datatype="html">
         <source>Document editing</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">212</context>
+          <context context-type="linenumber">214</context>
         </context-group>
       </trans-unit>
       <trans-unit id="6708098108196142028" datatype="html">
         <source>Use PDF viewer provided by the browser</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">215</context>
+          <context context-type="linenumber">217</context>
         </context-group>
       </trans-unit>
       <trans-unit id="9003921625412907981" datatype="html">
         <source>This is usually faster for displaying large PDF documents, but it might not work on some browsers.</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">215</context>
+          <context context-type="linenumber">217</context>
         </context-group>
       </trans-unit>
       <trans-unit id="2678648946508279627" datatype="html">
         <source>Default zoom</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">221</context>
+          <context context-type="linenumber">223</context>
         </context-group>
       </trans-unit>
       <trans-unit id="2222784219255971268" datatype="html">
         <source>Fit width</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">225</context>
+          <context context-type="linenumber">227</context>
         </context-group>
       </trans-unit>
       <trans-unit id="8409221133589393872" datatype="html">
         <source>Fit page</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">226</context>
+          <context context-type="linenumber">228</context>
         </context-group>
       </trans-unit>
       <trans-unit id="7019985100624067992" datatype="html">
         <source>Only applies to the Paperless-ngx PDF viewer.</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">228</context>
+          <context context-type="linenumber">230</context>
         </context-group>
       </trans-unit>
       <trans-unit id="2959590948110714366" datatype="html">
         <source>Automatically remove inbox tag(s) on save</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">234</context>
+          <context context-type="linenumber">236</context>
         </context-group>
       </trans-unit>
       <trans-unit id="8793267604636304297" datatype="html">
         <source>Show document thumbnail during loading</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">240</context>
+          <context context-type="linenumber">242</context>
         </context-group>
       </trans-unit>
       <trans-unit id="1783600598811723080" datatype="html">
         <source>Built-in fields to show:</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">246</context>
+          <context context-type="linenumber">248</context>
         </context-group>
       </trans-unit>
       <trans-unit id="3467966318201103991" datatype="html">
         <source>Uncheck fields to hide them on the document details page.</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">258</context>
+          <context context-type="linenumber">260</context>
         </context-group>
       </trans-unit>
       <trans-unit id="8508424367627989968" datatype="html">
         <source>Bulk editing</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">264</context>
+          <context context-type="linenumber">266</context>
         </context-group>
       </trans-unit>
       <trans-unit id="8158899674926420054" datatype="html">
         <source>Show confirmation dialogs</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">267</context>
+          <context context-type="linenumber">269</context>
         </context-group>
       </trans-unit>
       <trans-unit id="290238406234356122" datatype="html">
         <source>Apply on close</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">268</context>
+          <context context-type="linenumber">270</context>
         </context-group>
       </trans-unit>
       <trans-unit id="5084275925647254161" datatype="html">
         <source>PDF Editor</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">272</context>
+          <context context-type="linenumber">274</context>
         </context-group>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/document-detail/document-detail.component.html</context>
@@ -1288,14 +1288,14 @@
         <source>Default editing mode</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">275</context>
+          <context context-type="linenumber">277</context>
         </context-group>
       </trans-unit>
       <trans-unit id="7273640930165035289" datatype="html">
         <source>Create new document(s)</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">279</context>
+          <context context-type="linenumber">281</context>
         </context-group>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/common/pdf-editor/pdf-editor.component.html</context>
@@ -1306,7 +1306,7 @@
         <source>Add document version</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">280</context>
+          <context context-type="linenumber">282</context>
         </context-group>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/common/pdf-editor/pdf-editor.component.html</context>
@@ -1317,7 +1317,7 @@
         <source>Notes</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">285</context>
+          <context context-type="linenumber">287</context>
         </context-group>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/document-list/document-list.component.html</context>
@@ -1336,14 +1336,14 @@
         <source>Enable notes</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">288</context>
+          <context context-type="linenumber">290</context>
         </context-group>
       </trans-unit>
       <trans-unit id="7314814725704332646" datatype="html">
         <source>Permissions</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">297</context>
+          <context context-type="linenumber">299</context>
         </context-group>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/common/edit-dialog/group-edit-dialog/group-edit-dialog.component.html</context>
@@ -1394,28 +1394,28 @@
         <source>Default Permissions</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">300</context>
+          <context context-type="linenumber">302</context>
         </context-group>
       </trans-unit>
       <trans-unit id="6544153565064275581" datatype="html">
         <source> Settings apply to this user account for objects (Tags, Mail Rules, etc. but not documents) created via the web UI. </source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">304,306</context>
+          <context context-type="linenumber">306,308</context>
         </context-group>
       </trans-unit>
       <trans-unit id="4292903881380648974" datatype="html">
         <source>Default Owner</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">311</context>
+          <context context-type="linenumber">313</context>
         </context-group>
       </trans-unit>
       <trans-unit id="734147282056744882" datatype="html">
         <source>Objects without an owner can be viewed and edited by all users</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">315</context>
+          <context context-type="linenumber">317</context>
         </context-group>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/common/input/permissions/permissions-form/permissions-form.component.html</context>
@@ -1426,18 +1426,18 @@
         <source>Default View Permissions</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">320</context>
+          <context context-type="linenumber">322</context>
         </context-group>
       </trans-unit>
       <trans-unit id="2191775412581217688" datatype="html">
         <source>Users:</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">325</context>
+          <context context-type="linenumber">327</context>
         </context-group>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">352</context>
+          <context context-type="linenumber">354</context>
         </context-group>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/common/edit-dialog/workflow-edit-dialog/workflow-edit-dialog.component.html</context>
@@ -1468,11 +1468,11 @@
         <source>Groups:</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">335</context>
+          <context context-type="linenumber">337</context>
         </context-group>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">362</context>
+          <context context-type="linenumber">364</context>
         </context-group>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/common/edit-dialog/workflow-edit-dialog/workflow-edit-dialog.component.html</context>
@@ -1503,14 +1503,14 @@
         <source>Default Edit Permissions</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">347</context>
+          <context context-type="linenumber">349</context>
         </context-group>
       </trans-unit>
       <trans-unit id="3728984448750213892" datatype="html">
         <source>Edit permissions also grant viewing permissions</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">371</context>
+          <context context-type="linenumber">373</context>
         </context-group>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/common/edit-dialog/workflow-edit-dialog/workflow-edit-dialog.component.html</context>
@@ -1529,7 +1529,7 @@
         <source>Notifications</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">379</context>
+          <context context-type="linenumber">381</context>
         </context-group>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/app-frame/toasts-dropdown/toasts-dropdown.component.html</context>
@@ -1540,42 +1540,42 @@
         <source>Document processing</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">382</context>
+          <context context-type="linenumber">384</context>
         </context-group>
       </trans-unit>
       <trans-unit id="3656786776644872398" datatype="html">
         <source>Show notifications when new documents are detected</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">386</context>
+          <context context-type="linenumber">388</context>
         </context-group>
       </trans-unit>
       <trans-unit id="6057053428592387613" datatype="html">
         <source>Show notifications when document processing completes successfully</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">387</context>
+          <context context-type="linenumber">389</context>
         </context-group>
       </trans-unit>
       <trans-unit id="370315664367425513" datatype="html">
         <source>Show notifications when document processing fails</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">388</context>
+          <context context-type="linenumber">390</context>
         </context-group>
       </trans-unit>
       <trans-unit id="6838309441164918531" datatype="html">
         <source>Suppress notifications on dashboard</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">389</context>
+          <context context-type="linenumber">391</context>
         </context-group>
       </trans-unit>
       <trans-unit id="2741919327232918179" datatype="html">
         <source>This will suppress all messages about document processing status on the dashboard.</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">389</context>
+          <context context-type="linenumber">391</context>
         </context-group>
       </trans-unit>
       <trans-unit id="6839066544204061364" datatype="html">
@@ -4800,8 +4800,8 @@
           <context context-type="linenumber">26</context>
         </context-group>
       </trans-unit>
-      <trans-unit id="8563400529811056364" datatype="html">
-        <source>Access logs, Django backend</source>
+      <trans-unit id="5409927574404161431" datatype="html">
+        <source>Access system status, logs, Django backend</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/common/edit-dialog/user-edit-dialog/user-edit-dialog.component.html</context>
           <context context-type="linenumber">26</context>
@@ -4814,8 +4814,8 @@
           <context context-type="linenumber">30</context>
         </context-group>
       </trans-unit>
-      <trans-unit id="1403759966357927756" datatype="html">
-        <source>(Grants all permissions and can view objects)</source>
+      <trans-unit id="5622335314381948156" datatype="html">
+        <source>Grants all permissions and can view all objects</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/common/edit-dialog/user-edit-dialog/user-edit-dialog.component.html</context>
           <context context-type="linenumber">30</context>
@@ -6198,7 +6198,7 @@
         <source>Inherited from group</source>
         <context-group purpose="location">
           <context context-type="sourcefile">src/app/components/common/permissions-select/permissions-select.component.ts</context>
-          <context context-type="linenumber">78</context>
+          <context context-type="linenumber">85</context>
         </context-group>
       </trans-unit>
       <trans-unit id="6418218602775540217" datatype="html">

src-ui/package.json

@@ -21,7 +21,7 @@
     "@angular/platform-browser-dynamic": "~21.2.6",
     "@angular/router": "~21.2.6",
     "@ng-bootstrap/ng-bootstrap": "^20.0.0",
-    "@ng-select/ng-select": "^21.5.2",
+    "@ng-select/ng-select": "^21.7.0",
     "@ngneat/dirty-check-forms": "^3.0.3",
     "@popperjs/core": "^2.11.8",
     "bootstrap": "^5.3.8",
@@ -32,7 +32,7 @@
     "ngx-cookie-service": "^21.3.1",
     "ngx-device-detector": "^11.0.0",
     "ngx-ui-tour-ng-bootstrap": "^18.0.0",
-    "pdfjs-dist": "^5.4.624",
+    "pdfjs-dist": "^5.6.205",
     "rxjs": "^7.8.2",
     "tslib": "^2.8.1",
     "utif": "^3.1.0",
@@ -42,28 +42,28 @@
   "devDependencies": {
     "@angular-builders/custom-webpack": "^21.0.3",
     "@angular-builders/jest": "^21.0.3",
-    "@angular-devkit/core": "^21.2.3",
-    "@angular-devkit/schematics": "^21.2.3",
+    "@angular-devkit/core": "^21.2.6",
+    "@angular-devkit/schematics": "^21.2.6",
     "@angular-eslint/builder": "21.3.1",
     "@angular-eslint/eslint-plugin": "21.3.1",
     "@angular-eslint/eslint-plugin-template": "21.3.1",
     "@angular-eslint/schematics": "21.3.1",
     "@angular-eslint/template-parser": "21.3.1",
-    "@angular/build": "^21.2.3",
-    "@angular/cli": "~21.2.3",
+    "@angular/build": "^21.2.6",
+    "@angular/cli": "~21.2.6",
     "@angular/compiler-cli": "~21.2.6",
     "@codecov/webpack-plugin": "^1.9.1",
-    "@playwright/test": "^1.58.2",
+    "@playwright/test": "^1.59.0",
     "@types/jest": "^30.0.0",
     "@types/node": "^25.5.0",
-    "@typescript-eslint/eslint-plugin": "^8.57.2",
-    "@typescript-eslint/parser": "^8.57.2",
-    "@typescript-eslint/utils": "^8.57.2",
+    "@typescript-eslint/eslint-plugin": "^8.58.0",
+    "@typescript-eslint/parser": "^8.58.0",
+    "@typescript-eslint/utils": "^8.58.0",
     "eslint": "^10.1.0",
     "jest": "30.3.0",
     "jest-environment-jsdom": "^30.3.0",
     "jest-junit": "^16.0.0",
-    "jest-preset-angular": "^16.1.1",
+    "jest-preset-angular": "^16.1.2",
     "jest-websocket-mock": "^2.5.0",
     "prettier-plugin-organize-imports": "^4.3.0",
     "ts-node": "~10.9.1",

src-ui/src/app/components/admin/settings/settings.component.html

@@ -7,7 +7,7 @@
   <button class="btn btn-sm btn-outline-primary" (click)="tourService.start()">
     <i-bs class="me-2" name="airplane"></i-bs><ng-container i18n>Start tour</ng-container>
   </button>
-  @if (permissionsService.isAdmin()) {
+  @if (canViewSystemStatus) {
     <button class="btn btn-sm btn-outline-primary position-relative ms-md-5 me-1" (click)="showSystemStatus()"
       [disabled]="!systemStatus">
       @if (!systemStatus) {
@@ -26,6 +26,8 @@
       }
       <ng-container i18n>System Status</ng-container>
     </button>
+  }
+  @if (permissionsService.isAdmin()) {
     <a class="btn btn-sm btn-primary" href="admin/" target="_blank">
       <ng-container i18n>Open Django Admin</ng-container>
       <i-bs class="ms-2" name="arrow-up-right"></i-bs>

src-ui/src/app/components/admin/settings/settings.component.spec.ts

@@ -29,7 +29,11 @@ import { IfOwnerDirective } from 'src/app/directives/if-owner.directive'
 import { IfPermissionsDirective } from 'src/app/directives/if-permissions.directive'
 import { PermissionsGuard } from 'src/app/guards/permissions.guard'
 import { CustomDatePipe } from 'src/app/pipes/custom-date.pipe'
-import { PermissionsService } from 'src/app/services/permissions.service'
+import {
+  PermissionAction,
+  PermissionType,
+  PermissionsService,
+} from 'src/app/services/permissions.service'
 import { GroupService } from 'src/app/services/rest/group.service'
 import { SavedViewService } from 'src/app/services/rest/saved-view.service'
 import { UserService } from 'src/app/services/rest/user.service'
@@ -328,7 +332,13 @@ describe('SettingsComponent', () => {
 
   it('should load system status on initialize, show errors if needed', () => {
     jest.spyOn(systemStatusService, 'get').mockReturnValue(of(status))
-    jest.spyOn(permissionsService, 'isAdmin').mockReturnValue(true)
+    jest
+      .spyOn(permissionsService, 'currentUserCan')
+      .mockImplementation(
+        (action, type) =>
+          action === PermissionAction.View &&
+          type === PermissionType.SystemStatus
+      )
     completeSetup()
     expect(component['systemStatus']).toEqual(status) // private
     expect(component.systemStatusHasErrors).toBeTruthy()
@@ -344,7 +354,13 @@ describe('SettingsComponent', () => {
   it('should open system status dialog', () => {
     const modalOpenSpy = jest.spyOn(modalService, 'open')
     jest.spyOn(systemStatusService, 'get').mockReturnValue(of(status))
-    jest.spyOn(permissionsService, 'isAdmin').mockReturnValue(true)
+    jest
+      .spyOn(permissionsService, 'currentUserCan')
+      .mockImplementation(
+        (action, type) =>
+          action === PermissionAction.View &&
+          type === PermissionType.SystemStatus
+      )
     completeSetup()
     component.showSystemStatus()
     expect(modalOpenSpy).toHaveBeenCalledWith(SystemStatusDialogComponent, {

src-ui/src/app/components/admin/settings/settings.component.ts

@@ -429,7 +429,7 @@ export class SettingsComponent
       this.settingsForm.patchValue(currentFormValue)
     }
 
-    if (this.permissionsService.isAdmin()) {
+    if (this.canViewSystemStatus) {
       this.systemStatusService.get().subscribe((status) => {
         this.systemStatus = status
       })
@@ -647,6 +647,16 @@ export class SettingsComponent
       .setValue(Array.from(hiddenFields))
   }
 
+  public get canViewSystemStatus(): boolean {
+    return (
+      this.permissionsService.isAdmin() ||
+      this.permissionsService.currentUserCan(
+        PermissionAction.View,
+        PermissionType.SystemStatus
+      )
+    )
+  }
+
   showSystemStatus() {
     const modal: NgbModalRef = this.modalService.open(
       SystemStatusDialogComponent,

src-ui/src/app/components/common/edit-dialog/user-edit-dialog/user-edit-dialog.component.html

@@ -23,11 +23,11 @@
             </div>
             <div class="form-check form-switch form-check-inline">
               <input type="checkbox" class="form-check-input" id="is_staff" formControlName="is_staff">
-              <label class="form-check-label" for="is_staff"><ng-container i18n>Admin</ng-container> <small class="form-text text-muted ms-1" i18n>Access logs, Django backend</small></label>
+              <label class="form-check-label" for="is_staff"><ng-container i18n>Admin</ng-container> <small class="form-text text-muted ms-1" i18n>Access system status, logs, Django backend</small></label>
             </div>
             <div class="form-check form-switch form-check-inline">
               <input type="checkbox" class="form-check-input" id="is_superuser" formControlName="is_superuser" (change)="onToggleSuperUser()">
-              <label class="form-check-label" for="is_superuser"><ng-container i18n>Superuser</ng-container> <small class="form-text text-muted ms-1" i18n>(Grants all permissions and can view objects)</small></label>
+              <label class="form-check-label" for="is_superuser"><ng-container i18n>Superuser</ng-container> <small class="form-text text-muted ms-1" i18n>Grants all permissions and can view all objects</small></label>
             </div>
           </div>
 

src-ui/src/app/components/common/permissions-select/permissions-select.component.html

@@ -26,8 +26,8 @@
           <input type="checkbox" class="form-check-input" id="{{type}}_all" (change)="toggleAll($event, type)" [checked]="typesWithAllActions.has(type) || isInherited(type)" [attr.disabled]="disabled || isInherited(type) ? true : null">
           <label class="form-check-label visually-hidden" for="{{type}}_all" i18n>All</label>
         </div>
-        @for (action of PermissionAction | keyvalue; track action) {
-          <div class="col form-check form-check-inline" [ngbPopover]="inheritedWarning" [disablePopover]="!isInherited(type, action.key)" placement="left" triggers="mouseenter:mouseleave">
+        @for (action of PermissionAction | keyvalue: sortActions; track action.key) {
+          <div class="col form-check form-check-inline" [class.invisible]="!isActionSupported(PermissionType[type], action.value)" [ngbPopover]="inheritedWarning" [disablePopover]="!isInherited(type, action.key)" placement="left" triggers="mouseenter:mouseleave">
             <input type="checkbox" class="form-check-input" id="{{type}}_{{action.key}}" formControlName="{{action.key}}">
             <label class="form-check-label visually-hidden" for="{{type}}_{{action.key}}">{{action.key}}</label>
           </div>

src-ui/src/app/components/common/permissions-select/permissions-select.component.spec.ts

@@ -26,7 +26,6 @@ const inheritedPermissions = ['change_tag', 'view_documenttype']
 describe('PermissionsSelectComponent', () => {
   let component: PermissionsSelectComponent
   let fixture: ComponentFixture<PermissionsSelectComponent>
-  let permissionsChangeResult: Permissions
   let settingsService: SettingsService
 
   beforeEach(async () => {
@@ -45,7 +44,7 @@ describe('PermissionsSelectComponent', () => {
     fixture = TestBed.createComponent(PermissionsSelectComponent)
     fixture.debugElement.injector.get(NG_VALUE_ACCESSOR)
     component = fixture.componentInstance
-    component.registerOnChange((r) => (permissionsChangeResult = r))
+    component.registerOnChange((r) => r)
     fixture.detectChanges()
   })
 
@@ -75,7 +74,6 @@ describe('PermissionsSelectComponent', () => {
   it('should update on permissions set', () => {
     component.ngOnInit()
     component.writeValue(permissions)
-    expect(permissionsChangeResult).toEqual(permissions)
     expect(component.typesWithAllActions).toContain('Document')
   })
 
@@ -92,13 +90,12 @@ describe('PermissionsSelectComponent', () => {
   it('disable checkboxes when permissions are inherited', () => {
     component.ngOnInit()
     component.inheritedPermissions = inheritedPermissions
+    fixture.detectChanges()
     expect(component.isInherited('Document', 'Add')).toBeFalsy()
     expect(component.isInherited('Document')).toBeFalsy()
     expect(component.isInherited('Tag', 'Change')).toBeTruthy()
-    const input1 = fixture.debugElement.query(By.css('input#Document_Add'))
-    expect(input1.nativeElement.disabled).toBeFalsy()
-    const input2 = fixture.debugElement.query(By.css('input#Tag_Change'))
-    expect(input2.nativeElement.disabled).toBeTruthy()
+    expect(component.form.get('Document').get('Add').disabled).toBeFalsy()
+    expect(component.form.get('Tag').get('Change').disabled).toBeTruthy()
   })
 
   it('should exclude history permissions if disabled', () => {
@@ -107,4 +104,60 @@ describe('PermissionsSelectComponent', () => {
     component = fixture.componentInstance
     expect(component.allowedTypes).not.toContain('History')
   })
+
+  it('should treat global statistics as view-only', () => {
+    component.ngOnInit()
+    fixture.detectChanges()
+
+    expect(
+      component.isActionSupported(
+        PermissionType.GlobalStatistics,
+        PermissionAction.View
+      )
+    ).toBeTruthy()
+    expect(
+      component.isActionSupported(
+        PermissionType.GlobalStatistics,
+        PermissionAction.Add
+      )
+    ).toBeFalsy()
+
+    const addInput = fixture.debugElement.query(
+      By.css('input#GlobalStatistics_Add')
+    )
+    const viewInput = fixture.debugElement.query(
+      By.css('input#GlobalStatistics_View')
+    )
+
+    expect(addInput.nativeElement.disabled).toBeTruthy()
+    expect(viewInput.nativeElement.disabled).toBeFalsy()
+  })
+
+  it('should treat system status as view-only', () => {
+    component.ngOnInit()
+    fixture.detectChanges()
+
+    expect(
+      component.isActionSupported(
+        PermissionType.SystemStatus,
+        PermissionAction.View
+      )
+    ).toBeTruthy()
+    expect(
+      component.isActionSupported(
+        PermissionType.SystemStatus,
+        PermissionAction.Change
+      )
+    ).toBeFalsy()
+
+    const changeInput = fixture.debugElement.query(
+      By.css('input#SystemStatus_Change')
+    )
+    const viewInput = fixture.debugElement.query(
+      By.css('input#SystemStatus_View')
+    )
+
+    expect(changeInput.nativeElement.disabled).toBeTruthy()
+    expect(viewInput.nativeElement.disabled).toBeFalsy()
+  })
 })

src-ui/src/app/components/common/permissions-select/permissions-select.component.ts

@@ -1,4 +1,4 @@
-import { KeyValuePipe } from '@angular/common'
+import { KeyValue, KeyValuePipe } from '@angular/common'
 import { Component, forwardRef, inject, Input, OnInit } from '@angular/core'
 import {
   AbstractControl,
@@ -58,6 +58,13 @@ export class PermissionsSelectComponent
 
   typesWithAllActions: Set<string> = new Set()
 
+  private readonly actionOrder = [
+    PermissionAction.Add,
+    PermissionAction.Change,
+    PermissionAction.Delete,
+    PermissionAction.View,
+  ]
+
   _inheritedPermissions: string[] = []
 
   @Input()
@@ -86,7 +93,7 @@ export class PermissionsSelectComponent
     }
     this.allowedTypes.forEach((type) => {
       const control = new FormGroup({})
-      for (const action in PermissionAction) {
+      for (const action of Object.keys(PermissionAction)) {
         control.addControl(action, new FormControl(null))
       }
       this.form.addControl(type, control)
@@ -106,18 +113,14 @@ export class PermissionsSelectComponent
         this.permissionsService.getPermissionKeys(permissionStr)
 
       if (actionKey && typeKey) {
-        if (this.form.get(typeKey)?.get(actionKey)) {
-          this.form
-            .get(typeKey)
-            .get(actionKey)
-            .patchValue(true, { emitEvent: false })
-        }
+        this.form
+          .get(typeKey)
+          ?.get(actionKey)
+          ?.patchValue(true, { emitEvent: false })
       }
     })
     this.allowedTypes.forEach((type) => {
-      if (
-        Object.values(this.form.get(type).value).every((val) => val == true)
-      ) {
+      if (this.typeHasAllActionsSelected(type)) {
         this.typesWithAllActions.add(type)
       } else {
         this.typesWithAllActions.delete(type)
@@ -149,12 +152,16 @@ export class PermissionsSelectComponent
     this.form.valueChanges.subscribe((newValue) => {
       let permissions = []
       Object.entries(newValue).forEach(([typeKey, typeValue]) => {
-        // e.g. [Document, { Add: true, View: true ... }]
         const selectedActions = Object.entries(typeValue).filter(
-          ([actionKey, actionValue]) => actionValue == true
+          ([actionKey, actionValue]) =>
+            actionValue &&
+            this.isActionSupported(
+              PermissionType[typeKey],
+              PermissionAction[actionKey]
+            )
         )
 
-        selectedActions.forEach(([actionKey, actionValue]) => {
+        selectedActions.forEach(([actionKey]) => {
           permissions.push(
             (PermissionType[typeKey] as string).replace(
               '%s',
@@ -163,7 +170,7 @@ export class PermissionsSelectComponent
           )
         })
 
-        if (selectedActions.length == Object.entries(typeValue).length) {
+        if (this.typeHasAllActionsSelected(typeKey)) {
           this.typesWithAllActions.add(typeKey)
         } else {
           this.typesWithAllActions.delete(typeKey)
@@ -174,19 +181,23 @@ export class PermissionsSelectComponent
         permissions.filter((p) => !this._inheritedPermissions.includes(p))
       )
     })
+
+    this.updateDisabledStates()
   }
 
   toggleAll(event, type) {
     const typeGroup = this.form.get(type)
-    if (event.target.checked) {
-      Object.keys(PermissionAction).forEach((action) => {
-        typeGroup.get(action).patchValue(true)
+    Object.keys(PermissionAction)
+      .filter((action) =>
+        this.isActionSupported(PermissionType[type], PermissionAction[action])
+      )
+      .forEach((action) => {
+        typeGroup.get(action).patchValue(event.target.checked)
       })
+
+    if (this.typeHasAllActionsSelected(type)) {
       this.typesWithAllActions.add(type)
     } else {
-      Object.keys(PermissionAction).forEach((action) => {
-        typeGroup.get(action).patchValue(false)
-      })
       this.typesWithAllActions.delete(type)
     }
   }
@@ -201,14 +212,21 @@ export class PermissionsSelectComponent
         )
       )
     } else {
-      return Object.values(PermissionAction).every((action) => {
-        return this._inheritedPermissions.includes(
-          this.permissionsService.getPermissionCode(
-            action as PermissionAction,
-            PermissionType[typeKey]
+      return Object.keys(PermissionAction)
+        .filter((action) =>
+          this.isActionSupported(
+            PermissionType[typeKey],
+            PermissionAction[action]
           )
         )
-      })
+        .every((action) => {
+          return this._inheritedPermissions.includes(
+            this.permissionsService.getPermissionCode(
+              PermissionAction[action],
+              PermissionType[typeKey]
+            )
+          )
+        })
     }
   }
 
@@ -216,12 +234,55 @@ export class PermissionsSelectComponent
     this.allowedTypes.forEach((type) => {
       const control = this.form.get(type)
       let actionControl: AbstractControl
-      for (const action in PermissionAction) {
+      for (const action of Object.keys(PermissionAction)) {
         actionControl = control.get(action)
+        if (
+          !this.isActionSupported(
+            PermissionType[type],
+            PermissionAction[action]
+          )
+        ) {
+          actionControl.patchValue(false, { emitEvent: false })
+          actionControl.disable({ emitEvent: false })
+          continue
+        }
+
         this.isInherited(type, action) || this.disabled
-          ? actionControl.disable()
-          : actionControl.enable()
+          ? actionControl.disable({ emitEvent: false })
+          : actionControl.enable({ emitEvent: false })
       }
     })
   }
+
+  public isActionSupported(
+    type: PermissionType,
+    action: PermissionAction
+  ): boolean {
+    // Global statistics and system status only support view
+    if (
+      type === PermissionType.GlobalStatistics ||
+      type === PermissionType.SystemStatus
+    ) {
+      return action === PermissionAction.View
+    }
+
+    return true
+  }
+
+  private typeHasAllActionsSelected(typeKey: string): boolean {
+    return Object.keys(PermissionAction)
+      .filter((action) =>
+        this.isActionSupported(
+          PermissionType[typeKey],
+          PermissionAction[action]
+        )
+      )
+      .every((action) => !!this.form.get(typeKey)?.get(action)?.value)
+  }
+
+  public sortActions = (
+    a: KeyValue<string, PermissionAction>,
+    b: KeyValue<string, PermissionAction>
+  ): number =>
+    this.actionOrder.indexOf(a.value) - this.actionOrder.indexOf(b.value)
 }

src-ui/src/app/services/permissions.service.spec.ts

@@ -6,6 +6,11 @@ import {
   PermissionsService,
 } from './permissions.service'
 
+const VIEW_ONLY_PERMISSION_TYPES = new Set<PermissionType>([
+  PermissionType.GlobalStatistics,
+  PermissionType.SystemStatus,
+])
+
 describe('PermissionsService', () => {
   let permissionsService: PermissionsService
 
@@ -264,6 +269,8 @@ describe('PermissionsService', () => {
         'change_applicationconfiguration',
         'delete_applicationconfiguration',
         'view_applicationconfiguration',
+        'view_global_statistics',
+        'view_system_status',
       ],
       {
         username: 'testuser',
@@ -274,7 +281,10 @@ describe('PermissionsService', () => {
 
     Object.values(PermissionType).forEach((type) => {
       Object.values(PermissionAction).forEach((action) => {
-        expect(permissionsService.currentUserCan(action, type)).toBeTruthy()
+        expect(permissionsService.currentUserCan(action, type)).toBe(
+          !VIEW_ONLY_PERMISSION_TYPES.has(type) ||
+            action === PermissionAction.View
+        )
       })
     })
 

src-ui/src/app/services/permissions.service.ts

@@ -29,6 +29,8 @@ export enum PermissionType {
   CustomField = '%s_customfield',
   Workflow = '%s_workflow',
   ProcessedMail = '%s_processedmail',
+  GlobalStatistics = '%s_global_statistics',
+  SystemStatus = '%s_system_status',
 }
 
 @Injectable({

src-ui/src/app/utils/ngb-date-parser-formatter.spec.ts

@@ -73,7 +73,7 @@ describe('LocalizedDateParserFormatter', () => {
 
   it('should handle years when current year % 100 < 50', () => {
     jest.useFakeTimers()
-    jest.setSystemTime(new Date(2026, 5, 15))
+    jest.setSystemTime(new Date(2026, 5, 15).getTime())
     let val = dateParserFormatter.parse('5/4/26')
     expect(val).toEqual({ day: 4, month: 5, year: 2026 })
 
@@ -87,7 +87,7 @@ describe('LocalizedDateParserFormatter', () => {
 
   it('should handle years when current year % 100 >= 50', () => {
     jest.useFakeTimers()
-    jest.setSystemTime(new Date(2076, 5, 15))
+    jest.setSystemTime(new Date(2076, 5, 15).getTime())
     const val = dateParserFormatter.parse('5/4/00')
     expect(val).toEqual({ day: 4, month: 5, year: 2100 })
     jest.useRealTimers()

src/documents/consumer.py

@@ -313,7 +313,6 @@ class ConsumerPlugin(
             run_subprocess(
                 [
                     settings.PRE_CONSUME_SCRIPT,
-                    original_file_path,
                 ],
                 script_env,
                 self.log,
@@ -383,14 +382,6 @@ class ConsumerPlugin(
             run_subprocess(
                 [
                     settings.POST_CONSUME_SCRIPT,
-                    str(document.pk),
-                    document.get_public_filename(),
-                    os.path.normpath(document.source_path),
-                    os.path.normpath(document.thumbnail_path),
-                    reverse("document-download", kwargs={"pk": document.pk}),
-                    reverse("document-thumb", kwargs={"pk": document.pk}),
-                    str(document.correspondent),
-                    str(",".join(document.tags.all().values_list("name", flat=True))),
                 ],
                 script_env,
                 self.log,
@@ -650,6 +641,10 @@ class ConsumerPlugin(
                         # If we get here, it was successful. Proceed with post-consume
                         # hooks. If they fail, nothing will get changed.
 
+                        document = Document.objects.prefetch_related("versions").get(
+                            pk=document.pk,
+                        )
+
                         document_consumption_finished.send(
                             sender=self.__class__,
                             document=document,

src/documents/models.py

@@ -381,7 +381,10 @@ class Document(SoftDeleteModel, ModelWithOwner):  # type: ignore[django-manager-
             if isinstance(prefetched_cache, dict)
             else None
         )
-        if prefetched_versions:
+        if prefetched_versions is not None:
+            # Empty list means prefetch ran and found no versions — use own content.
+            if not prefetched_versions:
+                return self.content
             latest_prefetched = max(prefetched_versions, key=lambda doc: doc.id)
             return latest_prefetched.content
 

src/documents/permissions.py

@@ -56,6 +56,26 @@ class PaperlessAdminPermissions(BasePermission):
         return request.user.is_staff
 
 
+def has_global_statistics_permission(user: User | None) -> bool:
+    if user is None or not getattr(user, "is_authenticated", False):
+        return False
+
+    return getattr(user, "is_superuser", False) or user.has_perm(
+        "paperless.view_global_statistics",
+    )
+
+
+def has_system_status_permission(user: User | None) -> bool:
+    if user is None or not getattr(user, "is_authenticated", False):
+        return False
+
+    return (
+        getattr(user, "is_superuser", False)
+        or getattr(user, "is_staff", False)
+        or user.has_perm("paperless.view_system_status")
+    )
+
+
 def get_groups_with_only_permission(obj, codename):
     ctype = ContentType.objects.get_for_model(obj)
     permission = Permission.objects.get(content_type=ctype, codename=codename)

src/documents/sanity_checker.py

@@ -182,8 +182,9 @@ def _check_thumbnail(
     present_files: set[Path],
 ) -> None:
     """Verify the thumbnail exists and is readable."""
-    thumbnail_path: Final[Path] = Path(doc.thumbnail_path).resolve()
-    if not thumbnail_path.exists() or not thumbnail_path.is_file():
+    # doc.thumbnail_path already returns a resolved Path; no need to re-resolve.
+    thumbnail_path: Final[Path] = doc.thumbnail_path
+    if not thumbnail_path.is_file():
         messages.error(doc.pk, "Thumbnail of document does not exist.")
         return
 
@@ -200,8 +201,9 @@ def _check_original(
     present_files: set[Path],
 ) -> None:
     """Verify the original file exists, is readable, and has matching checksum."""
-    source_path: Final[Path] = Path(doc.source_path).resolve()
-    if not source_path.exists() or not source_path.is_file():
+    # doc.source_path already returns a resolved Path; no need to re-resolve.
+    source_path: Final[Path] = doc.source_path
+    if not source_path.is_file():
         messages.error(doc.pk, "Original of document does not exist.")
         return
 
@@ -237,8 +239,9 @@ def _check_archive(
     elif doc.has_archive_version:
         if TYPE_CHECKING:
             assert isinstance(doc.archive_path, Path)
-        archive_path: Final[Path] = Path(doc.archive_path).resolve()
-        if not archive_path.exists() or not archive_path.is_file():
+        # doc.archive_path already returns a resolved Path; no need to re-resolve.
+        archive_path: Final[Path] = doc.archive_path  # type: ignore[assignment]
+        if not archive_path.is_file():
             messages.error(doc.pk, "Archived version of document does not exist.")
             return
 
@@ -314,7 +317,15 @@ def check_sanity(
     messages = SanityCheckMessages()
     present_files = _build_present_files()
 
-    documents = Document.global_objects.all()
+    documents = Document.global_objects.only(
+        "pk",
+        "filename",
+        "mime_type",
+        "checksum",
+        "archive_checksum",
+        "archive_filename",
+        "content",
+    ).iterator(chunk_size=500)
     for doc in iter_wrapper(documents):
         _check_document(doc, messages, present_files)
 

src/documents/serialisers.py

@@ -100,7 +100,7 @@ logger = logging.getLogger("paperless.serializers")
 
 
 # https://www.django-rest-framework.org/api-guide/serializers/#example
-class DynamicFieldsModelSerializer(serializers.ModelSerializer):
+class DynamicFieldsModelSerializer(serializers.ModelSerializer[Any]):
     """
     A ModelSerializer that takes an additional `fields` argument that
     controls which fields should be displayed.
@@ -121,7 +121,7 @@ class DynamicFieldsModelSerializer(serializers.ModelSerializer):
                 self.fields.pop(field_name)
 
 
-class MatchingModelSerializer(serializers.ModelSerializer):
+class MatchingModelSerializer(serializers.ModelSerializer[Any]):
     document_count = serializers.IntegerField(read_only=True)
 
     def get_slug(self, obj) -> str:
@@ -261,7 +261,7 @@ class SetPermissionsSerializer(serializers.DictField):
 
 class OwnedObjectSerializer(
     SerializerWithPerms,
-    serializers.ModelSerializer,
+    serializers.ModelSerializer[Any],
     SetPermissionsMixin,
 ):
     def __init__(self, *args, **kwargs) -> None:
@@ -469,7 +469,7 @@ class OwnedObjectSerializer(
         return super().update(instance, validated_data)
 
 
-class OwnedObjectListSerializer(serializers.ListSerializer):
+class OwnedObjectListSerializer(serializers.ListSerializer[Any]):
     def to_representation(self, documents):
         self.child.context["shared_object_pks"] = self.child.get_shared_object_pks(
             documents,
@@ -682,27 +682,27 @@ class TagSerializer(MatchingModelSerializer, OwnedObjectSerializer):
         return super().validate(attrs)
 
 
-class CorrespondentField(serializers.PrimaryKeyRelatedField):
+class CorrespondentField(serializers.PrimaryKeyRelatedField[Correspondent]):
     def get_queryset(self):
         return Correspondent.objects.all()
 
 
-class TagsField(serializers.PrimaryKeyRelatedField):
+class TagsField(serializers.PrimaryKeyRelatedField[Tag]):
     def get_queryset(self):
         return Tag.objects.all()
 
 
-class DocumentTypeField(serializers.PrimaryKeyRelatedField):
+class DocumentTypeField(serializers.PrimaryKeyRelatedField[DocumentType]):
     def get_queryset(self):
         return DocumentType.objects.all()
 
 
-class StoragePathField(serializers.PrimaryKeyRelatedField):
+class StoragePathField(serializers.PrimaryKeyRelatedField[StoragePath]):
     def get_queryset(self):
         return StoragePath.objects.all()
 
 
-class CustomFieldSerializer(serializers.ModelSerializer):
+class CustomFieldSerializer(serializers.ModelSerializer[CustomField]):
     data_type = serializers.ChoiceField(
         choices=CustomField.FieldDataType,
         read_only=False,
@@ -816,7 +816,7 @@ def validate_documentlink_targets(user, doc_ids):
         )
 
 
-class CustomFieldInstanceSerializer(serializers.ModelSerializer):
+class CustomFieldInstanceSerializer(serializers.ModelSerializer[CustomFieldInstance]):
     field = serializers.PrimaryKeyRelatedField(queryset=CustomField.objects.all())
     value = ReadWriteSerializerMethodField(allow_null=True)
 
@@ -922,14 +922,14 @@ class CustomFieldInstanceSerializer(serializers.ModelSerializer):
         ]
 
 
-class BasicUserSerializer(serializers.ModelSerializer):
+class BasicUserSerializer(serializers.ModelSerializer[User]):
     # Different than paperless.serializers.UserSerializer
     class Meta:
         model = User
         fields = ["id", "username", "first_name", "last_name"]
 
 
-class NotesSerializer(serializers.ModelSerializer):
+class NotesSerializer(serializers.ModelSerializer[Note]):
     user = BasicUserSerializer(read_only=True)
 
     class Meta:
@@ -1256,7 +1256,7 @@ class DocumentSerializer(
         list_serializer_class = OwnedObjectListSerializer
 
 
-class SearchResultListSerializer(serializers.ListSerializer):
+class SearchResultListSerializer(serializers.ListSerializer[Document]):
     def to_representation(self, hits):
         document_ids = [hit["id"] for hit in hits]
         # Fetch all Document objects in the list in one SQL query.
@@ -1313,7 +1313,7 @@ class SearchResultSerializer(DocumentSerializer):
         list_serializer_class = SearchResultListSerializer
 
 
-class SavedViewFilterRuleSerializer(serializers.ModelSerializer):
+class SavedViewFilterRuleSerializer(serializers.ModelSerializer[SavedViewFilterRule]):
     class Meta:
         model = SavedViewFilterRule
         fields = ["rule_type", "value"]
@@ -2401,7 +2401,7 @@ class StoragePathSerializer(MatchingModelSerializer, OwnedObjectSerializer):
         return super().update(instance, validated_data)
 
 
-class UiSettingsViewSerializer(serializers.ModelSerializer):
+class UiSettingsViewSerializer(serializers.ModelSerializer[UiSettings]):
     settings = serializers.DictField(required=False, allow_null=True)
 
     class Meta:
@@ -2760,7 +2760,7 @@ class BulkEditObjectsSerializer(SerializerWithPerms, SetPermissionsMixin):
         return attrs
 
 
-class WorkflowTriggerSerializer(serializers.ModelSerializer):
+class WorkflowTriggerSerializer(serializers.ModelSerializer[WorkflowTrigger]):
     id = serializers.IntegerField(required=False, allow_null=True)
     sources = fields.MultipleChoiceField(
         choices=WorkflowTrigger.DocumentSourceChoices.choices,
@@ -2870,7 +2870,7 @@ class WorkflowTriggerSerializer(serializers.ModelSerializer):
         return super().update(instance, validated_data)
 
 
-class WorkflowActionEmailSerializer(serializers.ModelSerializer):
+class WorkflowActionEmailSerializer(serializers.ModelSerializer[WorkflowActionEmail]):
     id = serializers.IntegerField(allow_null=True, required=False)
 
     class Meta:
@@ -2884,7 +2884,9 @@ class WorkflowActionEmailSerializer(serializers.ModelSerializer):
         ]
 
 
-class WorkflowActionWebhookSerializer(serializers.ModelSerializer):
+class WorkflowActionWebhookSerializer(
+    serializers.ModelSerializer[WorkflowActionWebhook],
+):
     id = serializers.IntegerField(allow_null=True, required=False)
 
     def validate_url(self, url):
@@ -2905,7 +2907,7 @@ class WorkflowActionWebhookSerializer(serializers.ModelSerializer):
         ]
 
 
-class WorkflowActionSerializer(serializers.ModelSerializer):
+class WorkflowActionSerializer(serializers.ModelSerializer[WorkflowAction]):
     id = serializers.IntegerField(required=False, allow_null=True)
     assign_correspondent = CorrespondentField(allow_null=True, required=False)
     assign_tags = TagsField(many=True, allow_null=True, required=False)
@@ -3027,7 +3029,7 @@ class WorkflowActionSerializer(serializers.ModelSerializer):
         return attrs
 
 
-class WorkflowSerializer(serializers.ModelSerializer):
+class WorkflowSerializer(serializers.ModelSerializer[Workflow]):
     order = serializers.IntegerField(required=False)
 
     triggers = WorkflowTriggerSerializer(many=True)

src/documents/tests/test_api_app_config.py

@@ -6,6 +6,8 @@ from unittest.mock import patch
 from django.contrib.auth.models import User
 from django.core.files.uploadedfile import SimpleUploadedFile
 from django.test import override_settings
+from PIL import Image
+from PIL.PngImagePlugin import PngInfo
 from rest_framework import status
 from rest_framework.test import APITestCase
 
@@ -201,6 +203,156 @@ class TestApiAppConfig(DirectoriesMixin, APITestCase):
         )
         self.assertFalse(Path(old_logo.path).exists())
 
+    def test_api_strips_exif_data_from_uploaded_logo(self) -> None:
+        """
+        GIVEN:
+            - A JPEG logo upload containing EXIF metadata
+        WHEN:
+            - Uploaded via PATCH to app config
+        THEN:
+            - Stored logo image has EXIF metadata removed
+        """
+        image = Image.new("RGB", (12, 12), "blue")
+        exif = Image.Exif()
+        exif[315] = "Paperless Test Author"
+
+        logo = BytesIO()
+        image.save(logo, format="JPEG", exif=exif)
+        logo.seek(0)
+
+        response = self.client.patch(
+            f"{self.ENDPOINT}1/",
+            {
+                "app_logo": SimpleUploadedFile(
+                    name="logo-with-exif.jpg",
+                    content=logo.getvalue(),
+                    content_type="image/jpeg",
+                ),
+            },
+        )
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+
+        config = ApplicationConfiguration.objects.first()
+        with Image.open(config.app_logo.path) as stored_logo:
+            stored_exif = stored_logo.getexif()
+
+        self.assertEqual(len(stored_exif), 0)
+
+    def test_api_strips_png_metadata_from_uploaded_logo(self) -> None:
+        """
+        GIVEN:
+            - A PNG logo upload containing text metadata
+        WHEN:
+            - Uploaded via PATCH to app config
+        THEN:
+            - Stored logo image has metadata removed
+        """
+        image = Image.new("RGB", (12, 12), "green")
+        pnginfo = PngInfo()
+        pnginfo.add_text("Author", "Paperless Test Author")
+
+        logo = BytesIO()
+        image.save(logo, format="PNG", pnginfo=pnginfo)
+        logo.seek(0)
+
+        response = self.client.patch(
+            f"{self.ENDPOINT}1/",
+            {
+                "app_logo": SimpleUploadedFile(
+                    name="logo-with-metadata.png",
+                    content=logo.getvalue(),
+                    content_type="image/png",
+                ),
+            },
+        )
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+
+        config = ApplicationConfiguration.objects.first()
+        with Image.open(config.app_logo.path) as stored_logo:
+            stored_text = stored_logo.text
+
+        self.assertEqual(stored_text, {})
+
+    def test_api_accepts_valid_gif_logo(self) -> None:
+        """
+        GIVEN:
+            - A valid GIF logo upload
+        WHEN:
+            - Uploaded via PATCH to app config
+        THEN:
+            - Upload succeeds
+        """
+        image = Image.new("RGB", (12, 12), "red")
+
+        logo = BytesIO()
+        image.save(logo, format="GIF", comment=b"Paperless Test Comment")
+        logo.seek(0)
+
+        response = self.client.patch(
+            f"{self.ENDPOINT}1/",
+            {
+                "app_logo": SimpleUploadedFile(
+                    name="logo.gif",
+                    content=logo.getvalue(),
+                    content_type="image/gif",
+                ),
+            },
+        )
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+
+    def test_api_rejects_invalid_raster_logo(self) -> None:
+        """
+        GIVEN:
+            - A file named as a JPEG but containing non-image payload data
+        WHEN:
+            - Uploaded via PATCH to app config
+        THEN:
+            - Upload is rejected with 400
+        """
+        response = self.client.patch(
+            f"{self.ENDPOINT}1/",
+            {
+                "app_logo": SimpleUploadedFile(
+                    name="not-an-image.jpg",
+                    content=b"<script>alert('xss')</script>",
+                    content_type="image/jpeg",
+                ),
+            },
+        )
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+        self.assertIn("invalid logo image", str(response.data).lower())
+
+    @override_settings(MAX_IMAGE_PIXELS=100)
+    def test_api_rejects_logo_exceeding_max_image_pixels(self) -> None:
+        """
+        GIVEN:
+            - A raster logo larger than the configured MAX_IMAGE_PIXELS limit
+        WHEN:
+            - Uploaded via PATCH to app config
+        THEN:
+            - Upload is rejected with 400
+        """
+        image = Image.new("RGB", (12, 12), "purple")
+        logo = BytesIO()
+        image.save(logo, format="PNG")
+        logo.seek(0)
+
+        response = self.client.patch(
+            f"{self.ENDPOINT}1/",
+            {
+                "app_logo": SimpleUploadedFile(
+                    name="too-large.png",
+                    content=logo.getvalue(),
+                    content_type="image/png",
+                ),
+            },
+        )
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+        self.assertIn(
+            "uploaded logo exceeds the maximum allowed image size",
+            str(response.data).lower(),
+        )
+
     def test_api_rejects_malicious_svg_logo(self) -> None:
         """
         GIVEN:

src/documents/tests/test_api_custom_fields.py

@@ -1309,7 +1309,7 @@ class TestCustomFieldsAPI(DirectoriesMixin, APITestCase):
         # Test as user without access to the document
         non_superuser = User.objects.create_user(username="non_superuser")
         non_superuser.user_permissions.add(
-            *Permission.objects.all(),
+            *Permission.objects.exclude(codename="view_global_statistics"),
         )
         non_superuser.save()
         self.client.force_authenticate(user=non_superuser)

src/documents/tests/test_api_documents.py

@@ -18,6 +18,7 @@ from django.contrib.auth.models import Permission
 from django.contrib.auth.models import User
 from django.core import mail
 from django.core.cache import cache
+from django.core.files.uploadedfile import SimpleUploadedFile
 from django.db import DataError
 from django.test import override_settings
 from django.utils import timezone
@@ -1314,6 +1315,41 @@ class TestDocumentApi(DirectoriesMixin, DocumentConsumeDelayMixin, APITestCase):
         self.assertEqual(response.status_code, status.HTTP_200_OK)
         self.assertEqual(response.data["documents_inbox"], 0)
 
+    def test_statistics_with_statistics_permission(self) -> None:
+        owner = User.objects.create_user("owner")
+        stats_user = User.objects.create_user("stats-user")
+        stats_user.user_permissions.add(
+            Permission.objects.get(codename="view_global_statistics"),
+        )
+
+        inbox_tag = Tag.objects.create(
+            name="stats_inbox",
+            is_inbox_tag=True,
+            owner=owner,
+        )
+        Document.objects.create(
+            title="owned-doc",
+            checksum="stats-A",
+            mime_type="application/pdf",
+            content="abcdef",
+            owner=owner,
+        ).tags.add(inbox_tag)
+        Correspondent.objects.create(name="stats-correspondent", owner=owner)
+        DocumentType.objects.create(name="stats-type", owner=owner)
+        StoragePath.objects.create(name="stats-path", path="archive", owner=owner)
+
+        self.client.force_authenticate(user=stats_user)
+        response = self.client.get("/api/statistics/")
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data["documents_total"], 1)
+        self.assertEqual(response.data["documents_inbox"], 1)
+        self.assertEqual(response.data["inbox_tags"], [inbox_tag.pk])
+        self.assertEqual(response.data["character_count"], 6)
+        self.assertEqual(response.data["correspondent_count"], 1)
+        self.assertEqual(response.data["document_type_count"], 1)
+        self.assertEqual(response.data["storage_path_count"], 1)
+
     def test_upload(self) -> None:
         self.consume_file_mock.return_value = celery.result.AsyncResult(
             id=str(uuid.uuid4()),
@@ -1342,6 +1378,79 @@ class TestDocumentApi(DirectoriesMixin, DocumentConsumeDelayMixin, APITestCase):
         self.assertIsNone(overrides.document_type_id)
         self.assertIsNone(overrides.tag_ids)
 
+    def test_upload_with_path_traversal_filename_is_reduced_to_basename(self) -> None:
+        self.consume_file_mock.return_value = celery.result.AsyncResult(
+            id=str(uuid.uuid4()),
+        )
+
+        payload = SimpleUploadedFile(
+            "../../outside.pdf",
+            (Path(__file__).parent / "samples" / "simple.pdf").read_bytes(),
+            content_type="application/pdf",
+        )
+
+        response = self.client.post(
+            "/api/documents/post_document/",
+            {"document": payload},
+        )
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.consume_file_mock.assert_called_once()
+
+        input_doc, overrides = self.get_last_consume_delay_call_args()
+
+        self.assertEqual(input_doc.original_file.name, "outside.pdf")
+        self.assertEqual(overrides.filename, "outside.pdf")
+        self.assertNotIn("..", input_doc.original_file.name)
+        self.assertNotIn("..", overrides.filename)
+        self.assertTrue(
+            input_doc.original_file.resolve(strict=False).is_relative_to(
+                Path(settings.SCRATCH_DIR).resolve(strict=False),
+            ),
+        )
+
+    def test_upload_with_path_traversal_content_disposition_filename_is_reduced_to_basename(
+        self,
+    ) -> None:
+        self.consume_file_mock.return_value = celery.result.AsyncResult(
+            id=str(uuid.uuid4()),
+        )
+
+        pdf_bytes = (Path(__file__).parent / "samples" / "simple.pdf").read_bytes()
+        boundary = "paperless-boundary"
+        payload = (
+            (
+                f"--{boundary}\r\n"
+                'Content-Disposition: form-data; name="document"; '
+                'filename="../../outside.pdf"\r\n'
+                "Content-Type: application/pdf\r\n\r\n"
+            ).encode()
+            + pdf_bytes
+            + f"\r\n--{boundary}--\r\n".encode()
+        )
+
+        response = self.client.generic(
+            "POST",
+            "/api/documents/post_document/",
+            payload,
+            content_type=f"multipart/form-data; boundary={boundary}",
+        )
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.consume_file_mock.assert_called_once()
+
+        input_doc, overrides = self.get_last_consume_delay_call_args()
+
+        self.assertEqual(input_doc.original_file.name, "outside.pdf")
+        self.assertEqual(overrides.filename, "outside.pdf")
+        self.assertNotIn("..", input_doc.original_file.name)
+        self.assertNotIn("..", overrides.filename)
+        self.assertTrue(
+            input_doc.original_file.resolve(strict=False).is_relative_to(
+                Path(settings.SCRATCH_DIR).resolve(strict=False),
+            ),
+        )
+
     def test_document_filters_use_latest_version_content(self) -> None:
         root = Document.objects.create(
             title="versioned root",

src/documents/tests/test_api_status.py

@@ -5,12 +5,14 @@ from pathlib import Path
 from unittest import mock
 
 from celery import states
+from django.contrib.auth.models import Permission
 from django.contrib.auth.models import User
 from django.test import override_settings
 from rest_framework import status
 from rest_framework.test import APITestCase
 
 from documents.models import PaperlessTask
+from documents.permissions import has_system_status_permission
 from paperless import version
 
 
@@ -91,6 +93,22 @@ class TestSystemStatus(APITestCase):
         self.client.force_login(normal_user)
         response = self.client.get(self.ENDPOINT)
         self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+        # test the permission helper function directly for good measure
+        self.assertFalse(has_system_status_permission(None))
+
+    def test_system_status_with_system_status_permission(self) -> None:
+        response = self.client.get(self.ENDPOINT)
+        self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
+
+        user = User.objects.create_user(username="status_user")
+        user.user_permissions.add(
+            Permission.objects.get(codename="view_system_status"),
+        )
+
+        self.client.force_login(user)
+        response = self.client.get(self.ENDPOINT)
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
 
     def test_system_status_with_bad_basic_auth_challenges(self) -> None:
         self.client.credentials(HTTP_AUTHORIZATION="Basic invalid")

src/documents/tests/test_consumer.py

@@ -1328,7 +1328,7 @@ class PreConsumeTestCase(DirectoriesMixin, GetConsumerMixin, TestCase):
                     environment = args[1]
 
                     self.assertEqual(command[0], script.name)
-                    self.assertEqual(command[1], str(self.test_file))
+                    self.assertEqual(len(command), 1)
 
                     subset = {
                         "DOCUMENT_SOURCE_PATH": str(c.input_doc.original_file),
@@ -1478,11 +1478,7 @@ class PostConsumeTestCase(DirectoriesMixin, GetConsumerMixin, TestCase):
                 environment = args[1]
 
                 self.assertEqual(command[0], script.name)
-                self.assertEqual(command[1], str(doc.pk))
-                self.assertEqual(command[5], f"/api/documents/{doc.pk}/download/")
-                self.assertEqual(command[6], f"/api/documents/{doc.pk}/thumb/")
-                self.assertEqual(command[7], "my_bank")
-                self.assertCountEqual(command[8].split(","), ["a", "b"])
+                self.assertEqual(len(command), 1)
 
                 subset = {
                     "DOCUMENT_ID": str(doc.pk),

src/documents/views.py

@@ -165,7 +165,9 @@ from documents.permissions import ViewDocumentsPermissions
 from documents.permissions import annotate_document_count_for_related_queryset
 from documents.permissions import get_document_count_filter_for_user
 from documents.permissions import get_objects_for_user_owner_aware
+from documents.permissions import has_global_statistics_permission
 from documents.permissions import has_perms_owner_aware
+from documents.permissions import has_system_status_permission
 from documents.permissions import set_permissions_for_object
 from documents.plugins.date_parsing import get_date_parser
 from documents.schema import generate_object_with_permissions_schema
@@ -289,7 +291,7 @@ class IndexView(TemplateView):
         return context
 
 
-class PassUserMixin(GenericAPIView):
+class PassUserMixin(GenericAPIView[Any]):
     """
     Pass a user object to serializer
     """
@@ -455,7 +457,10 @@ class PermissionsAwareDocumentCountMixin(BulkPermissionMixin, PassUserMixin):
 
 
 @extend_schema_view(**generate_object_with_permissions_schema(CorrespondentSerializer))
-class CorrespondentViewSet(PermissionsAwareDocumentCountMixin, ModelViewSet):
+class CorrespondentViewSet(
+    PermissionsAwareDocumentCountMixin,
+    ModelViewSet[Correspondent],
+):
     model = Correspondent
 
     queryset = Correspondent.objects.select_related("owner").order_by(Lower("name"))
@@ -492,7 +497,7 @@ class CorrespondentViewSet(PermissionsAwareDocumentCountMixin, ModelViewSet):
 
 
 @extend_schema_view(**generate_object_with_permissions_schema(TagSerializer))
-class TagViewSet(PermissionsAwareDocumentCountMixin, ModelViewSet):
+class TagViewSet(PermissionsAwareDocumentCountMixin, ModelViewSet[Tag]):
     model = Tag
     serializer_class = TagSerializer
     document_count_through = Document.tags.through
@@ -571,7 +576,10 @@ class TagViewSet(PermissionsAwareDocumentCountMixin, ModelViewSet):
 
 
 @extend_schema_view(**generate_object_with_permissions_schema(DocumentTypeSerializer))
-class DocumentTypeViewSet(PermissionsAwareDocumentCountMixin, ModelViewSet):
+class DocumentTypeViewSet(
+    PermissionsAwareDocumentCountMixin,
+    ModelViewSet[DocumentType],
+):
     model = DocumentType
 
     queryset = DocumentType.objects.select_related("owner").order_by(Lower("name"))
@@ -806,7 +814,7 @@ class DocumentViewSet(
     UpdateModelMixin,
     DestroyModelMixin,
     ListModelMixin,
-    GenericViewSet,
+    GenericViewSet[Document],
 ):
     model = Document
     queryset = Document.objects.all()
@@ -1246,7 +1254,10 @@ class DocumentViewSet(
         ),
     )
     def suggestions(self, request, pk=None):
-        doc = get_object_or_404(Document.objects.select_related("owner"), pk=pk)
+        doc = get_object_or_404(
+            Document.objects.select_related("owner").prefetch_related("versions"),
+            pk=pk,
+        )
         if request.user is not None and not has_perms_owner_aware(
             request.user,
             "view_document",
@@ -1950,7 +1961,7 @@ class ChatStreamingSerializer(serializers.Serializer):
     ],
     name="dispatch",
 )
-class ChatStreamingView(GenericAPIView):
+class ChatStreamingView(GenericAPIView[Any]):
     permission_classes = (IsAuthenticated,)
     serializer_class = ChatStreamingSerializer
 
@@ -2276,7 +2287,7 @@ class LogViewSet(ViewSet):
 
 
 @extend_schema_view(**generate_object_with_permissions_schema(SavedViewSerializer))
-class SavedViewViewSet(BulkPermissionMixin, PassUserMixin, ModelViewSet):
+class SavedViewViewSet(BulkPermissionMixin, PassUserMixin, ModelViewSet[SavedView]):
     model = SavedView
 
     queryset = SavedView.objects.select_related("owner").prefetch_related(
@@ -2754,7 +2765,7 @@ class RemovePasswordDocumentsView(DocumentOperationPermissionMixin):
         },
     ),
 )
-class PostDocumentView(GenericAPIView):
+class PostDocumentView(GenericAPIView[Any]):
     permission_classes = (IsAuthenticated,)
     serializer_class = PostDocumentSerializer
     parser_classes = (parsers.MultiPartParser,)
@@ -2875,7 +2886,7 @@ class PostDocumentView(GenericAPIView):
         },
     ),
 )
-class SelectionDataView(GenericAPIView):
+class SelectionDataView(GenericAPIView[Any]):
     permission_classes = (IsAuthenticated,)
     serializer_class = DocumentListSerializer
     parser_classes = (parsers.MultiPartParser, parsers.JSONParser)
@@ -2979,7 +2990,7 @@ class SelectionDataView(GenericAPIView):
         },
     ),
 )
-class SearchAutoCompleteView(GenericAPIView):
+class SearchAutoCompleteView(GenericAPIView[Any]):
     permission_classes = (IsAuthenticated,)
 
     def get(self, request, format=None):
@@ -3260,15 +3271,16 @@ class GlobalSearchView(PassUserMixin):
         },
     ),
 )
-class StatisticsView(GenericAPIView):
+class StatisticsView(GenericAPIView[Any]):
     permission_classes = (IsAuthenticated,)
 
     def get(self, request, format=None):
         user = request.user if request.user is not None else None
+        can_view_global_stats = has_global_statistics_permission(user) or user is None
 
         documents = (
             Document.objects.all()
-            if user is None
+            if can_view_global_stats
             else get_objects_for_user_owner_aware(
                 user,
                 "documents.view_document",
@@ -3277,12 +3289,12 @@ class StatisticsView(GenericAPIView):
         )
         tags = (
             Tag.objects.all()
-            if user is None
+            if can_view_global_stats
             else get_objects_for_user_owner_aware(user, "documents.view_tag", Tag)
         ).only("id", "is_inbox_tag")
         correspondent_count = (
             Correspondent.objects.count()
-            if user is None
+            if can_view_global_stats
             else get_objects_for_user_owner_aware(
                 user,
                 "documents.view_correspondent",
@@ -3291,7 +3303,7 @@ class StatisticsView(GenericAPIView):
         )
         document_type_count = (
             DocumentType.objects.count()
-            if user is None
+            if can_view_global_stats
             else get_objects_for_user_owner_aware(
                 user,
                 "documents.view_documenttype",
@@ -3300,7 +3312,7 @@ class StatisticsView(GenericAPIView):
         )
         storage_path_count = (
             StoragePath.objects.count()
-            if user is None
+            if can_view_global_stats
             else get_objects_for_user_owner_aware(
                 user,
                 "documents.view_storagepath",
@@ -3361,7 +3373,7 @@ class StatisticsView(GenericAPIView):
         )
 
 
-class BulkDownloadView(DocumentSelectionMixin, GenericAPIView):
+class BulkDownloadView(DocumentSelectionMixin, GenericAPIView[Any]):
     permission_classes = (IsAuthenticated,)
     serializer_class = BulkDownloadSerializer
     parser_classes = (parsers.JSONParser,)
@@ -3414,7 +3426,7 @@ class BulkDownloadView(DocumentSelectionMixin, GenericAPIView):
 
 
 @extend_schema_view(**generate_object_with_permissions_schema(StoragePathSerializer))
-class StoragePathViewSet(PermissionsAwareDocumentCountMixin, ModelViewSet):
+class StoragePathViewSet(PermissionsAwareDocumentCountMixin, ModelViewSet[StoragePath]):
     model = StoragePath
 
     queryset = StoragePath.objects.select_related("owner").order_by(
@@ -3478,7 +3490,7 @@ class StoragePathViewSet(PermissionsAwareDocumentCountMixin, ModelViewSet):
         return Response(result)
 
 
-class UiSettingsView(GenericAPIView):
+class UiSettingsView(GenericAPIView[Any]):
     queryset = UiSettings.objects.all()
     permission_classes = (IsAuthenticated, PaperlessObjectPermissions)
     serializer_class = UiSettingsViewSerializer
@@ -3576,7 +3588,7 @@ class UiSettingsView(GenericAPIView):
         },
     ),
 )
-class RemoteVersionView(GenericAPIView):
+class RemoteVersionView(GenericAPIView[Any]):
     cache_key = "remote_version_view_latest_release"
 
     def get(self, request, format=None):
@@ -3653,7 +3665,7 @@ class RemoteVersionView(GenericAPIView):
         ),
     ],
 )
-class TasksViewSet(ReadOnlyModelViewSet):
+class TasksViewSet(ReadOnlyModelViewSet[PaperlessTask]):
     permission_classes = (IsAuthenticated, PaperlessObjectPermissions)
     serializer_class = TasksViewSerializer
     filter_backends = (
@@ -3727,7 +3739,7 @@ class TasksViewSet(ReadOnlyModelViewSet):
             )
 
 
-class ShareLinkViewSet(ModelViewSet, PassUserMixin):
+class ShareLinkViewSet(PassUserMixin, ModelViewSet[ShareLink]):
     model = ShareLink
 
     queryset = ShareLink.objects.all()
@@ -3744,7 +3756,7 @@ class ShareLinkViewSet(ModelViewSet, PassUserMixin):
     ordering_fields = ("created", "expiration", "document")
 
 
-class ShareLinkBundleViewSet(ModelViewSet, PassUserMixin):
+class ShareLinkBundleViewSet(PassUserMixin, ModelViewSet[ShareLinkBundle]):
     model = ShareLinkBundle
 
     queryset = ShareLinkBundle.objects.all()
@@ -4101,7 +4113,7 @@ class BulkEditObjectsView(PassUserMixin):
         return Response({"result": "OK"})
 
 
-class WorkflowTriggerViewSet(ModelViewSet):
+class WorkflowTriggerViewSet(ModelViewSet[WorkflowTrigger]):
     permission_classes = (IsAuthenticated, PaperlessObjectPermissions)
 
     serializer_class = WorkflowTriggerSerializer
@@ -4119,7 +4131,7 @@ class WorkflowTriggerViewSet(ModelViewSet):
         return super().partial_update(request, *args, **kwargs)
 
 
-class WorkflowActionViewSet(ModelViewSet):
+class WorkflowActionViewSet(ModelViewSet[WorkflowAction]):
     permission_classes = (IsAuthenticated, PaperlessObjectPermissions)
 
     serializer_class = WorkflowActionSerializer
@@ -4144,7 +4156,7 @@ class WorkflowActionViewSet(ModelViewSet):
         return super().partial_update(request, *args, **kwargs)
 
 
-class WorkflowViewSet(ModelViewSet):
+class WorkflowViewSet(ModelViewSet[Workflow]):
     permission_classes = (IsAuthenticated, PaperlessObjectPermissions)
 
     serializer_class = WorkflowSerializer
@@ -4162,7 +4174,7 @@ class WorkflowViewSet(ModelViewSet):
     )
 
 
-class CustomFieldViewSet(PermissionsAwareDocumentCountMixin, ModelViewSet):
+class CustomFieldViewSet(PermissionsAwareDocumentCountMixin, ModelViewSet[CustomField]):
     permission_classes = (IsAuthenticated, PaperlessObjectPermissions)
 
     serializer_class = CustomFieldSerializer
@@ -4257,7 +4269,7 @@ class SystemStatusView(PassUserMixin):
     permission_classes = (IsAuthenticated,)
 
     def get(self, request, format=None):
-        if not request.user.is_staff:
+        if not has_system_status_permission(request.user):
             return HttpResponseForbidden("Insufficient permissions")
 
         current_version = version.__full_version_str__

src/paperless/migrations/0009_alter_applicationconfiguration_options.py

@@ -0,0 +1,22 @@
+# Generated by Django 5.2.12 on 2026-04-07 23:13
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("paperless", "0008_replace_skip_archive_file"),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name="applicationconfiguration",
+            options={
+                "permissions": [
+                    ("view_global_statistics", "Can view global object counts"),
+                    ("view_system_status", "Can view system status information"),
+                ],
+                "verbose_name": "paperless application settings",
+            },
+        ),
+    ]

src/paperless/models.py

@@ -341,6 +341,10 @@ class ApplicationConfiguration(AbstractSingletonModel):
 
     class Meta:
         verbose_name = _("paperless application settings")
+        permissions = [
+            ("view_global_statistics", "Can view global object counts"),
+            ("view_system_status", "Can view system status information"),
+        ]
 
     def __str__(self) -> str:  # pragma: no cover
         return "ApplicationConfiguration"

src/paperless/serialisers.py

@@ -1,4 +1,5 @@
 import logging
+from io import BytesIO
 
 import magic
 from allauth.mfa.adapter import get_adapter as get_mfa_adapter
@@ -11,13 +12,16 @@ from django.contrib.auth.models import Group
 from django.contrib.auth.models import Permission
 from django.contrib.auth.models import User
 from django.contrib.auth.password_validation import validate_password
+from django.core.files.uploadedfile import InMemoryUploadedFile
 from django.core.files.uploadedfile import UploadedFile
+from PIL import Image
 from rest_framework import serializers
 from rest_framework.authtoken.serializers import AuthTokenSerializer
 
 from paperless.models import ApplicationConfiguration
 from paperless.network import validate_outbound_http_url
 from paperless.validators import reject_dangerous_svg
+from paperless.validators import validate_raster_image
 from paperless_mail.serialisers import ObfuscatedPasswordField
 
 logger = logging.getLogger("paperless.settings")
@@ -70,7 +74,7 @@ class PaperlessAuthTokenSerializer(AuthTokenSerializer):
         return attrs
 
 
-class UserSerializer(PasswordValidationMixin, serializers.ModelSerializer):
+class UserSerializer(PasswordValidationMixin, serializers.ModelSerializer[User]):
     password = ObfuscatedPasswordField(required=False)
     user_permissions = serializers.SlugRelatedField(
         many=True,
@@ -138,7 +142,7 @@ class UserSerializer(PasswordValidationMixin, serializers.ModelSerializer):
         return user
 
 
-class GroupSerializer(serializers.ModelSerializer):
+class GroupSerializer(serializers.ModelSerializer[Group]):
     permissions = serializers.SlugRelatedField(
         many=True,
         queryset=Permission.objects.exclude(content_type__app_label="admin"),
@@ -154,7 +158,7 @@ class GroupSerializer(serializers.ModelSerializer):
         )
 
 
-class SocialAccountSerializer(serializers.ModelSerializer):
+class SocialAccountSerializer(serializers.ModelSerializer[SocialAccount]):
     name = serializers.SerializerMethodField()
 
     class Meta:
@@ -172,7 +176,7 @@ class SocialAccountSerializer(serializers.ModelSerializer):
             return "Unknown App"
 
 
-class ProfileSerializer(PasswordValidationMixin, serializers.ModelSerializer):
+class ProfileSerializer(PasswordValidationMixin, serializers.ModelSerializer[User]):
     email = serializers.EmailField(allow_blank=True, required=False)
     password = ObfuscatedPasswordField(required=False, allow_null=False)
     auth_token = serializers.SlugRelatedField(read_only=True, slug_field="key")
@@ -205,7 +209,9 @@ class ProfileSerializer(PasswordValidationMixin, serializers.ModelSerializer):
         )
 
 
-class ApplicationConfigurationSerializer(serializers.ModelSerializer):
+class ApplicationConfigurationSerializer(
+    serializers.ModelSerializer[ApplicationConfiguration],
+):
     user_args = serializers.JSONField(binary=True, allow_null=True)
     barcode_tag_mapping = serializers.JSONField(binary=True, allow_null=True)
     llm_api_key = ObfuscatedPasswordField(
@@ -233,9 +239,40 @@ class ApplicationConfigurationSerializer(serializers.ModelSerializer):
             instance.app_logo.delete()
         return super().update(instance, validated_data)
 
+    def _sanitize_raster_image(self, file: UploadedFile) -> UploadedFile:
+        try:
+            data = BytesIO()
+            image = Image.open(file)
+            image.save(data, format=image.format)
+            data.seek(0)
+
+            return InMemoryUploadedFile(
+                file=data,
+                field_name=file.field_name,
+                name=file.name,
+                content_type=file.content_type,
+                size=data.getbuffer().nbytes,
+                charset=getattr(file, "charset", None),
+            )
+        finally:
+            image.close()
+
     def validate_app_logo(self, file: UploadedFile):
-        if file and magic.from_buffer(file.read(2048), mime=True) == "image/svg+xml":
-            reject_dangerous_svg(file)
+        """
+        Validates and sanitizes the uploaded app logo image. Model field already restricts to
+        jpg/png/gif/svg.
+        """
+        if file:
+            mime_type = magic.from_buffer(file.read(2048), mime=True)
+
+            if mime_type == "image/svg+xml":
+                reject_dangerous_svg(file)
+            else:
+                validate_raster_image(file)
+
+                if mime_type in {"image/jpeg", "image/png"}:
+                    file = self._sanitize_raster_image(file)
+
         return file
 
     def validate_llm_endpoint(self, value: str | None) -> str | None:

src/paperless/settings/custom.py

@@ -224,7 +224,23 @@ def parse_db_settings(data_dir: Path) -> dict[str, dict[str, Any]]:
                 "ENGINE": "django.db.backends.sqlite3",
                 "NAME": str((data_dir / "db.sqlite3").resolve()),
             }
-            base_options = {}
+            base_options = {
+                # Django splits init_command on ";" and calls conn.execute()
+                # once per statement, so multiple PRAGMAs work correctly.
+                # foreign_keys is omitted — Django sets it natively.
+                "init_command": (
+                    "PRAGMA journal_mode=WAL;"
+                    "PRAGMA synchronous=NORMAL;"
+                    "PRAGMA busy_timeout=5000;"
+                    "PRAGMA temp_store=MEMORY;"
+                    "PRAGMA mmap_size=134217728;"
+                    "PRAGMA journal_size_limit=67108864;"
+                    "PRAGMA cache_size=-8000"  # negative = KiB; -8000 ≈ 8 MB
+                ),
+                # IMMEDIATE acquires the write lock at BEGIN, ensuring
+                # busy_timeout is respected from the start of the transaction.
+                "transaction_mode": "IMMEDIATE",
+            }
 
         case "postgresql":
             db_config = {
@@ -240,6 +256,7 @@ def parse_db_settings(data_dir: Path) -> dict[str, dict[str, Any]]:
                 "sslrootcert": os.getenv("PAPERLESS_DBSSLROOTCERT"),
                 "sslcert": os.getenv("PAPERLESS_DBSSLCERT"),
                 "sslkey": os.getenv("PAPERLESS_DBSSLKEY"),
+                "application_name": "paperless-ngx",
             }
 
             if (pool_size := get_int_from_env("PAPERLESS_DB_POOLSIZE")) is not None:
@@ -267,6 +284,12 @@ def parse_db_settings(data_dir: Path) -> dict[str, dict[str, Any]]:
                     "cert": os.getenv("PAPERLESS_DBSSLCERT"),
                     "key": os.getenv("PAPERLESS_DBSSLKEY"),
                 },
+                # READ COMMITTED eliminates gap locking and reduces deadlocks.
+                # Django also defaults to "read committed" for MySQL/MariaDB, but
+                # we set it explicitly so the intent is clear and survives any
+                # future changes to Django's default.
+                # Requires binlog_format=ROW if binary logging is enabled.
+                "isolation_level": "read committed",
             }
         case _:  # pragma: no cover
             raise NotImplementedError(engine)
@@ -287,7 +310,7 @@ def parse_db_settings(data_dir: Path) -> dict[str, dict[str, Any]]:
     db_config["OPTIONS"] = parse_dict_from_str(
         os.getenv("PAPERLESS_DB_OPTIONS"),
         defaults=base_options,
-        separator=";",
+        separator=",",
         type_map={
             # SQLite options
             "timeout": int,

src/paperless/tests/settings/test_custom_parsers.py

@@ -296,8 +296,19 @@ class TestParseDbSettings:
                 {
                     "default": {
                         "ENGINE": "django.db.backends.sqlite3",
-                        "NAME": None,  # Will be replaced with tmp_path
-                        "OPTIONS": {},
+                        "NAME": None,  # replaced with tmp_path in test body
+                        "OPTIONS": {
+                            "init_command": (
+                                "PRAGMA journal_mode=WAL;"
+                                "PRAGMA synchronous=NORMAL;"
+                                "PRAGMA busy_timeout=5000;"
+                                "PRAGMA temp_store=MEMORY;"
+                                "PRAGMA mmap_size=134217728;"
+                                "PRAGMA journal_size_limit=67108864;"
+                                "PRAGMA cache_size=-8000"
+                            ),
+                            "transaction_mode": "IMMEDIATE",
+                        },
                     },
                 },
                 id="default-sqlite",
@@ -310,14 +321,41 @@ class TestParseDbSettings:
                 {
                     "default": {
                         "ENGINE": "django.db.backends.sqlite3",
-                        "NAME": None,  # Will be replaced with tmp_path
+                        "NAME": None,
                         "OPTIONS": {
+                            "init_command": (
+                                "PRAGMA journal_mode=WAL;"
+                                "PRAGMA synchronous=NORMAL;"
+                                "PRAGMA busy_timeout=5000;"
+                                "PRAGMA temp_store=MEMORY;"
+                                "PRAGMA mmap_size=134217728;"
+                                "PRAGMA journal_size_limit=67108864;"
+                                "PRAGMA cache_size=-8000"
+                            ),
+                            "transaction_mode": "IMMEDIATE",
                             "timeout": 30,
                         },
                     },
                 },
                 id="sqlite-with-timeout-override",
             ),
+            pytest.param(
+                {
+                    "PAPERLESS_DBENGINE": "sqlite",
+                    "PAPERLESS_DB_OPTIONS": "init_command=PRAGMA journal_mode=DELETE;PRAGMA synchronous=FULL,transaction_mode=DEFERRED",
+                },
+                {
+                    "default": {
+                        "ENGINE": "django.db.backends.sqlite3",
+                        "NAME": None,
+                        "OPTIONS": {
+                            "init_command": "PRAGMA journal_mode=DELETE;PRAGMA synchronous=FULL",
+                            "transaction_mode": "DEFERRED",
+                        },
+                    },
+                },
+                id="sqlite-options-override",
+            ),
             pytest.param(
                 {
                     "PAPERLESS_DBENGINE": "postgresql",
@@ -335,6 +373,7 @@ class TestParseDbSettings:
                             "sslrootcert": None,
                             "sslcert": None,
                             "sslkey": None,
+                            "application_name": "paperless-ngx",
                         },
                     },
                 },
@@ -348,7 +387,7 @@ class TestParseDbSettings:
                     "PAPERLESS_DBNAME": "customdb",
                     "PAPERLESS_DBUSER": "customuser",
                     "PAPERLESS_DBPASS": "custompass",
-                    "PAPERLESS_DB_OPTIONS": "pool.max_size=50;pool.min_size=2;sslmode=require",
+                    "PAPERLESS_DB_OPTIONS": "pool.max_size=50,pool.min_size=2,sslmode=require",
                 },
                 {
                     "default": {
@@ -363,6 +402,7 @@ class TestParseDbSettings:
                             "sslrootcert": None,
                             "sslcert": None,
                             "sslkey": None,
+                            "application_name": "paperless-ngx",
                             "pool": {
                                 "min_size": 2,
                                 "max_size": 50,
@@ -390,6 +430,7 @@ class TestParseDbSettings:
                             "sslrootcert": None,
                             "sslcert": None,
                             "sslkey": None,
+                            "application_name": "paperless-ngx",
                             "pool": {
                                 "min_size": 1,
                                 "max_size": 10,
@@ -419,6 +460,7 @@ class TestParseDbSettings:
                             "sslrootcert": "/certs/ca.crt",
                             "sslcert": None,
                             "sslkey": None,
+                            "application_name": "paperless-ngx",
                             "connect_timeout": 30,
                         },
                     },
@@ -447,6 +489,7 @@ class TestParseDbSettings:
                                 "cert": None,
                                 "key": None,
                             },
+                            "isolation_level": "read committed",
                         },
                     },
                 },
@@ -455,18 +498,17 @@ class TestParseDbSettings:
             pytest.param(
                 {
                     "PAPERLESS_DBENGINE": "mariadb",
-                    "PAPERLESS_DBHOST": "paperless-mariadb-host",
-                    "PAPERLESS_DBPORT": "5555",
+                    "PAPERLESS_DBHOST": "mariahost",
+                    "PAPERLESS_DBNAME": "paperlessdb",
                     "PAPERLESS_DBUSER": "my-cool-user",
                     "PAPERLESS_DBPASS": "my-secure-password",
-                    "PAPERLESS_DB_OPTIONS": "ssl.ca=/path/to/ca.pem;ssl_mode=REQUIRED",
+                    "PAPERLESS_DB_OPTIONS": "ssl_mode=REQUIRED,ssl.ca=/path/to/ca.pem",
                 },
                 {
                     "default": {
                         "ENGINE": "django.db.backends.mysql",
-                        "HOST": "paperless-mariadb-host",
-                        "PORT": 5555,
-                        "NAME": "paperless",
+                        "HOST": "mariahost",
+                        "NAME": "paperlessdb",
                         "USER": "my-cool-user",
                         "PASSWORD": "my-secure-password",
                         "OPTIONS": {
@@ -479,6 +521,7 @@ class TestParseDbSettings:
                                 "cert": None,
                                 "key": None,
                             },
+                            "isolation_level": "read committed",
                         },
                     },
                 },
@@ -512,6 +555,7 @@ class TestParseDbSettings:
                                 "key": "/certs/client.key",
                             },
                             "connect_timeout": 25,
+                            "isolation_level": "read committed",
                         },
                     },
                 },
@@ -527,10 +571,8 @@ class TestParseDbSettings:
         expected_database_settings: dict[str, dict],
     ) -> None:
         """Test various database configurations with defaults and overrides."""
-        # Clear environment and set test vars
         mocker.patch.dict(os.environ, env_vars, clear=True)
 
-        # Update expected paths with actual tmp_path
         if (
             "default" in expected_database_settings
             and expected_database_settings["default"]["NAME"] is None

src/paperless/validators.py

@@ -1,6 +1,10 @@
+from io import BytesIO
+
+from django.conf import settings
 from django.core.exceptions import ValidationError
 from django.core.files.uploadedfile import UploadedFile
 from lxml import etree
+from PIL import Image
 
 ALLOWED_SVG_TAGS: set[str] = {
     # Basic shapes
@@ -254,3 +258,30 @@ def reject_dangerous_svg(file: UploadedFile) -> None:
                     raise ValidationError(
                         f"URI scheme not allowed in {attr_name}: must be #anchor, relative path, or data:image/*",
                     )
+
+
+def validate_raster_image(file: UploadedFile) -> None:
+    """
+    Validates that the uploaded file is a valid raster image (JPEG, PNG, etc.)
+    and does not exceed maximum pixel limits.
+    Raises ValidationError if the image is invalid or exceeds the allowed size.
+    """
+
+    file.seek(0)
+    image_data = file.read()
+    try:
+        with Image.open(BytesIO(image_data)) as image:
+            image.verify()
+
+            if (
+                settings.MAX_IMAGE_PIXELS is not None
+                and settings.MAX_IMAGE_PIXELS > 0
+                and image.width * image.height > settings.MAX_IMAGE_PIXELS
+            ):
+                raise ValidationError(
+                    "Uploaded logo exceeds the maximum allowed image size.",
+                )
+            if image.format is None:  # pragma: no cover
+                raise ValidationError("Invalid logo image.")
+    except (OSError, Image.DecompressionBombError) as e:
+        raise ValidationError("Invalid logo image.") from e

src/paperless/views.py

@@ -1,5 +1,6 @@
 from collections import OrderedDict
 from pathlib import Path
+from typing import Any
 
 from allauth.mfa import signals
 from allauth.mfa.adapter import get_adapter as get_mfa_adapter
@@ -114,7 +115,7 @@ class FaviconView(View):
             return HttpResponseNotFound("favicon.ico not found")
 
 
-class UserViewSet(ModelViewSet):
+class UserViewSet(ModelViewSet[User]):
     _BOOL_NOT_PROVIDED = object()
     model = User
 
@@ -216,7 +217,7 @@ class UserViewSet(ModelViewSet):
             return HttpResponseNotFound("TOTP not found")
 
 
-class GroupViewSet(ModelViewSet):
+class GroupViewSet(ModelViewSet[Group]):
     model = Group
 
     queryset = Group.objects.order_by(Lower("name"))
@@ -229,7 +230,7 @@ class GroupViewSet(ModelViewSet):
     ordering_fields = ("name",)
 
 
-class ProfileView(GenericAPIView):
+class ProfileView(GenericAPIView[Any]):
     """
     User profile view, only available when logged in
     """
@@ -288,7 +289,7 @@ class ProfileView(GenericAPIView):
         },
     ),
 )
-class TOTPView(GenericAPIView):
+class TOTPView(GenericAPIView[Any]):
     """
     TOTP views
     """
@@ -368,7 +369,7 @@ class TOTPView(GenericAPIView):
         },
     ),
 )
-class GenerateAuthTokenView(GenericAPIView):
+class GenerateAuthTokenView(GenericAPIView[Any]):
     """
     Generates (or re-generates) an auth token, requires a logged in user
     unlike the default DRF endpoint
@@ -397,7 +398,7 @@ class GenerateAuthTokenView(GenericAPIView):
         },
     ),
 )
-class ApplicationConfigurationViewSet(ModelViewSet):
+class ApplicationConfigurationViewSet(ModelViewSet[ApplicationConfiguration]):
     model = ApplicationConfiguration
 
     queryset = ApplicationConfiguration.objects
@@ -450,7 +451,7 @@ class ApplicationConfigurationViewSet(ModelViewSet):
         },
     ),
 )
-class DisconnectSocialAccountView(GenericAPIView):
+class DisconnectSocialAccountView(GenericAPIView[Any]):
     """
     Disconnects a social account provider from the user account
     """
@@ -476,7 +477,7 @@ class DisconnectSocialAccountView(GenericAPIView):
         },
     ),
 )
-class SocialAccountProvidersView(GenericAPIView):
+class SocialAccountProvidersView(GenericAPIView[Any]):
     """
     List of social account providers
     """

src/paperless_mail/serialisers.py

@@ -57,7 +57,7 @@ class MailAccountSerializer(OwnedObjectSerializer):
         return instance
 
 
-class AccountField(serializers.PrimaryKeyRelatedField):
+class AccountField(serializers.PrimaryKeyRelatedField[MailAccount]):
     def get_queryset(self):
         return MailAccount.objects.all().order_by("-id")
 

src/paperless_mail/views.py

@@ -1,6 +1,7 @@
 import datetime
 import logging
 from datetime import timedelta
+from typing import Any
 
 from django.http import HttpResponseBadRequest
 from django.http import HttpResponseForbidden
@@ -65,7 +66,7 @@ from paperless_mail.tasks import process_mail_accounts
         },
     ),
 )
-class MailAccountViewSet(ModelViewSet, PassUserMixin):
+class MailAccountViewSet(PassUserMixin, ModelViewSet[MailAccount]):
     model = MailAccount
 
     queryset = MailAccount.objects.all().order_by("pk")
@@ -159,7 +160,7 @@ class MailAccountViewSet(ModelViewSet, PassUserMixin):
         return Response({"result": "OK"})
 
 
-class ProcessedMailViewSet(ReadOnlyModelViewSet, PassUserMixin):
+class ProcessedMailViewSet(PassUserMixin, ReadOnlyModelViewSet[ProcessedMail]):
     permission_classes = (IsAuthenticated, PaperlessObjectPermissions)
     serializer_class = ProcessedMailSerializer
     pagination_class = StandardPagination
@@ -187,7 +188,7 @@ class ProcessedMailViewSet(ReadOnlyModelViewSet, PassUserMixin):
         return Response({"result": "OK", "deleted_mail_ids": mail_ids})
 
 
-class MailRuleViewSet(ModelViewSet, PassUserMixin):
+class MailRuleViewSet(PassUserMixin, ModelViewSet[MailRule]):
     model = MailRule
 
     queryset = MailRule.objects.all().order_by("order")
@@ -203,7 +204,7 @@ class MailRuleViewSet(ModelViewSet, PassUserMixin):
         responses={200: None},
     ),
 )
-class OauthCallbackView(GenericAPIView):
+class OauthCallbackView(GenericAPIView[Any]):
     permission_classes = (IsAuthenticated,)
 
     def get(self, request, format=None):