Docstrings

Security: validate and sanitize uploaded logos
Chore(deps): Bump the utilities-minor group with 19 updates (#12540 )
2026-04-10 18:18:50 +00:00 · 2026-04-10 11:17:46 -07:00 · 2026-04-10 10:27:42 -07:00 · 2026-04-08 15:09:42 -07:00 · 2026-04-08 14:01:39 -07:00 · 2026-04-08 13:46:05 -07:00
42 changed files with 1692 additions and 1901 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -164,6 +164,8 @@ updates:
    directory: "/" # Location of package manifests
    schedule:
      interval: "monthly"
+    cooldown:
+      default-days: 7
    groups:
      pre-commit-dependencies:
        patterns:
--- a/.github/workflows/ci-backend.yml
+++ b/.github/workflows/ci-backend.yml
@@ -30,10 +30,13 @@ jobs:
          persist-credentials: false
      - name: Decide run mode
        id: force
+        env:
+          EVENT_NAME: ${{ github.event_name }}
+          REF_NAME: ${{ github.ref_name }}
        run: |
-          if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
+          if [[ "${EVENT_NAME}" == "workflow_dispatch" ]]; then
            echo "run_all=true" >> "$GITHUB_OUTPUT"
-          elif [[ "${{ github.event_name }}" == "push" && ( "${{ github.ref_name }}" == "main" || "${{ github.ref_name }}" == "dev" ) ]]; then
+          elif [[ "${EVENT_NAME}" == "push" && ( "${REF_NAME}" == "main" || "${REF_NAME}" == "dev" ) ]]; then
            echo "run_all=true" >> "$GITHUB_OUTPUT"
          else
            echo "run_all=false" >> "$GITHUB_OUTPUT"
@@ -41,15 +44,22 @@ jobs:
      - name: Set diff range
        id: range
        if: steps.force.outputs.run_all != 'true'
+        env:
+          BEFORE_SHA: ${{ github.event.before }}
+          DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
+          EVENT_CREATED: ${{ github.event.created }}
+          EVENT_NAME: ${{ github.event_name }}
+          PR_BASE_SHA: ${{ github.event.pull_request.base.sha }}
+          SHA: ${{ github.sha }}
        run: |
-          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
-            echo "base=${{ github.event.pull_request.base.sha }}" >> "$GITHUB_OUTPUT"
-          elif [[ "${{ github.event.created }}" == "true" ]]; then
-            echo "base=${{ github.event.repository.default_branch }}" >> "$GITHUB_OUTPUT"
+          if [[ "${EVENT_NAME}" == "pull_request" ]]; then
+            echo "base=${PR_BASE_SHA}" >> "$GITHUB_OUTPUT"
+          elif [[ "${EVENT_CREATED}" == "true" ]]; then
+            echo "base=${DEFAULT_BRANCH}" >> "$GITHUB_OUTPUT"
          else
-            echo "base=${{ github.event.before }}" >> "$GITHUB_OUTPUT"
+            echo "base=${BEFORE_SHA}" >> "$GITHUB_OUTPUT"
          fi
-          echo "ref=${{ github.sha }}" >> "$GITHUB_OUTPUT"
+          echo "ref=${SHA}" >> "$GITHUB_OUTPUT"
      - name: Detect changes
        id: filter
        if: steps.force.outputs.run_all != 'true'
@@ -90,7 +100,7 @@ jobs:
        with:
          python-version: "${{ matrix.python-version }}"
      - name: Install uv
-        uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1
+        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
        with:
          version: ${{ env.DEFAULT_UV_VERSION }}
          enable-cache: true
@@ -104,9 +114,11 @@ jobs:
        run: |
          sudo cp docker/rootfs/etc/ImageMagick-6/paperless-policy.xml /etc/ImageMagick-6/policy.xml
      - name: Install Python dependencies
+        env:
+          PYTHON_VERSION: ${{ steps.setup-python.outputs.python-version }}
        run: |
          uv sync \
-            --python ${{ steps.setup-python.outputs.python-version }} \
+            --python "${PYTHON_VERSION}" \
            --group testing \
            --frozen
      - name: List installed Python dependencies
@@ -114,26 +126,27 @@ jobs:
          uv pip list
      - name: Install NLTK data
        run: |
-          uv run python -m nltk.downloader punkt punkt_tab snowball_data stopwords -d ${{ env.NLTK_DATA }}
+          uv run python -m nltk.downloader punkt punkt_tab snowball_data stopwords -d "${NLTK_DATA}"
      - name: Run tests
        env:
          NLTK_DATA: ${{ env.NLTK_DATA }}
          PAPERLESS_CI_TEST: 1
+          PYTHON_VERSION: ${{ steps.setup-python.outputs.python-version }}
        run: |
          uv run \
-            --python ${{ steps.setup-python.outputs.python-version }} \
+            --python "${PYTHON_VERSION}" \
            --dev \
            --frozen \
            pytest
      - name: Upload test results to Codecov
        if: always()
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
+        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
        with:
          flags: backend-python-${{ matrix.python-version }}
          files: junit.xml
          report_type: test_results
      - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
+        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
        with:
          flags: backend-python-${{ matrix.python-version }}
          files: coverage.xml
@@ -163,15 +176,17 @@ jobs:
        with:
          python-version: "${{ env.DEFAULT_PYTHON }}"
      - name: Install uv
-        uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1
+        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
        with:
          version: ${{ env.DEFAULT_UV_VERSION }}
          enable-cache: true
          python-version: ${{ steps.setup-python.outputs.python-version }}
      - name: Install Python dependencies
+        env:
+          PYTHON_VERSION: ${{ steps.setup-python.outputs.python-version }}
        run: |
          uv sync \
-            --python ${{ steps.setup-python.outputs.python-version }} \
+            --python "${PYTHON_VERSION}" \
            --group testing \
            --group typing \
            --frozen
@@ -207,19 +222,23 @@ jobs:
    runs-on: ubuntu-slim
    steps:
      - name: Check gate
+        env:
+          BACKEND_CHANGED: ${{ needs.changes.outputs.backend_changed }}
+          TEST_RESULT: ${{ needs.test.result }}
+          TYPING_RESULT: ${{ needs.typing.result }}
        run: |
-          if [[ "${{ needs.changes.outputs.backend_changed }}" != "true" ]]; then
+          if [[ "${BACKEND_CHANGED}" != "true" ]]; then
            echo "No backend-relevant changes detected."
            exit 0
          fi

-          if [[ "${{ needs.test.result }}" != "success" ]]; then
-            echo "::error::Backend test job result: ${{ needs.test.result }}"
+          if [[ "${TEST_RESULT}" != "success" ]]; then
+            echo "::error::Backend test job result: ${TEST_RESULT}"
            exit 1
          fi

-          if [[ "${{ needs.typing.result }}" != "success" ]]; then
-            echo "::error::Backend typing job result: ${{ needs.typing.result }}"
+          if [[ "${TYPING_RESULT}" != "success" ]]; then
+            echo "::error::Backend typing job result: ${TYPING_RESULT}"
            exit 1
          fi

--- a/.github/workflows/ci-docker.yml
+++ b/.github/workflows/ci-docker.yml
@@ -166,6 +166,7 @@ jobs:
    runs-on: ubuntu-24.04
    needs: build-arch
    if: needs.build-arch.outputs.should-push == 'true'
+    environment: image-publishing
    permissions:
      contents: read
      packages: write
--- a/.github/workflows/ci-docs.yml
+++ b/.github/workflows/ci-docs.yml
@@ -78,7 +78,7 @@ jobs:
        with:
          python-version: ${{ env.DEFAULT_PYTHON_VERSION }}
      - name: Install uv
-        uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1
+        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
        with:
          version: ${{ env.DEFAULT_UV_VERSION }}
          enable-cache: true
--- a/.github/workflows/ci-frontend.yml
+++ b/.github/workflows/ci-frontend.yml
@@ -27,10 +27,13 @@ jobs:
          persist-credentials: false
      - name: Decide run mode
        id: force
+        env:
+          EVENT_NAME: ${{ github.event_name }}
+          REF_NAME: ${{ github.ref_name }}
        run: |
-          if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
+          if [[ "${EVENT_NAME}" == "workflow_dispatch" ]]; then
            echo "run_all=true" >> "$GITHUB_OUTPUT"
-          elif [[ "${{ github.event_name }}" == "push" && ( "${{ github.ref_name }}" == "main" || "${{ github.ref_name }}" == "dev" ) ]]; then
+          elif [[ "${EVENT_NAME}" == "push" && ( "${REF_NAME}" == "main" || "${REF_NAME}" == "dev" ) ]]; then
            echo "run_all=true" >> "$GITHUB_OUTPUT"
          else
            echo "run_all=false" >> "$GITHUB_OUTPUT"
@@ -38,15 +41,22 @@ jobs:
      - name: Set diff range
        id: range
        if: steps.force.outputs.run_all != 'true'
+        env:
+          BEFORE_SHA: ${{ github.event.before }}
+          DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
+          EVENT_CREATED: ${{ github.event.created }}
+          EVENT_NAME: ${{ github.event_name }}
+          PR_BASE_SHA: ${{ github.event.pull_request.base.sha }}
+          SHA: ${{ github.sha }}
        run: |
-          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
-            echo "base=${{ github.event.pull_request.base.sha }}" >> "$GITHUB_OUTPUT"
-          elif [[ "${{ github.event.created }}" == "true" ]]; then
-            echo "base=${{ github.event.repository.default_branch }}" >> "$GITHUB_OUTPUT"
+          if [[ "${EVENT_NAME}" == "pull_request" ]]; then
+            echo "base=${PR_BASE_SHA}" >> "$GITHUB_OUTPUT"
+          elif [[ "${EVENT_CREATED}" == "true" ]]; then
+            echo "base=${DEFAULT_BRANCH}" >> "$GITHUB_OUTPUT"
          else
-            echo "base=${{ github.event.before }}" >> "$GITHUB_OUTPUT"
+            echo "base=${BEFORE_SHA}" >> "$GITHUB_OUTPUT"
          fi
-          echo "ref=${{ github.sha }}" >> "$GITHUB_OUTPUT"
+          echo "ref=${SHA}" >> "$GITHUB_OUTPUT"
      - name: Detect changes
        id: filter
        if: steps.force.outputs.run_all != 'true'
@@ -164,13 +174,13 @@ jobs:
        run: cd src-ui && pnpm run test --max-workers=2 --shard=${{ matrix.shard-index }}/${{ matrix.shard-count }}
      - name: Upload test results to Codecov
        if: always()
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
+        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
        with:
          flags: frontend-node-${{ matrix.node-version }}
          directory: src-ui/
          report_type: test_results
      - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
+        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
        with:
          flags: frontend-node-${{ matrix.node-version }}
          directory: src-ui/coverage/
@@ -181,7 +191,7 @@ jobs:
    runs-on: ubuntu-24.04
    permissions:
      contents: read
-    container: mcr.microsoft.com/playwright:v1.58.2-noble
+    container: mcr.microsoft.com/playwright:v1.59.0-noble
    env:
      PLAYWRIGHT_BROWSERS_PATH: /ms-playwright
      PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1
@@ -224,6 +234,7 @@ jobs:
    needs: [changes, unit-tests, e2e-tests]
    if: needs.changes.outputs.frontend_changed == 'true'
    runs-on: ubuntu-24.04
+    environment: bundle-analysis
    permissions:
      contents: read
    steps:
@@ -262,34 +273,41 @@ jobs:
    runs-on: ubuntu-slim
    steps:
      - name: Check gate
+        env:
+          BUNDLE_ANALYSIS_RESULT: ${{ needs['bundle-analysis'].result }}
+          E2E_RESULT: ${{ needs['e2e-tests'].result }}
+          FRONTEND_CHANGED: ${{ needs.changes.outputs.frontend_changed }}
+          INSTALL_RESULT: ${{ needs['install-dependencies'].result }}
+          LINT_RESULT: ${{ needs.lint.result }}
+          UNIT_RESULT: ${{ needs['unit-tests'].result }}
        run: |
-          if [[ "${{ needs.changes.outputs.frontend_changed }}" != "true" ]]; then
+          if [[ "${FRONTEND_CHANGED}" != "true" ]]; then
            echo "No frontend-relevant changes detected."
            exit 0
          fi

-          if [[ "${{ needs['install-dependencies'].result }}" != "success" ]]; then
-            echo "::error::Frontend install job result: ${{ needs['install-dependencies'].result }}"
+          if [[ "${INSTALL_RESULT}" != "success" ]]; then
+            echo "::error::Frontend install job result: ${INSTALL_RESULT}"
            exit 1
          fi

-          if [[ "${{ needs.lint.result }}" != "success" ]]; then
-            echo "::error::Frontend lint job result: ${{ needs.lint.result }}"
+          if [[ "${LINT_RESULT}" != "success" ]]; then
+            echo "::error::Frontend lint job result: ${LINT_RESULT}"
            exit 1
          fi

-          if [[ "${{ needs['unit-tests'].result }}" != "success" ]]; then
-            echo "::error::Frontend unit-tests job result: ${{ needs['unit-tests'].result }}"
+          if [[ "${UNIT_RESULT}" != "success" ]]; then
+            echo "::error::Frontend unit-tests job result: ${UNIT_RESULT}"
            exit 1
          fi

-          if [[ "${{ needs['e2e-tests'].result }}" != "success" ]]; then
-            echo "::error::Frontend e2e-tests job result: ${{ needs['e2e-tests'].result }}"
+          if [[ "${E2E_RESULT}" != "success" ]]; then
+            echo "::error::Frontend e2e-tests job result: ${E2E_RESULT}"
            exit 1
          fi

-          if [[ "${{ needs['bundle-analysis'].result }}" != "success" ]]; then
-            echo "::error::Frontend bundle-analysis job result: ${{ needs['bundle-analysis'].result }}"
+          if [[ "${BUNDLE_ANALYSIS_RESULT}" != "success" ]]; then
+            echo "::error::Frontend bundle-analysis job result: ${BUNDLE_ANALYSIS_RESULT}"
            exit 1
          fi

--- a/.github/workflows/ci-release.yml
+++ b/.github/workflows/ci-release.yml
@@ -58,23 +58,27 @@ jobs:
        with:
          python-version: ${{ env.DEFAULT_PYTHON_VERSION }}
      - name: Install uv
-        uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1
+        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
        with:
          version: ${{ env.DEFAULT_UV_VERSION }}
          enable-cache: false
          python-version: ${{ steps.setup-python.outputs.python-version }}
      - name: Install Python dependencies
+        env:
+          PYTHON_VERSION: ${{ steps.setup-python.outputs.python-version }}
        run: |
-          uv sync --python ${{ steps.setup-python.outputs.python-version }} --dev --frozen
+          uv sync --python "${PYTHON_VERSION}" --dev --frozen
      - name: Install system dependencies
        run: |
          sudo apt-get update -qq
          sudo apt-get install -qq --no-install-recommends gettext liblept5
      # ---- Build Documentation ----
      - name: Build documentation
+        env:
+          PYTHON_VERSION: ${{ steps.setup-python.outputs.python-version }}
        run: |
          uv run \
-            --python ${{ steps.setup-python.outputs.python-version }} \
+            --python "${PYTHON_VERSION}" \
            --dev \
            --frozen \
            zensical build --clean
@@ -83,16 +87,20 @@ jobs:
        run: |
          uv export --quiet --no-dev --all-extras --format requirements-txt --output-file requirements.txt
      - name: Compile messages
+        env:
+          PYTHON_VERSION: ${{ steps.setup-python.outputs.python-version }}
        run: |
          cd src/
          uv run \
-            --python ${{ steps.setup-python.outputs.python-version }} \
+            --python "${PYTHON_VERSION}" \
            manage.py compilemessages
      - name: Collect static files
+        env:
+          PYTHON_VERSION: ${{ steps.setup-python.outputs.python-version }}
        run: |
          cd src/
          uv run \
-            --python ${{ steps.setup-python.outputs.python-version }} \
+            --python "${PYTHON_VERSION}" \
            manage.py collectstatic --no-input --clear
      - name: Assemble release package
        run: |
@@ -201,7 +209,7 @@ jobs:
        with:
          python-version: ${{ env.DEFAULT_PYTHON_VERSION }}
      - name: Install uv
-        uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1
+        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
        with:
          version: ${{ env.DEFAULT_UV_VERSION }}
          enable-cache: false
@@ -210,9 +218,13 @@ jobs:
        working-directory: docs
        env:
          CHANGELOG: ${{ needs.publish-release.outputs.changelog }}
+          PYTHON_VERSION: ${{ steps.setup-python.outputs.python-version }}
+          VERSION: ${{ needs.publish-release.outputs.version }}
        run: |
-          git branch ${{ needs.publish-release.outputs.version }}-changelog
-          git checkout ${{ needs.publish-release.outputs.version }}-changelog
+          branch_name="${VERSION}-changelog"
+
+          git branch "${branch_name}"
+          git checkout "${branch_name}"

          printf '# Changelog\n\n%s\n' "${CHANGELOG}" > changelog-new.md

@@ -227,24 +239,28 @@ jobs:
          mv changelog-new.md changelog.md

          uv run \
-            --python ${{ steps.setup-python.outputs.python-version }} \
+            --python "${PYTHON_VERSION}" \
            --dev \
            prek run --files changelog.md || true

          git config --global user.name "github-actions"
          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          git commit -am "Changelog ${{ needs.publish-release.outputs.version }} - GHA"
-          git push origin ${{ needs.publish-release.outputs.version }}-changelog
+          git commit -am "Changelog ${VERSION} - GHA"
+          git push origin "${branch_name}"
      - name: Create pull request
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        env:
+          VERSION: ${{ needs.publish-release.outputs.version }}
        with:
          script: |
            const { repo, owner } = context.repo;
+            const version = process.env.VERSION;
+            const head = `${version}-changelog`;
            const result = await github.rest.pulls.create({
-              title: 'Documentation: Add ${{ needs.publish-release.outputs.version }} changelog',
+              title: `Documentation: Add ${version} changelog`,
              owner,
              repo,
-              head: '${{ needs.publish-release.outputs.version }}-changelog',
+              head,
              base: 'main',
              body: 'This PR is auto-generated by CI.'
            });
--- a/.github/workflows/cleanup-tags.yml
+++ b/.github/workflows/cleanup-tags.yml
@@ -18,6 +18,7 @@ jobs:
    name: Cleanup Image Tags for ${{ matrix.primary-name }}
    if: github.repository_owner == 'paperless-ngx'
    runs-on: ubuntu-24.04
+    environment: registry-maintenance
    strategy:
      fail-fast: false
      matrix:
@@ -44,6 +45,7 @@ jobs:
    runs-on: ubuntu-24.04
    needs:
      - cleanup-images
+    environment: registry-maintenance
    strategy:
      fail-fast: false
      matrix:
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -39,7 +39,7 @@ jobs:
          persist-credentials: false
      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
-        uses: github/codeql-action/init@c793b717bc78562f491db7b0e93a3a178b099162 # v4.32.5
+        uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
        with:
          languages: ${{ matrix.language }}
          # If you wish to specify custom queries, you can do so here or in a config file.
@@ -47,4 +47,4 @@ jobs:
          # Prefix the list here with "+" to use these queries and those in the config file.
          # queries: ./path/to/local/query, your-org/your-repo/queries@main
      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@c793b717bc78562f491db7b0e93a3a178b099162 # v4.32.5
+        uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
--- a/.github/workflows/crowdin.yml
+++ b/.github/workflows/crowdin.yml
@@ -14,6 +14,7 @@ jobs:
    name: Crowdin Sync
    if: github.repository_owner == 'paperless-ngx'
    runs-on: ubuntu-24.04
+    environment: translation-sync
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -21,7 +22,7 @@ jobs:
          token: ${{ secrets.PNGX_BOT_PAT }}
          persist-credentials: false
      - name: crowdin action
-        uses: crowdin/github-action@8818ff65bfc4322384f983ea37e3926948c11745 # v2.15.0
+        uses: crowdin/github-action@7ca9c452bfe9197d3bb7fa83a4d7e2b0c9ae835d # v2.16.0
        with:
          upload_translations: false
          download_translations: true
--- a/.github/workflows/translate-strings.yml
+++ b/.github/workflows/translate-strings.yml
@@ -7,6 +7,7 @@ jobs:
  generate-translate-strings:
    name: Generate Translation Strings
    runs-on: ubuntu-latest
+    environment: translation-sync
    permissions:
      contents: write
    steps:
@@ -26,7 +27,7 @@ jobs:
          sudo apt-get update -qq
          sudo apt-get install -qq --no-install-recommends gettext
      - name: Install uv
-        uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1
+        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
        with:
          enable-cache: true
      - name: Install backend python dependencies
--- a/.github/zizmor.yml
+++ b/.github/zizmor.yml
@@ -3,54 +3,22 @@ rules:
    ignore:
      # github.event_name is a GitHub-internal constant (push/pull_request/etc.),
      # not attacker-controllable.
-      - ci-backend.yml:35
      - ci-docker.yml:74
      - ci-docs.yml:33
-      - ci-frontend.yml:32
      # github.event.repository.default_branch refers to the target repo's setting,
      # which only admins can change; not influenced by fork PR authors.
-      - ci-backend.yml:47
      - ci-docs.yml:45
-      - ci-frontend.yml:44
      # steps.setup-python.outputs.python-version is always a semver string (e.g. "3.12.0")
      # produced by actions/setup-python from a hardcoded env var input.
-      - ci-backend.yml:106
-      - ci-backend.yml:121
-      - ci-backend.yml:169
      - ci-docs.yml:88
      - ci-docs.yml:92
-      - ci-release.yml:69
-      - ci-release.yml:78
-      - ci-release.yml:90
-      - ci-release.yml:96
-      - ci-release.yml:229
      # needs.*.result is always one of: success/failure/cancelled/skipped.
-      - ci-backend.yml:211
-      - ci-backend.yml:212
-      - ci-backend.yml:216
      - ci-docs.yml:131
      - ci-docs.yml:132
-      - ci-frontend.yml:259
-      - ci-frontend.yml:260
-      - ci-frontend.yml:264
-      - ci-frontend.yml:269
-      - ci-frontend.yml:274
-      - ci-frontend.yml:279
      # needs.changes.outputs.* is always "true" or "false".
-      - ci-backend.yml:206
      - ci-docs.yml:126
-      - ci-frontend.yml:254
      # steps.build.outputs.digest is always a SHA256 digest (sha256:[a-f0-9]{64}).
      - ci-docker.yml:152
-      # needs.publish-release.outputs.version is the git tag name (e.g. v2.14.0);
-      # only maintainers can push tags upstream, and the tag pattern excludes
-      # shell metacharacters. Used in git commands and github-script JS, not eval.
-      - ci-release.yml:215
-      - ci-release.yml:216
-      - ci-release.yml:231
-      - ci-release.yml:237
-      - ci-release.yml:245
-      - ci-release.yml:248
  dangerous-triggers:
    ignore:
      # Both workflows use pull_request_target solely to label/comment on fork PRs
--- a/docs/usage.md
+++ b/docs/usage.md
@@ -398,25 +398,27 @@ Global permissions define what areas of the app and API endpoints users can acce
 determine if a user can create, edit, delete or view _any_ documents, but individual documents themselves
 still have "object-level" permissions.

-| Type          | Details                                                                                                                                                                                                                         |
-| ------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| AppConfig     | _Change_ or higher permissions grants access to the "Application Configuration" area.                                                                                                                                           |
-| Correspondent | Add, edit, delete or view Correspondents.                                                                                                                                                                                       |
-| CustomField   | Add, edit, delete or view Custom Fields.                                                                                                                                                                                        |
-| Document      | Add, edit, delete or view Documents.                                                                                                                                                                                            |
-| DocumentType  | Add, edit, delete or view Document Types.                                                                                                                                                                                       |
-| Group         | Add, edit, delete or view Groups.                                                                                                                                                                                               |
-| MailAccount   | Add, edit, delete or view Mail Accounts.                                                                                                                                                                                        |
-| MailRule      | Add, edit, delete or view Mail Rules.                                                                                                                                                                                           |
-| Note          | Add, edit, delete or view Notes.                                                                                                                                                                                                |
-| PaperlessTask | View or dismiss (_Change_) File Tasks.                                                                                                                                                                                          |
-| SavedView     | Add, edit, delete or view Saved Views.                                                                                                                                                                                          |
-| ShareLink     | Add, delete or view Share Links.                                                                                                                                                                                                |
-| StoragePath   | Add, edit, delete or view Storage Paths.                                                                                                                                                                                        |
-| Tag           | Add, edit, delete or view Tags.                                                                                                                                                                                                 |
-| UISettings    | Add, edit, delete or view the UI settings that are used by the web app.<br/>:warning: **Users that will access the web UI must be granted at least _View_ permissions.**                                                        |
-| User          | Add, edit, delete or view Users.                                                                                                                                                                                                |
-| Workflow      | Add, edit, delete or view Workflows.<br/>Note that Workflows are global; all users who can access workflows see the same set. Workflows have other permission implications — see [Workflow permissions](#workflow-permissions). |
+| Type             | Details                                                                                                                                                                                                                         |
+| ---------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| AppConfig        | _Change_ or higher permissions grants access to the "Application Configuration" area.                                                                                                                                           |
+| Correspondent    | Add, edit, delete or view Correspondents.                                                                                                                                                                                       |
+| CustomField      | Add, edit, delete or view Custom Fields.                                                                                                                                                                                        |
+| Document         | Add, edit, delete or view Documents.                                                                                                                                                                                            |
+| DocumentType     | Add, edit, delete or view Document Types.                                                                                                                                                                                       |
+| Group            | Add, edit, delete or view Groups.                                                                                                                                                                                               |
+| GlobalStatistics | View aggregate object counts and statistics. This does not grant access to view individual documents.                                                                                                                           |
+| MailAccount      | Add, edit, delete or view Mail Accounts.                                                                                                                                                                                        |
+| MailRule         | Add, edit, delete or view Mail Rules.                                                                                                                                                                                           |
+| Note             | Add, edit, delete or view Notes.                                                                                                                                                                                                |
+| PaperlessTask    | View or dismiss (_Change_) File Tasks.                                                                                                                                                                                          |
+| SavedView        | Add, edit, delete or view Saved Views.                                                                                                                                                                                          |
+| ShareLink        | Add, delete or view Share Links.                                                                                                                                                                                                |
+| StoragePath      | Add, edit, delete or view Storage Paths.                                                                                                                                                                                        |
+| SystemStatus     | View the system status dialog and corresponding API endpoint. Admin users also retain system status access.                                                                                                                     |
+| Tag              | Add, edit, delete or view Tags.                                                                                                                                                                                                 |
+| UISettings       | Add, edit, delete or view the UI settings that are used by the web app.<br/>:warning: **Users that will access the web UI must be granted at least _View_ permissions.**                                                        |
+| User             | Add, edit, delete or view Users.                                                                                                                                                                                                |
+| Workflow         | Add, edit, delete or view Workflows.<br/>Note that Workflows are global; all users who can access workflows see the same set. Workflows have other permission implications — see [Workflow permissions](#workflow-permissions). |

 #### Detailed Explanation of Object Permissions {#object-permissions}

--- a/pyproject.toml
+++ b/pyproject.toml
@@ -41,7 +41,7 @@ dependencies = [
  "djangorestframework~=3.16",
  "djangorestframework-guardian~=0.4.0",
  "drf-spectacular~=0.28",
-  "drf-spectacular-sidecar~=2026.3.1",
+  "drf-spectacular-sidecar~=2026.4.1",
  "drf-writable-nested~=0.7.1",
  "faiss-cpu>=1.10",
  "filelock~=3.25.2",
@@ -76,7 +76,7 @@ dependencies = [
  "setproctitle~=1.3.4",
  "tantivy>=0.25.1",
  "tika-client~=0.11.0",
-  "torch~=2.10.0",
+  "torch~=2.11.0",
  "watchfiles>=1.1.1",
  "whitenoise~=6.11",
  "zxing-cpp~=3.0.0",
@@ -111,12 +111,12 @@ lint = [
 testing = [
  "daphne",
  "factory-boy~=3.3.1",
-  "faker~=40.8.0",
+  "faker~=40.12.0",
  "imagehash",
  "pytest~=9.0.0",
-  "pytest-cov~=7.0.0",
+  "pytest-cov~=7.1.0",
  "pytest-django~=4.12.0",
-  "pytest-env~=1.5.0",
+  "pytest-env~=1.6.0",
  "pytest-httpx",
  "pytest-mock~=3.15.1",
  # "pytest-randomly~=4.0.1",
--- a/src-ui/messages.xlf
+++ b/src-ui/messages.xlf
@@ -316,11 +316,11 @@
        </context-group>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">193</context>
+          <context context-type="linenumber">195</context>
        </context-group>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">197</context>
+          <context context-type="linenumber">199</context>
        </context-group>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/app-frame/app-frame.component.html</context>
@@ -518,7 +518,7 @@
        </context-group>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">136</context>
+          <context context-type="linenumber">138</context>
        </context-group>
      </trans-unit>
      <trans-unit id="2180291763949669799" datatype="html">
@@ -540,7 +540,7 @@
        </context-group>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">399</context>
+          <context context-type="linenumber">401</context>
        </context-group>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/common/confirm-dialog/confirm-dialog.component.ts</context>
@@ -615,7 +615,7 @@
        </context-group>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">400</context>
+          <context context-type="linenumber">402</context>
        </context-group>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/common/edit-dialog/correspondent-edit-dialog/correspondent-edit-dialog.component.html</context>
@@ -922,126 +922,126 @@
        <source>Open Django Admin</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">30</context>
+          <context context-type="linenumber">32</context>
        </context-group>
      </trans-unit>
      <trans-unit id="6439365426343089851" datatype="html">
        <source>General</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">40</context>
+          <context context-type="linenumber">42</context>
        </context-group>
      </trans-unit>
      <trans-unit id="8671234314555525900" datatype="html">
        <source>Appearance</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">44</context>
+          <context context-type="linenumber">46</context>
        </context-group>
      </trans-unit>
      <trans-unit id="3777637051272512093" datatype="html">
        <source>Display language</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">47</context>
+          <context context-type="linenumber">49</context>
        </context-group>
      </trans-unit>
      <trans-unit id="53523152145406584" datatype="html">
        <source>You need to reload the page after applying a new language.</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">60</context>
+          <context context-type="linenumber">62</context>
        </context-group>
      </trans-unit>
      <trans-unit id="3766032098416558788" datatype="html">
        <source>Date display</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">68</context>
+          <context context-type="linenumber">70</context>
        </context-group>
      </trans-unit>
      <trans-unit id="3733378544613473393" datatype="html">
        <source>Date format</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">85</context>
+          <context context-type="linenumber">87</context>
        </context-group>
      </trans-unit>
      <trans-unit id="3407788781115661841" datatype="html">
        <source>Short: <x id="INTERPOLATION" equiv-text="{{today | customDate:&apos;shortDate&apos;:null:computedDateLocale}}"/></source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">91,92</context>
+          <context context-type="linenumber">93,94</context>
        </context-group>
      </trans-unit>
      <trans-unit id="6290748171049664628" datatype="html">
        <source>Medium: <x id="INTERPOLATION" equiv-text="{{today | customDate:&apos;mediumDate&apos;:null:computedDateLocale}}"/></source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">95,96</context>
+          <context context-type="linenumber">97,98</context>
        </context-group>
      </trans-unit>
      <trans-unit id="7189855711197998347" datatype="html">
        <source>Long: <x id="INTERPOLATION" equiv-text="{{today | customDate:&apos;longDate&apos;:null:computedDateLocale}}"/></source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">99,100</context>
+          <context context-type="linenumber">101,102</context>
        </context-group>
      </trans-unit>
      <trans-unit id="3982403428275430291" datatype="html">
        <source>Sidebar</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">107</context>
+          <context context-type="linenumber">109</context>
        </context-group>
      </trans-unit>
      <trans-unit id="4608457133854405683" datatype="html">
        <source>Use &apos;slim&apos; sidebar (icons only)</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">111</context>
+          <context context-type="linenumber">113</context>
        </context-group>
      </trans-unit>
      <trans-unit id="1356890996281769972" datatype="html">
        <source>Dark mode</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">118</context>
+          <context context-type="linenumber">120</context>
        </context-group>
      </trans-unit>
      <trans-unit id="4913823100518391922" datatype="html">
        <source>Use system settings</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">121</context>
+          <context context-type="linenumber">123</context>
        </context-group>
      </trans-unit>
      <trans-unit id="5782828784040423650" datatype="html">
        <source>Enable dark mode</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">122</context>
+          <context context-type="linenumber">124</context>
        </context-group>
      </trans-unit>
      <trans-unit id="6336642923114460405" datatype="html">
        <source>Invert thumbnails in dark mode</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">123</context>
+          <context context-type="linenumber">125</context>
        </context-group>
      </trans-unit>
      <trans-unit id="7983234071833154796" datatype="html">
        <source>Theme Color</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">129</context>
+          <context context-type="linenumber">131</context>
        </context-group>
      </trans-unit>
      <trans-unit id="6760166989231109310" datatype="html">
        <source>Global search</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">142</context>
+          <context context-type="linenumber">144</context>
        </context-group>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/app-frame/global-search/global-search.component.ts</context>
@@ -1052,28 +1052,28 @@
        <source>Do not include advanced search results</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">145</context>
+          <context context-type="linenumber">147</context>
        </context-group>
      </trans-unit>
      <trans-unit id="3969258421469113318" datatype="html">
        <source>Full search links to</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">151</context>
+          <context context-type="linenumber">153</context>
        </context-group>
      </trans-unit>
      <trans-unit id="6631288852577115923" datatype="html">
        <source>Title and content search</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">155</context>
+          <context context-type="linenumber">157</context>
        </context-group>
      </trans-unit>
      <trans-unit id="1010505078885609376" datatype="html">
        <source>Advanced search</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">156</context>
+          <context context-type="linenumber">158</context>
        </context-group>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/app-frame/global-search/global-search.component.html</context>
@@ -1088,21 +1088,21 @@
        <source>Update checking</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">161</context>
+          <context context-type="linenumber">163</context>
        </context-group>
      </trans-unit>
      <trans-unit id="5070799004079086984" datatype="html">
        <source>Enable update checking</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">164</context>
+          <context context-type="linenumber">166</context>
        </context-group>
      </trans-unit>
      <trans-unit id="5752465522295465624" datatype="html">
        <source>What&apos;s this?</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">165</context>
+          <context context-type="linenumber">167</context>
        </context-group>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/common/page-header/page-header.component.html</context>
@@ -1121,21 +1121,21 @@
        <source> Update checking works by pinging the public GitHub API for the latest release to determine whether a new version is available. Actual updating of the app must still be performed manually. </source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">169,171</context>
+          <context context-type="linenumber">171,173</context>
        </context-group>
      </trans-unit>
      <trans-unit id="8416061320800650487" datatype="html">
        <source>No tracking data is collected by the app in any way.</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">173</context>
+          <context context-type="linenumber">175</context>
        </context-group>
      </trans-unit>
      <trans-unit id="5775451530782446954" datatype="html">
        <source>Saved Views</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">179</context>
+          <context context-type="linenumber">181</context>
        </context-group>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/app-frame/app-frame.component.html</context>
@@ -1154,126 +1154,126 @@
        <source>Show warning when closing saved views with unsaved changes</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">182</context>
+          <context context-type="linenumber">184</context>
        </context-group>
      </trans-unit>
      <trans-unit id="4975481913502931184" datatype="html">
        <source>Show document counts in sidebar saved views</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">183</context>
+          <context context-type="linenumber">185</context>
        </context-group>
      </trans-unit>
      <trans-unit id="8939587804990976924" datatype="html">
        <source>Items per page</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">200</context>
+          <context context-type="linenumber">202</context>
        </context-group>
      </trans-unit>
      <trans-unit id="908152367861642592" datatype="html">
        <source>Document editing</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">212</context>
+          <context context-type="linenumber">214</context>
        </context-group>
      </trans-unit>
      <trans-unit id="6708098108196142028" datatype="html">
        <source>Use PDF viewer provided by the browser</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">215</context>
+          <context context-type="linenumber">217</context>
        </context-group>
      </trans-unit>
      <trans-unit id="9003921625412907981" datatype="html">
        <source>This is usually faster for displaying large PDF documents, but it might not work on some browsers.</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">215</context>
+          <context context-type="linenumber">217</context>
        </context-group>
      </trans-unit>
      <trans-unit id="2678648946508279627" datatype="html">
        <source>Default zoom</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">221</context>
+          <context context-type="linenumber">223</context>
        </context-group>
      </trans-unit>
      <trans-unit id="2222784219255971268" datatype="html">
        <source>Fit width</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">225</context>
+          <context context-type="linenumber">227</context>
        </context-group>
      </trans-unit>
      <trans-unit id="8409221133589393872" datatype="html">
        <source>Fit page</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">226</context>
+          <context context-type="linenumber">228</context>
        </context-group>
      </trans-unit>
      <trans-unit id="7019985100624067992" datatype="html">
        <source>Only applies to the Paperless-ngx PDF viewer.</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">228</context>
+          <context context-type="linenumber">230</context>
        </context-group>
      </trans-unit>
      <trans-unit id="2959590948110714366" datatype="html">
        <source>Automatically remove inbox tag(s) on save</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">234</context>
+          <context context-type="linenumber">236</context>
        </context-group>
      </trans-unit>
      <trans-unit id="8793267604636304297" datatype="html">
        <source>Show document thumbnail during loading</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">240</context>
+          <context context-type="linenumber">242</context>
        </context-group>
      </trans-unit>
      <trans-unit id="1783600598811723080" datatype="html">
        <source>Built-in fields to show:</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">246</context>
+          <context context-type="linenumber">248</context>
        </context-group>
      </trans-unit>
      <trans-unit id="3467966318201103991" datatype="html">
        <source>Uncheck fields to hide them on the document details page.</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">258</context>
+          <context context-type="linenumber">260</context>
        </context-group>
      </trans-unit>
      <trans-unit id="8508424367627989968" datatype="html">
        <source>Bulk editing</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">264</context>
+          <context context-type="linenumber">266</context>
        </context-group>
      </trans-unit>
      <trans-unit id="8158899674926420054" datatype="html">
        <source>Show confirmation dialogs</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">267</context>
+          <context context-type="linenumber">269</context>
        </context-group>
      </trans-unit>
      <trans-unit id="290238406234356122" datatype="html">
        <source>Apply on close</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">268</context>
+          <context context-type="linenumber">270</context>
        </context-group>
      </trans-unit>
      <trans-unit id="5084275925647254161" datatype="html">
        <source>PDF Editor</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">272</context>
+          <context context-type="linenumber">274</context>
        </context-group>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/document-detail/document-detail.component.html</context>
@@ -1288,14 +1288,14 @@
        <source>Default editing mode</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">275</context>
+          <context context-type="linenumber">277</context>
        </context-group>
      </trans-unit>
      <trans-unit id="7273640930165035289" datatype="html">
        <source>Create new document(s)</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">279</context>
+          <context context-type="linenumber">281</context>
        </context-group>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/common/pdf-editor/pdf-editor.component.html</context>
@@ -1306,7 +1306,7 @@
        <source>Add document version</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">280</context>
+          <context context-type="linenumber">282</context>
        </context-group>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/common/pdf-editor/pdf-editor.component.html</context>
@@ -1317,7 +1317,7 @@
        <source>Notes</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">285</context>
+          <context context-type="linenumber">287</context>
        </context-group>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/document-list/document-list.component.html</context>
@@ -1336,14 +1336,14 @@
        <source>Enable notes</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">288</context>
+          <context context-type="linenumber">290</context>
        </context-group>
      </trans-unit>
      <trans-unit id="7314814725704332646" datatype="html">
        <source>Permissions</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">297</context>
+          <context context-type="linenumber">299</context>
        </context-group>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/common/edit-dialog/group-edit-dialog/group-edit-dialog.component.html</context>
@@ -1394,28 +1394,28 @@
        <source>Default Permissions</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">300</context>
+          <context context-type="linenumber">302</context>
        </context-group>
      </trans-unit>
      <trans-unit id="6544153565064275581" datatype="html">
        <source> Settings apply to this user account for objects (Tags, Mail Rules, etc. but not documents) created via the web UI. </source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">304,306</context>
+          <context context-type="linenumber">306,308</context>
        </context-group>
      </trans-unit>
      <trans-unit id="4292903881380648974" datatype="html">
        <source>Default Owner</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">311</context>
+          <context context-type="linenumber">313</context>
        </context-group>
      </trans-unit>
      <trans-unit id="734147282056744882" datatype="html">
        <source>Objects without an owner can be viewed and edited by all users</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">315</context>
+          <context context-type="linenumber">317</context>
        </context-group>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/common/input/permissions/permissions-form/permissions-form.component.html</context>
@@ -1426,18 +1426,18 @@
        <source>Default View Permissions</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">320</context>
+          <context context-type="linenumber">322</context>
        </context-group>
      </trans-unit>
      <trans-unit id="2191775412581217688" datatype="html">
        <source>Users:</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">325</context>
+          <context context-type="linenumber">327</context>
        </context-group>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">352</context>
+          <context context-type="linenumber">354</context>
        </context-group>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/common/edit-dialog/workflow-edit-dialog/workflow-edit-dialog.component.html</context>
@@ -1468,11 +1468,11 @@
        <source>Groups:</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">335</context>
+          <context context-type="linenumber">337</context>
        </context-group>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">362</context>
+          <context context-type="linenumber">364</context>
        </context-group>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/common/edit-dialog/workflow-edit-dialog/workflow-edit-dialog.component.html</context>
@@ -1503,14 +1503,14 @@
        <source>Default Edit Permissions</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">347</context>
+          <context context-type="linenumber">349</context>
        </context-group>
      </trans-unit>
      <trans-unit id="3728984448750213892" datatype="html">
        <source>Edit permissions also grant viewing permissions</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">371</context>
+          <context context-type="linenumber">373</context>
        </context-group>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/common/edit-dialog/workflow-edit-dialog/workflow-edit-dialog.component.html</context>
@@ -1529,7 +1529,7 @@
        <source>Notifications</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">379</context>
+          <context context-type="linenumber">381</context>
        </context-group>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/app-frame/toasts-dropdown/toasts-dropdown.component.html</context>
@@ -1540,42 +1540,42 @@
        <source>Document processing</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">382</context>
+          <context context-type="linenumber">384</context>
        </context-group>
      </trans-unit>
      <trans-unit id="3656786776644872398" datatype="html">
        <source>Show notifications when new documents are detected</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">386</context>
+          <context context-type="linenumber">388</context>
        </context-group>
      </trans-unit>
      <trans-unit id="6057053428592387613" datatype="html">
        <source>Show notifications when document processing completes successfully</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">387</context>
+          <context context-type="linenumber">389</context>
        </context-group>
      </trans-unit>
      <trans-unit id="370315664367425513" datatype="html">
        <source>Show notifications when document processing fails</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">388</context>
+          <context context-type="linenumber">390</context>
        </context-group>
      </trans-unit>
      <trans-unit id="6838309441164918531" datatype="html">
        <source>Suppress notifications on dashboard</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">389</context>
+          <context context-type="linenumber">391</context>
        </context-group>
      </trans-unit>
      <trans-unit id="2741919327232918179" datatype="html">
        <source>This will suppress all messages about document processing status on the dashboard.</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/admin/settings/settings.component.html</context>
-          <context context-type="linenumber">389</context>
+          <context context-type="linenumber">391</context>
        </context-group>
      </trans-unit>
      <trans-unit id="6839066544204061364" datatype="html">
@@ -4800,8 +4800,8 @@
          <context context-type="linenumber">26</context>
        </context-group>
      </trans-unit>
-      <trans-unit id="8563400529811056364" datatype="html">
-        <source>Access logs, Django backend</source>
+      <trans-unit id="5409927574404161431" datatype="html">
+        <source>Access system status, logs, Django backend</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/common/edit-dialog/user-edit-dialog/user-edit-dialog.component.html</context>
          <context context-type="linenumber">26</context>
@@ -4814,8 +4814,8 @@
          <context context-type="linenumber">30</context>
        </context-group>
      </trans-unit>
-      <trans-unit id="1403759966357927756" datatype="html">
-        <source>(Grants all permissions and can view objects)</source>
+      <trans-unit id="5622335314381948156" datatype="html">
+        <source>Grants all permissions and can view all objects</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/common/edit-dialog/user-edit-dialog/user-edit-dialog.component.html</context>
          <context context-type="linenumber">30</context>
@@ -6198,7 +6198,7 @@
        <source>Inherited from group</source>
        <context-group purpose="location">
          <context context-type="sourcefile">src/app/components/common/permissions-select/permissions-select.component.ts</context>
-          <context context-type="linenumber">78</context>
+          <context context-type="linenumber">85</context>
        </context-group>
      </trans-unit>
      <trans-unit id="6418218602775540217" datatype="html">
--- a/src-ui/package.json
+++ b/src-ui/package.json
@@ -21,7 +21,7 @@
    "@angular/platform-browser-dynamic": "~21.2.6",
    "@angular/router": "~21.2.6",
    "@ng-bootstrap/ng-bootstrap": "^20.0.0",
-    "@ng-select/ng-select": "^21.5.2",
+    "@ng-select/ng-select": "^21.7.0",
    "@ngneat/dirty-check-forms": "^3.0.3",
    "@popperjs/core": "^2.11.8",
    "bootstrap": "^5.3.8",
@@ -32,7 +32,7 @@
    "ngx-cookie-service": "^21.3.1",
    "ngx-device-detector": "^11.0.0",
    "ngx-ui-tour-ng-bootstrap": "^18.0.0",
-    "pdfjs-dist": "^5.4.624",
+    "pdfjs-dist": "^5.6.205",
    "rxjs": "^7.8.2",
    "tslib": "^2.8.1",
    "utif": "^3.1.0",
@@ -42,28 +42,28 @@
  "devDependencies": {
    "@angular-builders/custom-webpack": "^21.0.3",
    "@angular-builders/jest": "^21.0.3",
-    "@angular-devkit/core": "^21.2.3",
-    "@angular-devkit/schematics": "^21.2.3",
+    "@angular-devkit/core": "^21.2.6",
+    "@angular-devkit/schematics": "^21.2.6",
    "@angular-eslint/builder": "21.3.1",
    "@angular-eslint/eslint-plugin": "21.3.1",
    "@angular-eslint/eslint-plugin-template": "21.3.1",
    "@angular-eslint/schematics": "21.3.1",
    "@angular-eslint/template-parser": "21.3.1",
-    "@angular/build": "^21.2.3",
-    "@angular/cli": "~21.2.3",
+    "@angular/build": "^21.2.6",
+    "@angular/cli": "~21.2.6",
    "@angular/compiler-cli": "~21.2.6",
    "@codecov/webpack-plugin": "^1.9.1",
-    "@playwright/test": "^1.58.2",
+    "@playwright/test": "^1.59.0",
    "@types/jest": "^30.0.0",
    "@types/node": "^25.5.0",
-    "@typescript-eslint/eslint-plugin": "^8.57.2",
-    "@typescript-eslint/parser": "^8.57.2",
-    "@typescript-eslint/utils": "^8.57.2",
+    "@typescript-eslint/eslint-plugin": "^8.58.0",
+    "@typescript-eslint/parser": "^8.58.0",
+    "@typescript-eslint/utils": "^8.58.0",
    "eslint": "^10.1.0",
    "jest": "30.3.0",
    "jest-environment-jsdom": "^30.3.0",
    "jest-junit": "^16.0.0",
-    "jest-preset-angular": "^16.1.1",
+    "jest-preset-angular": "^16.1.2",
    "jest-websocket-mock": "^2.5.0",
    "prettier-plugin-organize-imports": "^4.3.0",
    "ts-node": "~10.9.1",
--- a/src-ui/pnpm-lock.yaml
+++ b/src-ui/pnpm-lock.yaml
--- a/src-ui/src/app/components/admin/settings/settings.component.html
+++ b/src-ui/src/app/components/admin/settings/settings.component.html
@@ -7,7 +7,7 @@
  <button class="btn btn-sm btn-outline-primary" (click)="tourService.start()">
    <i-bs class="me-2" name="airplane"></i-bs><ng-container i18n>Start tour</ng-container>
  </button>
-  @if (permissionsService.isAdmin()) {
+  @if (canViewSystemStatus) {
    <button class="btn btn-sm btn-outline-primary position-relative ms-md-5 me-1" (click)="showSystemStatus()"
      [disabled]="!systemStatus">
      @if (!systemStatus) {
@@ -26,6 +26,8 @@
      }
      <ng-container i18n>System Status</ng-container>
    </button>
+  }
+  @if (permissionsService.isAdmin()) {
    <a class="btn btn-sm btn-primary" href="admin/" target="_blank">
      <ng-container i18n>Open Django Admin</ng-container>
      <i-bs class="ms-2" name="arrow-up-right"></i-bs>
--- a/src-ui/src/app/components/admin/settings/settings.component.spec.ts
+++ b/src-ui/src/app/components/admin/settings/settings.component.spec.ts
@@ -29,7 +29,11 @@ import { IfOwnerDirective } from 'src/app/directives/if-owner.directive'
 import { IfPermissionsDirective } from 'src/app/directives/if-permissions.directive'
 import { PermissionsGuard } from 'src/app/guards/permissions.guard'
 import { CustomDatePipe } from 'src/app/pipes/custom-date.pipe'
-import { PermissionsService } from 'src/app/services/permissions.service'
+import {
+  PermissionAction,
+  PermissionType,
+  PermissionsService,
+} from 'src/app/services/permissions.service'
 import { GroupService } from 'src/app/services/rest/group.service'
 import { SavedViewService } from 'src/app/services/rest/saved-view.service'
 import { UserService } from 'src/app/services/rest/user.service'
@@ -328,7 +332,13 @@ describe('SettingsComponent', () => {

  it('should load system status on initialize, show errors if needed', () => {
    jest.spyOn(systemStatusService, 'get').mockReturnValue(of(status))
-    jest.spyOn(permissionsService, 'isAdmin').mockReturnValue(true)
+    jest
+      .spyOn(permissionsService, 'currentUserCan')
+      .mockImplementation(
+        (action, type) =>
+          action === PermissionAction.View &&
+          type === PermissionType.SystemStatus
+      )
    completeSetup()
    expect(component['systemStatus']).toEqual(status) // private
    expect(component.systemStatusHasErrors).toBeTruthy()
@@ -344,7 +354,13 @@ describe('SettingsComponent', () => {
  it('should open system status dialog', () => {
    const modalOpenSpy = jest.spyOn(modalService, 'open')
    jest.spyOn(systemStatusService, 'get').mockReturnValue(of(status))
-    jest.spyOn(permissionsService, 'isAdmin').mockReturnValue(true)
+    jest
+      .spyOn(permissionsService, 'currentUserCan')
+      .mockImplementation(
+        (action, type) =>
+          action === PermissionAction.View &&
+          type === PermissionType.SystemStatus
+      )
    completeSetup()
    component.showSystemStatus()
    expect(modalOpenSpy).toHaveBeenCalledWith(SystemStatusDialogComponent, {
--- a/src-ui/src/app/components/admin/settings/settings.component.ts
+++ b/src-ui/src/app/components/admin/settings/settings.component.ts
@@ -429,7 +429,7 @@ export class SettingsComponent
      this.settingsForm.patchValue(currentFormValue)
    }

-    if (this.permissionsService.isAdmin()) {
+    if (this.canViewSystemStatus) {
      this.systemStatusService.get().subscribe((status) => {
        this.systemStatus = status
      })
@@ -647,6 +647,16 @@ export class SettingsComponent
      .setValue(Array.from(hiddenFields))
  }

+  public get canViewSystemStatus(): boolean {
+    return (
+      this.permissionsService.isAdmin() ||
+      this.permissionsService.currentUserCan(
+        PermissionAction.View,
+        PermissionType.SystemStatus
+      )
+    )
+  }
+
  showSystemStatus() {
    const modal: NgbModalRef = this.modalService.open(
      SystemStatusDialogComponent,
--- a/src-ui/src/app/components/common/edit-dialog/user-edit-dialog/user-edit-dialog.component.html
+++ b/src-ui/src/app/components/common/edit-dialog/user-edit-dialog/user-edit-dialog.component.html
@@ -23,11 +23,11 @@
            </div>
            <div class="form-check form-switch form-check-inline">
              <input type="checkbox" class="form-check-input" id="is_staff" formControlName="is_staff">
-              <label class="form-check-label" for="is_staff"><ng-container i18n>Admin</ng-container> <small class="form-text text-muted ms-1" i18n>Access logs, Django backend</small></label>
+              <label class="form-check-label" for="is_staff"><ng-container i18n>Admin</ng-container> <small class="form-text text-muted ms-1" i18n>Access system status, logs, Django backend</small></label>
            </div>
            <div class="form-check form-switch form-check-inline">
              <input type="checkbox" class="form-check-input" id="is_superuser" formControlName="is_superuser" (change)="onToggleSuperUser()">
-              <label class="form-check-label" for="is_superuser"><ng-container i18n>Superuser</ng-container> <small class="form-text text-muted ms-1" i18n>(Grants all permissions and can view objects)</small></label>
+              <label class="form-check-label" for="is_superuser"><ng-container i18n>Superuser</ng-container> <small class="form-text text-muted ms-1" i18n>Grants all permissions and can view all objects</small></label>
            </div>
          </div>

--- a/src-ui/src/app/components/common/permissions-select/permissions-select.component.html
+++ b/src-ui/src/app/components/common/permissions-select/permissions-select.component.html
@@ -26,8 +26,8 @@
          <input type="checkbox" class="form-check-input" id="{{type}}_all" (change)="toggleAll($event, type)" [checked]="typesWithAllActions.has(type) || isInherited(type)" [attr.disabled]="disabled || isInherited(type) ? true : null">
          <label class="form-check-label visually-hidden" for="{{type}}_all" i18n>All</label>
        </div>
-        @for (action of PermissionAction | keyvalue; track action) {
-          <div class="col form-check form-check-inline" [ngbPopover]="inheritedWarning" [disablePopover]="!isInherited(type, action.key)" placement="left" triggers="mouseenter:mouseleave">
+        @for (action of PermissionAction | keyvalue: sortActions; track action.key) {
+          <div class="col form-check form-check-inline" [class.invisible]="!isActionSupported(PermissionType[type], action.value)" [ngbPopover]="inheritedWarning" [disablePopover]="!isInherited(type, action.key)" placement="left" triggers="mouseenter:mouseleave">
            <input type="checkbox" class="form-check-input" id="{{type}}_{{action.key}}" formControlName="{{action.key}}">
            <label class="form-check-label visually-hidden" for="{{type}}_{{action.key}}">{{action.key}}</label>
          </div>
--- a/src-ui/src/app/components/common/permissions-select/permissions-select.component.spec.ts
+++ b/src-ui/src/app/components/common/permissions-select/permissions-select.component.spec.ts
@@ -26,7 +26,6 @@ const inheritedPermissions = ['change_tag', 'view_documenttype']
 describe('PermissionsSelectComponent', () => {
  let component: PermissionsSelectComponent
  let fixture: ComponentFixture<PermissionsSelectComponent>
-  let permissionsChangeResult: Permissions
  let settingsService: SettingsService

  beforeEach(async () => {
@@ -45,7 +44,7 @@ describe('PermissionsSelectComponent', () => {
    fixture = TestBed.createComponent(PermissionsSelectComponent)
    fixture.debugElement.injector.get(NG_VALUE_ACCESSOR)
    component = fixture.componentInstance
-    component.registerOnChange((r) => (permissionsChangeResult = r))
+    component.registerOnChange((r) => r)
    fixture.detectChanges()
  })

@@ -75,7 +74,6 @@ describe('PermissionsSelectComponent', () => {
  it('should update on permissions set', () => {
    component.ngOnInit()
    component.writeValue(permissions)
-    expect(permissionsChangeResult).toEqual(permissions)
    expect(component.typesWithAllActions).toContain('Document')
  })

@@ -92,13 +90,12 @@ describe('PermissionsSelectComponent', () => {
  it('disable checkboxes when permissions are inherited', () => {
    component.ngOnInit()
    component.inheritedPermissions = inheritedPermissions
+    fixture.detectChanges()
    expect(component.isInherited('Document', 'Add')).toBeFalsy()
    expect(component.isInherited('Document')).toBeFalsy()
    expect(component.isInherited('Tag', 'Change')).toBeTruthy()
-    const input1 = fixture.debugElement.query(By.css('input#Document_Add'))
-    expect(input1.nativeElement.disabled).toBeFalsy()
-    const input2 = fixture.debugElement.query(By.css('input#Tag_Change'))
-    expect(input2.nativeElement.disabled).toBeTruthy()
+    expect(component.form.get('Document').get('Add').disabled).toBeFalsy()
+    expect(component.form.get('Tag').get('Change').disabled).toBeTruthy()
  })

  it('should exclude history permissions if disabled', () => {
@@ -107,4 +104,60 @@ describe('PermissionsSelectComponent', () => {
    component = fixture.componentInstance
    expect(component.allowedTypes).not.toContain('History')
  })
+
+  it('should treat global statistics as view-only', () => {
+    component.ngOnInit()
+    fixture.detectChanges()
+
+    expect(
+      component.isActionSupported(
+        PermissionType.GlobalStatistics,
+        PermissionAction.View
+      )
+    ).toBeTruthy()
+    expect(
+      component.isActionSupported(
+        PermissionType.GlobalStatistics,
+        PermissionAction.Add
+      )
+    ).toBeFalsy()
+
+    const addInput = fixture.debugElement.query(
+      By.css('input#GlobalStatistics_Add')
+    )
+    const viewInput = fixture.debugElement.query(
+      By.css('input#GlobalStatistics_View')
+    )
+
+    expect(addInput.nativeElement.disabled).toBeTruthy()
+    expect(viewInput.nativeElement.disabled).toBeFalsy()
+  })
+
+  it('should treat system status as view-only', () => {
+    component.ngOnInit()
+    fixture.detectChanges()
+
+    expect(
+      component.isActionSupported(
+        PermissionType.SystemStatus,
+        PermissionAction.View
+      )
+    ).toBeTruthy()
+    expect(
+      component.isActionSupported(
+        PermissionType.SystemStatus,
+        PermissionAction.Change
+      )
+    ).toBeFalsy()
+
+    const changeInput = fixture.debugElement.query(
+      By.css('input#SystemStatus_Change')
+    )
+    const viewInput = fixture.debugElement.query(
+      By.css('input#SystemStatus_View')
+    )
+
+    expect(changeInput.nativeElement.disabled).toBeTruthy()
+    expect(viewInput.nativeElement.disabled).toBeFalsy()
+  })
 })
--- a/src-ui/src/app/components/common/permissions-select/permissions-select.component.ts
+++ b/src-ui/src/app/components/common/permissions-select/permissions-select.component.ts
@@ -1,4 +1,4 @@
-import { KeyValuePipe } from '@angular/common'
+import { KeyValue, KeyValuePipe } from '@angular/common'
 import { Component, forwardRef, inject, Input, OnInit } from '@angular/core'
 import {
  AbstractControl,
@@ -58,6 +58,13 @@ export class PermissionsSelectComponent

  typesWithAllActions: Set<string> = new Set()

+  private readonly actionOrder = [
+    PermissionAction.Add,
+    PermissionAction.Change,
+    PermissionAction.Delete,
+    PermissionAction.View,
+  ]
+
  _inheritedPermissions: string[] = []

  @Input()
@@ -86,7 +93,7 @@ export class PermissionsSelectComponent
    }
    this.allowedTypes.forEach((type) => {
      const control = new FormGroup({})
-      for (const action in PermissionAction) {
+      for (const action of Object.keys(PermissionAction)) {
        control.addControl(action, new FormControl(null))
      }
      this.form.addControl(type, control)
@@ -106,18 +113,14 @@ export class PermissionsSelectComponent
        this.permissionsService.getPermissionKeys(permissionStr)

      if (actionKey && typeKey) {
-        if (this.form.get(typeKey)?.get(actionKey)) {
-          this.form
-            .get(typeKey)
-            .get(actionKey)
-            .patchValue(true, { emitEvent: false })
-        }
+        this.form
+          .get(typeKey)
+          ?.get(actionKey)
+          ?.patchValue(true, { emitEvent: false })
      }
    })
    this.allowedTypes.forEach((type) => {
-      if (
-        Object.values(this.form.get(type).value).every((val) => val == true)
-      ) {
+      if (this.typeHasAllActionsSelected(type)) {
        this.typesWithAllActions.add(type)
      } else {
        this.typesWithAllActions.delete(type)
@@ -149,12 +152,16 @@ export class PermissionsSelectComponent
    this.form.valueChanges.subscribe((newValue) => {
      let permissions = []
      Object.entries(newValue).forEach(([typeKey, typeValue]) => {
-        // e.g. [Document, { Add: true, View: true ... }]
        const selectedActions = Object.entries(typeValue).filter(
-          ([actionKey, actionValue]) => actionValue == true
+          ([actionKey, actionValue]) =>
+            actionValue &&
+            this.isActionSupported(
+              PermissionType[typeKey],
+              PermissionAction[actionKey]
+            )
        )

-        selectedActions.forEach(([actionKey, actionValue]) => {
+        selectedActions.forEach(([actionKey]) => {
          permissions.push(
            (PermissionType[typeKey] as string).replace(
              '%s',
@@ -163,7 +170,7 @@ export class PermissionsSelectComponent
          )
        })

-        if (selectedActions.length == Object.entries(typeValue).length) {
+        if (this.typeHasAllActionsSelected(typeKey)) {
          this.typesWithAllActions.add(typeKey)
        } else {
          this.typesWithAllActions.delete(typeKey)
@@ -174,19 +181,23 @@ export class PermissionsSelectComponent
        permissions.filter((p) => !this._inheritedPermissions.includes(p))
      )
    })
+
+    this.updateDisabledStates()
  }

  toggleAll(event, type) {
    const typeGroup = this.form.get(type)
-    if (event.target.checked) {
-      Object.keys(PermissionAction).forEach((action) => {
-        typeGroup.get(action).patchValue(true)
+    Object.keys(PermissionAction)
+      .filter((action) =>
+        this.isActionSupported(PermissionType[type], PermissionAction[action])
+      )
+      .forEach((action) => {
+        typeGroup.get(action).patchValue(event.target.checked)
      })
+
+    if (this.typeHasAllActionsSelected(type)) {
      this.typesWithAllActions.add(type)
    } else {
-      Object.keys(PermissionAction).forEach((action) => {
-        typeGroup.get(action).patchValue(false)
-      })
      this.typesWithAllActions.delete(type)
    }
  }
@@ -201,14 +212,21 @@ export class PermissionsSelectComponent
        )
      )
    } else {
-      return Object.values(PermissionAction).every((action) => {
-        return this._inheritedPermissions.includes(
-          this.permissionsService.getPermissionCode(
-            action as PermissionAction,
-            PermissionType[typeKey]
+      return Object.keys(PermissionAction)
+        .filter((action) =>
+          this.isActionSupported(
+            PermissionType[typeKey],
+            PermissionAction[action]
          )
        )
-      })
+        .every((action) => {
+          return this._inheritedPermissions.includes(
+            this.permissionsService.getPermissionCode(
+              PermissionAction[action],
+              PermissionType[typeKey]
+            )
+          )
+        })
    }
  }

@@ -216,12 +234,55 @@ export class PermissionsSelectComponent
    this.allowedTypes.forEach((type) => {
      const control = this.form.get(type)
      let actionControl: AbstractControl
-      for (const action in PermissionAction) {
+      for (const action of Object.keys(PermissionAction)) {
        actionControl = control.get(action)
+        if (
+          !this.isActionSupported(
+            PermissionType[type],
+            PermissionAction[action]
+          )
+        ) {
+          actionControl.patchValue(false, { emitEvent: false })
+          actionControl.disable({ emitEvent: false })
+          continue
+        }
+
        this.isInherited(type, action) || this.disabled
-          ? actionControl.disable()
-          : actionControl.enable()
+          ? actionControl.disable({ emitEvent: false })
+          : actionControl.enable({ emitEvent: false })
      }
    })
  }
+
+  public isActionSupported(
+    type: PermissionType,
+    action: PermissionAction
+  ): boolean {
+    // Global statistics and system status only support view
+    if (
+      type === PermissionType.GlobalStatistics ||
+      type === PermissionType.SystemStatus
+    ) {
+      return action === PermissionAction.View
+    }
+
+    return true
+  }
+
+  private typeHasAllActionsSelected(typeKey: string): boolean {
+    return Object.keys(PermissionAction)
+      .filter((action) =>
+        this.isActionSupported(
+          PermissionType[typeKey],
+          PermissionAction[action]
+        )
+      )
+      .every((action) => !!this.form.get(typeKey)?.get(action)?.value)
+  }
+
+  public sortActions = (
+    a: KeyValue<string, PermissionAction>,
+    b: KeyValue<string, PermissionAction>
+  ): number =>
+    this.actionOrder.indexOf(a.value) - this.actionOrder.indexOf(b.value)
 }
--- a/src-ui/src/app/services/permissions.service.spec.ts
+++ b/src-ui/src/app/services/permissions.service.spec.ts
@@ -6,6 +6,11 @@ import {
  PermissionsService,
 } from './permissions.service'

+const VIEW_ONLY_PERMISSION_TYPES = new Set<PermissionType>([
+  PermissionType.GlobalStatistics,
+  PermissionType.SystemStatus,
+])
+
 describe('PermissionsService', () => {
  let permissionsService: PermissionsService

@@ -264,6 +269,8 @@ describe('PermissionsService', () => {
        'change_applicationconfiguration',
        'delete_applicationconfiguration',
        'view_applicationconfiguration',
+        'view_global_statistics',
+        'view_system_status',
      ],
      {
        username: 'testuser',
@@ -274,7 +281,10 @@ describe('PermissionsService', () => {

    Object.values(PermissionType).forEach((type) => {
      Object.values(PermissionAction).forEach((action) => {
-        expect(permissionsService.currentUserCan(action, type)).toBeTruthy()
+        expect(permissionsService.currentUserCan(action, type)).toBe(
+          !VIEW_ONLY_PERMISSION_TYPES.has(type) ||
+            action === PermissionAction.View
+        )
      })
    })

--- a/src-ui/src/app/services/permissions.service.ts
+++ b/src-ui/src/app/services/permissions.service.ts
@@ -29,6 +29,8 @@ export enum PermissionType {
  CustomField = '%s_customfield',
  Workflow = '%s_workflow',
  ProcessedMail = '%s_processedmail',
+  GlobalStatistics = '%s_global_statistics',
+  SystemStatus = '%s_system_status',
 }

@Injectable({
--- a/src-ui/src/app/utils/ngb-date-parser-formatter.spec.ts
+++ b/src-ui/src/app/utils/ngb-date-parser-formatter.spec.ts
@@ -73,7 +73,7 @@ describe('LocalizedDateParserFormatter', () => {

  it('should handle years when current year % 100 < 50', () => {
    jest.useFakeTimers()
-    jest.setSystemTime(new Date(2026, 5, 15))
+    jest.setSystemTime(new Date(2026, 5, 15).getTime())
    let val = dateParserFormatter.parse('5/4/26')
    expect(val).toEqual({ day: 4, month: 5, year: 2026 })

@@ -87,7 +87,7 @@ describe('LocalizedDateParserFormatter', () => {

  it('should handle years when current year % 100 >= 50', () => {
    jest.useFakeTimers()
-    jest.setSystemTime(new Date(2076, 5, 15))
+    jest.setSystemTime(new Date(2076, 5, 15).getTime())
    const val = dateParserFormatter.parse('5/4/00')
    expect(val).toEqual({ day: 4, month: 5, year: 2100 })
    jest.useRealTimers()
--- a/src/documents/classifier.py
+++ b/src/documents/classifier.py
@@ -11,6 +11,7 @@ from typing import TYPE_CHECKING

 if TYPE_CHECKING:
    from collections.abc import Callable
+    from collections.abc import Iterator
    from datetime import datetime

    from numpy import ndarray
@@ -18,7 +19,6 @@ if TYPE_CHECKING:
 from django.conf import settings
 from django.core.cache import cache
 from django.core.cache import caches
-from django.db.models import Max

 from documents.caching import CACHE_5_MINUTES
 from documents.caching import CACHE_50_MINUTES
@@ -99,8 +99,7 @@ class DocumentClassifier:
    # v8 - Added storage path classifier
    # v9 - Changed from hashing to time/ids for re-train check
    # v10 - HMAC-signed model file
-    # v11 - Added auto-label-set digest for fast skip without full document scan
-    FORMAT_VERSION = 11
+    FORMAT_VERSION = 10

    HMAC_SIZE = 32  # SHA-256 digest length

@@ -109,8 +108,6 @@ class DocumentClassifier:
        self.last_doc_change_time: datetime | None = None
        # Hash of primary keys of AUTO matching values last used in training
        self.last_auto_type_hash: bytes | None = None
-        # Digest of the set of all MATCH_AUTO label PKs (fast-skip guard)
-        self.last_auto_label_set_digest: bytes | None = None

        self.data_vectorizer = None
        self.data_vectorizer_hash = None
@@ -143,29 +140,6 @@ class DocumentClassifier:
            sha256,
        ).digest()

-    @staticmethod
-    def _compute_auto_label_set_digest() -> bytes:
-        """
-        Return a SHA-256 digest of all MATCH_AUTO label PKs across the four
-        label types.  Four cheap indexed queries; stable for any fixed set of
-        AUTO labels regardless of document assignments.
-        """
-        from documents.models import Correspondent
-        from documents.models import DocumentType
-        from documents.models import StoragePath
-        from documents.models import Tag
-
-        hasher = sha256()
-        for model in (Correspondent, DocumentType, Tag, StoragePath):
-            pks = sorted(
-                model.objects.filter(
-                    matching_algorithm=MatchingModel.MATCH_AUTO,
-                ).values_list("pk", flat=True),
-            )
-            for pk in pks:
-                hasher.update(pk.to_bytes(4, "little", signed=False))
-        return hasher.digest()
-
    def load(self) -> None:
        from sklearn.exceptions import InconsistentVersionWarning

@@ -187,7 +161,6 @@ class DocumentClassifier:
                    schema_version,
                    self.last_doc_change_time,
                    self.last_auto_type_hash,
-                    self.last_auto_label_set_digest,
                    self.data_vectorizer,
                    self.tags_binarizer,
                    self.tags_classifier,
@@ -229,7 +202,6 @@ class DocumentClassifier:
                self.FORMAT_VERSION,
                self.last_doc_change_time,
                self.last_auto_type_hash,
-                self.last_auto_label_set_digest,
                self.data_vectorizer,
                self.tags_binarizer,
                self.tags_classifier,
@@ -252,39 +224,6 @@ class DocumentClassifier:
    ) -> bool:
        notify = status_callback if status_callback is not None else lambda _: None

-        # Fast skip: avoid the expensive per-document label scan when nothing
-        # has changed.  Requires a prior training run to have populated both
-        # last_doc_change_time and last_auto_label_set_digest.
-        if (
-            self.last_doc_change_time is not None
-            and self.last_auto_label_set_digest is not None
-        ):
-            latest_mod = Document.objects.exclude(
-                tags__is_inbox_tag=True,
-            ).aggregate(Max("modified"))["modified__max"]
-            if latest_mod is not None and latest_mod <= self.last_doc_change_time:
-                current_digest = self._compute_auto_label_set_digest()
-                if current_digest == self.last_auto_label_set_digest:
-                    logger.info("No updates since last training")
-                    cache.set(
-                        CLASSIFIER_MODIFIED_KEY,
-                        self.last_doc_change_time,
-                        CACHE_50_MINUTES,
-                    )
-                    cache.set(
-                        CLASSIFIER_HASH_KEY,
-                        self.last_auto_type_hash.hex()
-                        if self.last_auto_type_hash
-                        else "",
-                        CACHE_50_MINUTES,
-                    )
-                    cache.set(
-                        CLASSIFIER_VERSION_KEY,
-                        self.FORMAT_VERSION,
-                        CACHE_50_MINUTES,
-                    )
-                    return False
-
        # Get non-inbox documents
        docs_queryset = (
            Document.objects.exclude(
@@ -303,15 +242,12 @@ class DocumentClassifier:
        labels_correspondent = []
        labels_document_type = []
        labels_storage_path = []
-        doc_contents: list[str] = []

-        # Step 1: Extract labels and capture content in a single pass.
+        # Step 1: Extract and preprocess training data from the database.
        logger.debug("Gathering data from database...")
        notify(f"Gathering data from {docs_queryset.count()} document(s)...")
        hasher = sha256()
        for doc in docs_queryset:
-            doc_contents.append(doc.content)
-
            y = -1
            dt = doc.document_type
            if dt and dt.matching_algorithm == MatchingModel.MATCH_AUTO:
@@ -346,7 +282,25 @@ class DocumentClassifier:

        num_tags = len(labels_tags_unique)

+        # Check if retraining is actually required.
+        # A document has been updated since the classifier was trained
+        # New auto tags, types, correspondent, storage paths exist
        latest_doc_change = docs_queryset.latest("modified").modified
+        if (
+            self.last_doc_change_time is not None
+            and self.last_doc_change_time >= latest_doc_change
+        ) and self.last_auto_type_hash == hasher.digest():
+            logger.info("No updates since last training")
+            # Set the classifier information into the cache
+            # Caching for 50 minutes, so slightly less than the normal retrain time
+            cache.set(
+                CLASSIFIER_MODIFIED_KEY,
+                self.last_doc_change_time,
+                CACHE_50_MINUTES,
+            )
+            cache.set(CLASSIFIER_HASH_KEY, hasher.hexdigest(), CACHE_50_MINUTES)
+            cache.set(CLASSIFIER_VERSION_KEY, self.FORMAT_VERSION, CACHE_50_MINUTES)
+            return False

        # subtract 1 since -1 (null) is also part of the classes.

@@ -363,16 +317,21 @@ class DocumentClassifier:
        )

        from sklearn.feature_extraction.text import CountVectorizer
-        from sklearn.multiclass import OneVsRestClassifier
        from sklearn.neural_network import MLPClassifier
        from sklearn.preprocessing import LabelBinarizer
        from sklearn.preprocessing import MultiLabelBinarizer
-        from sklearn.svm import LinearSVC

        # Step 2: vectorize data
        logger.debug("Vectorizing data...")
        notify("Vectorizing document content...")

+        def content_generator() -> Iterator[str]:
+            """
+            Generates the content for documents, but once at a time
+            """
+            for doc in docs_queryset:
+                yield self.preprocess_content(doc.content, shared_cache=False)
+
        self.data_vectorizer = CountVectorizer(
            analyzer="word",
            ngram_range=(1, 2),
@@ -380,8 +339,7 @@ class DocumentClassifier:
        )

        data_vectorized: ndarray = self.data_vectorizer.fit_transform(
-            self.preprocess_content(content, shared_cache=False)
-            for content in doc_contents
+            content_generator(),
        )

        # See the notes here:
@@ -395,10 +353,8 @@ class DocumentClassifier:
            notify(f"Training tags classifier ({num_tags} tag(s))...")

            if num_tags == 1:
-                # Special case: only one AUTO tag — use binary classification.
-                # MLPClassifier is used here because LinearSVC requires at least
-                # 2 distinct classes in training data, which cannot be guaranteed
-                # when all documents share the single AUTO tag.
+                # Special case where only one tag has auto:
+                # Fallback to binary classification.
                labels_tags = [
                    label[0] if len(label) == 1 else -1 for label in labels_tags
                ]
@@ -406,15 +362,11 @@ class DocumentClassifier:
                labels_tags_vectorized: ndarray = self.tags_binarizer.fit_transform(
                    labels_tags,
                ).ravel()
-                self.tags_classifier = MLPClassifier(tol=0.01)
            else:
-                # General multi-label case: LinearSVC via OneVsRestClassifier.
-                # Vastly more memory- and time-efficient than MLPClassifier for
-                # large class counts (e.g. hundreds of AUTO tags).
                self.tags_binarizer = MultiLabelBinarizer()
                labels_tags_vectorized = self.tags_binarizer.fit_transform(labels_tags)
-                self.tags_classifier = OneVsRestClassifier(LinearSVC())

+            self.tags_classifier = MLPClassifier(tol=0.01)
            self.tags_classifier.fit(data_vectorized, labels_tags_vectorized)
        else:
            self.tags_classifier = None
@@ -464,7 +416,6 @@ class DocumentClassifier:

        self.last_doc_change_time = latest_doc_change
        self.last_auto_type_hash = hasher.digest()
-        self.last_auto_label_set_digest = self._compute_auto_label_set_digest()
        self._update_data_vectorizer_hash()

        # Set the classifier information into the cache
--- a/src/documents/permissions.py
+++ b/src/documents/permissions.py
@@ -56,6 +56,26 @@ class PaperlessAdminPermissions(BasePermission):
        return request.user.is_staff


+def has_global_statistics_permission(user: User | None) -> bool:
+    if user is None or not getattr(user, "is_authenticated", False):
+        return False
+
+    return getattr(user, "is_superuser", False) or user.has_perm(
+        "paperless.view_global_statistics",
+    )
+
+
+def has_system_status_permission(user: User | None) -> bool:
+    if user is None or not getattr(user, "is_authenticated", False):
+        return False
+
+    return (
+        getattr(user, "is_superuser", False)
+        or getattr(user, "is_staff", False)
+        or user.has_perm("paperless.view_system_status")
+    )
+
+
 def get_groups_with_only_permission(obj, codename):
    ctype = ContentType.objects.get_for_model(obj)
    permission = Permission.objects.get(content_type=ctype, codename=codename)
--- a/src/documents/tests/test_api_app_config.py
+++ b/src/documents/tests/test_api_app_config.py
@@ -6,6 +6,8 @@ from unittest.mock import patch
 from django.contrib.auth.models import User
 from django.core.files.uploadedfile import SimpleUploadedFile
 from django.test import override_settings
+from PIL import Image
+from PIL.PngImagePlugin import PngInfo
 from rest_framework import status
 from rest_framework.test import APITestCase

@@ -201,6 +203,125 @@ class TestApiAppConfig(DirectoriesMixin, APITestCase):
        )
        self.assertFalse(Path(old_logo.path).exists())

+    def test_api_strips_exif_data_from_uploaded_logo(self) -> None:
+        """
+        GIVEN:
+            - A JPEG logo upload containing EXIF metadata
+        WHEN:
+            - Uploaded via PATCH to app config
+        THEN:
+            - Stored logo image has EXIF metadata removed
+        """
+        image = Image.new("RGB", (12, 12), "blue")
+        exif = Image.Exif()
+        exif[315] = "Paperless Test Author"
+
+        logo = BytesIO()
+        image.save(logo, format="JPEG", exif=exif)
+        logo.seek(0)
+
+        response = self.client.patch(
+            f"{self.ENDPOINT}1/",
+            {
+                "app_logo": SimpleUploadedFile(
+                    name="logo-with-exif.jpg",
+                    content=logo.getvalue(),
+                    content_type="image/jpeg",
+                ),
+            },
+        )
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+
+        config = ApplicationConfiguration.objects.first()
+        with Image.open(config.app_logo.path) as stored_logo:
+            stored_exif = stored_logo.getexif()
+
+        self.assertEqual(len(stored_exif), 0)
+
+    def test_api_strips_png_metadata_from_uploaded_logo(self) -> None:
+        """
+        GIVEN:
+            - A PNG logo upload containing text metadata
+        WHEN:
+            - Uploaded via PATCH to app config
+        THEN:
+            - Stored logo image has metadata removed
+        """
+        image = Image.new("RGB", (12, 12), "green")
+        pnginfo = PngInfo()
+        pnginfo.add_text("Author", "Paperless Test Author")
+
+        logo = BytesIO()
+        image.save(logo, format="PNG", pnginfo=pnginfo)
+        logo.seek(0)
+
+        response = self.client.patch(
+            f"{self.ENDPOINT}1/",
+            {
+                "app_logo": SimpleUploadedFile(
+                    name="logo-with-metadata.png",
+                    content=logo.getvalue(),
+                    content_type="image/png",
+                ),
+            },
+        )
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+
+        config = ApplicationConfiguration.objects.first()
+        with Image.open(config.app_logo.path) as stored_logo:
+            stored_text = stored_logo.text
+
+        self.assertEqual(stored_text, {})
+
+    def test_api_accepts_valid_gif_logo(self) -> None:
+        """
+        GIVEN:
+            - A valid GIF logo upload
+        WHEN:
+            - Uploaded via PATCH to app config
+        THEN:
+            - Upload succeeds
+        """
+        image = Image.new("RGB", (12, 12), "red")
+
+        logo = BytesIO()
+        image.save(logo, format="GIF", comment=b"Paperless Test Comment")
+        logo.seek(0)
+
+        response = self.client.patch(
+            f"{self.ENDPOINT}1/",
+            {
+                "app_logo": SimpleUploadedFile(
+                    name="logo.gif",
+                    content=logo.getvalue(),
+                    content_type="image/gif",
+                ),
+            },
+        )
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+
+    def test_api_rejects_invalid_raster_logo(self) -> None:
+        """
+        GIVEN:
+            - A file named as a JPEG but containing non-image payload data
+        WHEN:
+            - Uploaded via PATCH to app config
+        THEN:
+            - Upload is rejected with 400
+        """
+        response = self.client.patch(
+            f"{self.ENDPOINT}1/",
+            {
+                "app_logo": SimpleUploadedFile(
+                    name="not-an-image.jpg",
+                    content=b"<script>alert('xss')</script>",
+                    content_type="image/jpeg",
+                ),
+            },
+        )
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+        self.assertIn("invalid logo image", str(response.data).lower())
+
    def test_api_rejects_malicious_svg_logo(self) -> None:
        """
        GIVEN:
--- a/src/documents/tests/test_api_custom_fields.py
+++ b/src/documents/tests/test_api_custom_fields.py
@@ -1309,7 +1309,7 @@ class TestCustomFieldsAPI(DirectoriesMixin, APITestCase):
        # Test as user without access to the document
        non_superuser = User.objects.create_user(username="non_superuser")
        non_superuser.user_permissions.add(
-            *Permission.objects.all(),
+            *Permission.objects.exclude(codename="view_global_statistics"),
        )
        non_superuser.save()
        self.client.force_authenticate(user=non_superuser)
--- a/src/documents/tests/test_api_documents.py
+++ b/src/documents/tests/test_api_documents.py
@@ -1314,6 +1314,41 @@ class TestDocumentApi(DirectoriesMixin, DocumentConsumeDelayMixin, APITestCase):
        self.assertEqual(response.status_code, status.HTTP_200_OK)
        self.assertEqual(response.data["documents_inbox"], 0)

+    def test_statistics_with_statistics_permission(self) -> None:
+        owner = User.objects.create_user("owner")
+        stats_user = User.objects.create_user("stats-user")
+        stats_user.user_permissions.add(
+            Permission.objects.get(codename="view_global_statistics"),
+        )
+
+        inbox_tag = Tag.objects.create(
+            name="stats_inbox",
+            is_inbox_tag=True,
+            owner=owner,
+        )
+        Document.objects.create(
+            title="owned-doc",
+            checksum="stats-A",
+            mime_type="application/pdf",
+            content="abcdef",
+            owner=owner,
+        ).tags.add(inbox_tag)
+        Correspondent.objects.create(name="stats-correspondent", owner=owner)
+        DocumentType.objects.create(name="stats-type", owner=owner)
+        StoragePath.objects.create(name="stats-path", path="archive", owner=owner)
+
+        self.client.force_authenticate(user=stats_user)
+        response = self.client.get("/api/statistics/")
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data["documents_total"], 1)
+        self.assertEqual(response.data["documents_inbox"], 1)
+        self.assertEqual(response.data["inbox_tags"], [inbox_tag.pk])
+        self.assertEqual(response.data["character_count"], 6)
+        self.assertEqual(response.data["correspondent_count"], 1)
+        self.assertEqual(response.data["document_type_count"], 1)
+        self.assertEqual(response.data["storage_path_count"], 1)
+
    def test_upload(self) -> None:
        self.consume_file_mock.return_value = celery.result.AsyncResult(
            id=str(uuid.uuid4()),
--- a/src/documents/tests/test_api_status.py
+++ b/src/documents/tests/test_api_status.py
@@ -5,12 +5,14 @@ from pathlib import Path
 from unittest import mock

 from celery import states
+from django.contrib.auth.models import Permission
 from django.contrib.auth.models import User
 from django.test import override_settings
 from rest_framework import status
 from rest_framework.test import APITestCase

 from documents.models import PaperlessTask
+from documents.permissions import has_system_status_permission
 from paperless import version


@@ -91,6 +93,22 @@ class TestSystemStatus(APITestCase):
        self.client.force_login(normal_user)
        response = self.client.get(self.ENDPOINT)
        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+        # test the permission helper function directly for good measure
+        self.assertFalse(has_system_status_permission(None))
+
+    def test_system_status_with_system_status_permission(self) -> None:
+        response = self.client.get(self.ENDPOINT)
+        self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
+
+        user = User.objects.create_user(username="status_user")
+        user.user_permissions.add(
+            Permission.objects.get(codename="view_system_status"),
+        )
+
+        self.client.force_login(user)
+        response = self.client.get(self.ENDPOINT)
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)

    def test_system_status_with_bad_basic_auth_challenges(self) -> None:
        self.client.credentials(HTTP_AUTHORIZATION="Basic invalid")
--- a/src/documents/tests/test_classifier_single_pass.py
+++ b/src/documents/tests/test_classifier_single_pass.py
@@ -1,134 +0,0 @@
-"""
-Phase 2 — Single queryset pass in DocumentClassifier.train()
-
-The document queryset must be iterated exactly once: during the label
-extraction loop, which now also captures doc.content for vectorization.
-The previous content_generator() caused a second full table scan.
-"""
-
-from __future__ import annotations
-
-from unittest import mock
-
-import pytest
-from django.db.models.query import QuerySet
-
-from documents.classifier import DocumentClassifier
-from documents.models import Correspondent
-from documents.models import Document
-from documents.models import DocumentType
-from documents.models import MatchingModel
-from documents.models import StoragePath
-from documents.models import Tag
-
-# ---------------------------------------------------------------------------
-# Fixtures (mirrors test_classifier_train_skip.py)
-# ---------------------------------------------------------------------------
-
-
-@pytest.fixture()
-def classifier_settings(settings, tmp_path):
-    settings.MODEL_FILE = tmp_path / "model.pickle"
-    return settings
-
-
-@pytest.fixture()
-def classifier(classifier_settings):
-    return DocumentClassifier()
-
-
-@pytest.fixture()
-def label_corpus(classifier_settings):
-    c_auto = Correspondent.objects.create(
-        name="Auto Corp",
-        matching_algorithm=MatchingModel.MATCH_AUTO,
-    )
-    dt_auto = DocumentType.objects.create(
-        name="Invoice",
-        matching_algorithm=MatchingModel.MATCH_AUTO,
-    )
-    t_auto = Tag.objects.create(
-        name="finance",
-        matching_algorithm=MatchingModel.MATCH_AUTO,
-    )
-    sp_auto = StoragePath.objects.create(
-        name="Finance Path",
-        path="finance/{correspondent}",
-        matching_algorithm=MatchingModel.MATCH_AUTO,
-    )
-
-    doc_a = Document.objects.create(
-        title="Invoice A",
-        content="quarterly invoice payment tax financial statement revenue",
-        correspondent=c_auto,
-        document_type=dt_auto,
-        storage_path=sp_auto,
-        checksum="aaa",
-        mime_type="application/pdf",
-        filename="invoice_a.pdf",
-    )
-    doc_a.tags.set([t_auto])
-
-    doc_b = Document.objects.create(
-        title="Invoice B",
-        content="monthly invoice billing statement account balance due",
-        correspondent=c_auto,
-        document_type=dt_auto,
-        storage_path=sp_auto,
-        checksum="bbb",
-        mime_type="application/pdf",
-        filename="invoice_b.pdf",
-    )
-    doc_b.tags.set([t_auto])
-
-    doc_c = Document.objects.create(
-        title="Notes",
-        content="meeting notes agenda discussion summary action items follow",
-        checksum="ccc",
-        mime_type="application/pdf",
-        filename="notes_c.pdf",
-    )
-
-    return {"doc_a": doc_a, "doc_b": doc_b, "doc_c": doc_c}
-
-
-# ---------------------------------------------------------------------------
-# Tests
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.django_db()
-class TestSingleQuerysetPass:
-    def test_train_iterates_document_queryset_once(self, classifier, label_corpus):
-        """
-        train() must iterate the Document queryset exactly once.
-
-        Before Phase 2 there were two iterations: one in the label extraction
-        loop and a second inside content_generator() for CountVectorizer.
-        After Phase 2 content is captured during the label loop; the second
-        iteration is eliminated.
-        """
-        original_iter = QuerySet.__iter__
-        doc_iter_count = 0
-
-        def counting_iter(qs):
-            nonlocal doc_iter_count
-            if qs.model is Document:
-                doc_iter_count += 1
-            return original_iter(qs)
-
-        with mock.patch.object(QuerySet, "__iter__", counting_iter):
-            classifier.train()
-
-        assert doc_iter_count == 1, (
-            f"Expected 1 Document queryset iteration, got {doc_iter_count}. "
-            "content_generator() may still be re-fetching from the DB."
-        )
-
-    def test_train_result_unchanged(self, classifier, label_corpus):
-        """
-        Collapsing to a single pass must not change what the classifier learns:
-        a second train() with no changes still returns False.
-        """
-        assert classifier.train() is True
-        assert classifier.train() is False
--- a/src/documents/tests/test_classifier_tags_correctness.py
+++ b/src/documents/tests/test_classifier_tags_correctness.py
@@ -1,300 +0,0 @@
-"""
-Tags classifier correctness test — Phase 3b gate.
-
-This test must pass both BEFORE and AFTER the MLPClassifier → LinearSVC swap.
-It verifies that the tags classifier correctly learns discriminative signal and
-predicts the right tags on held-out documents.
-
-Run before the swap to establish a baseline, then run again after to confirm
-the new algorithm is at least as correct.
-
-Two scenarios are tested:
-  1. Multi-tag (num_tags > 1) — the common case; uses MultiLabelBinarizer
-  2. Single-tag (num_tags == 1) — special binary path; uses LabelBinarizer
-
-Corpus design: each tag has a distinct vocabulary cluster.  Each training
-document contains words from exactly one cluster (or two for multi-tag docs).
-Held-out test documents contain the same cluster words; correct classification
-requires the model to learn the vocabulary → tag mapping.
-"""
-
-from __future__ import annotations
-
-import pytest
-
-from documents.classifier import DocumentClassifier
-from documents.models import Correspondent
-from documents.models import Document
-from documents.models import DocumentType
-from documents.models import MatchingModel
-from documents.models import StoragePath
-from documents.models import Tag
-
-# ---------------------------------------------------------------------------
-# Vocabulary clusters — intentionally non-overlapping so both MLP and SVM
-# should learn them perfectly or near-perfectly.
-# ---------------------------------------------------------------------------
-
-FINANCE_WORDS = (
-    "invoice payment tax revenue billing statement account receivable "
-    "quarterly budget expense ledger debit credit profit loss fiscal"
-)
-LEGAL_WORDS = (
-    "contract agreement terms conditions clause liability indemnity "
-    "jurisdiction arbitration compliance regulation statute obligation"
-)
-MEDICAL_WORDS = (
-    "prescription diagnosis treatment patient health symptom dosage "
-    "physician referral therapy clinical examination procedure chronic"
-)
-HR_WORDS = (
-    "employee salary onboarding performance review appraisal benefits "
-    "recruitment hiring resignation termination payroll department staff"
-)
-
-
-# ---------------------------------------------------------------------------
-# Fixtures
-# ---------------------------------------------------------------------------
-
-
-@pytest.fixture()
-def classifier_settings(settings, tmp_path):
-    settings.MODEL_FILE = tmp_path / "model.pickle"
-    return settings
-
-
-@pytest.fixture()
-def classifier(classifier_settings):
-    return DocumentClassifier()
-
-
-def _make_doc(title, content, checksum, tags=(), **kwargs):
-    doc = Document.objects.create(
-        title=title,
-        content=content,
-        checksum=checksum,
-        mime_type="application/pdf",
-        filename=f"{checksum}.pdf",
-        **kwargs,
-    )
-    if tags:
-        doc.tags.set(tags)
-    return doc
-
-
-def _words(cluster, extra=""):
-    """Repeat cluster words enough times to clear min_df=0.01 at ~40 docs."""
-    return f"{cluster} {cluster} {extra}".strip()
-
-
-# ---------------------------------------------------------------------------
-# Multi-tag correctness
-# ---------------------------------------------------------------------------
-
-
-@pytest.fixture()
-def multi_tag_corpus(classifier_settings):
-    """
-    40 training documents across 4 AUTO tags with distinct vocabulary.
-    10 single-tag docs per tag + 5 two-tag docs.  Total: 45 docs.
-
-    A non-AUTO correspondent and doc type are included to keep the
-    other classifiers happy and not raise ValueError.
-    """
-    t_finance = Tag.objects.create(
-        name="finance",
-        matching_algorithm=MatchingModel.MATCH_AUTO,
-    )
-    t_legal = Tag.objects.create(
-        name="legal",
-        matching_algorithm=MatchingModel.MATCH_AUTO,
-    )
-    t_medical = Tag.objects.create(
-        name="medical",
-        matching_algorithm=MatchingModel.MATCH_AUTO,
-    )
-    t_hr = Tag.objects.create(name="hr", matching_algorithm=MatchingModel.MATCH_AUTO)
-
-    # non-AUTO labels to keep the other classifiers from raising
-    c = Correspondent.objects.create(
-        name="org",
-        matching_algorithm=MatchingModel.MATCH_NONE,
-    )
-    dt = DocumentType.objects.create(
-        name="doc",
-        matching_algorithm=MatchingModel.MATCH_NONE,
-    )
-    sp = StoragePath.objects.create(
-        name="archive",
-        path="archive",
-        matching_algorithm=MatchingModel.MATCH_NONE,
-    )
-
-    checksum = 0
-
-    def make(title, content, tags):
-        nonlocal checksum
-        checksum += 1
-        return _make_doc(
-            title,
-            content,
-            f"{checksum:04d}",
-            tags=tags,
-            correspondent=c,
-            document_type=dt,
-            storage_path=sp,
-        )
-
-    # 10 single-tag training docs per tag
-    for i in range(10):
-        make(f"finance-{i}", _words(FINANCE_WORDS, f"doc{i}"), [t_finance])
-        make(f"legal-{i}", _words(LEGAL_WORDS, f"doc{i}"), [t_legal])
-        make(f"medical-{i}", _words(MEDICAL_WORDS, f"doc{i}"), [t_medical])
-        make(f"hr-{i}", _words(HR_WORDS, f"doc{i}"), [t_hr])
-
-    # 5 two-tag training docs
-    for i in range(5):
-        make(
-            f"finance-legal-{i}",
-            _words(FINANCE_WORDS + " " + LEGAL_WORDS, f"combo{i}"),
-            [t_finance, t_legal],
-        )
-
-    return {
-        "t_finance": t_finance,
-        "t_legal": t_legal,
-        "t_medical": t_medical,
-        "t_hr": t_hr,
-    }
-
-
-@pytest.mark.django_db()
-class TestMultiTagCorrectness:
-    """
-    The tags classifier must correctly predict tags on held-out documents whose
-    content clearly belongs to one or two vocabulary clusters.
-
-    A prediction is "correct" if the expected tag is present in the result.
-    """
-
-    def test_single_cluster_docs_predicted_correctly(
-        self,
-        classifier,
-        multi_tag_corpus,
-    ):
-        """Each single-cluster held-out doc gets exactly the right tag."""
-        classifier.train()
-        tags = multi_tag_corpus
-
-        cases = [
-            (FINANCE_WORDS + " unique alpha", [tags["t_finance"].pk]),
-            (LEGAL_WORDS + " unique beta", [tags["t_legal"].pk]),
-            (MEDICAL_WORDS + " unique gamma", [tags["t_medical"].pk]),
-            (HR_WORDS + " unique delta", [tags["t_hr"].pk]),
-        ]
-
-        for content, expected_pks in cases:
-            predicted = classifier.predict_tags(content)
-            for pk in expected_pks:
-                assert pk in predicted, (
-                    f"Expected tag pk={pk} in predictions for content starting "
-                    f"'{content[:40]}…', got {predicted}"
-                )
-
-    def test_multi_cluster_doc_gets_both_tags(self, classifier, multi_tag_corpus):
-        """A document with finance + legal vocabulary gets both tags."""
-        classifier.train()
-        tags = multi_tag_corpus
-
-        content = FINANCE_WORDS + " " + LEGAL_WORDS + " unique epsilon"
-        predicted = classifier.predict_tags(content)
-
-        assert tags["t_finance"].pk in predicted, f"Expected finance tag in {predicted}"
-        assert tags["t_legal"].pk in predicted, f"Expected legal tag in {predicted}"
-
-    def test_unrelated_content_predicts_no_trained_tags(
-        self,
-        classifier,
-        multi_tag_corpus,
-    ):
-        """
-        Completely alien content should not confidently fire any learned tag.
-        This is a soft check — we only assert no false positives on a document
-        that shares zero vocabulary with the training corpus.
-        """
-        classifier.train()
-
-        alien = (
-            "xyzzyx qwerty asdfgh zxcvbn plokij unique zeta "
-            "xyzzyx qwerty asdfgh zxcvbn plokij unique zeta"
-        )
-        predicted = classifier.predict_tags(alien)
-        # Not a hard requirement — just log for human inspection
-        # Both MLP and SVM may or may not produce false positives on OOV content
-        assert isinstance(predicted, list)
-
-
-# ---------------------------------------------------------------------------
-# Single-tag (binary) correctness
-# ---------------------------------------------------------------------------
-
-
-@pytest.fixture()
-def single_tag_corpus(classifier_settings):
-    """
-    Corpus with exactly ONE AUTO tag, exercising the LabelBinarizer +
-    binary classification path.  Documents either have the tag or don't.
-    """
-    t_finance = Tag.objects.create(
-        name="finance",
-        matching_algorithm=MatchingModel.MATCH_AUTO,
-    )
-    c = Correspondent.objects.create(
-        name="org",
-        matching_algorithm=MatchingModel.MATCH_NONE,
-    )
-    dt = DocumentType.objects.create(
-        name="doc",
-        matching_algorithm=MatchingModel.MATCH_NONE,
-    )
-
-    checksum = 0
-
-    def make(title, content, tags):
-        nonlocal checksum
-        checksum += 1
-        return _make_doc(
-            title,
-            content,
-            f"s{checksum:04d}",
-            tags=tags,
-            correspondent=c,
-            document_type=dt,
-        )
-
-    for i in range(10):
-        make(f"finance-{i}", _words(FINANCE_WORDS, f"s{i}"), [t_finance])
-        make(f"other-{i}", _words(LEGAL_WORDS, f"s{i}"), [])
-
-    return {"t_finance": t_finance}
-
-
-@pytest.mark.django_db()
-class TestSingleTagCorrectness:
-    def test_finance_content_predicts_finance_tag(self, classifier, single_tag_corpus):
-        """Finance vocabulary → finance tag predicted."""
-        classifier.train()
-        tags = single_tag_corpus
-
-        predicted = classifier.predict_tags(FINANCE_WORDS + " unique alpha single")
-        assert tags["t_finance"].pk in predicted, (
-            f"Expected finance tag pk={tags['t_finance'].pk} in {predicted}"
-        )
-
-    def test_non_finance_content_predicts_no_tag(self, classifier, single_tag_corpus):
-        """Non-finance vocabulary → no tag predicted."""
-        classifier.train()
-
-        predicted = classifier.predict_tags(LEGAL_WORDS + " unique beta single")
-        assert predicted == [], f"Expected no tags, got {predicted}"
--- a/src/documents/tests/test_classifier_train_skip.py
+++ b/src/documents/tests/test_classifier_train_skip.py
@@ -1,325 +0,0 @@
-"""
-Phase 1 — fast-skip optimisation in DocumentClassifier.train()
-
-The goal: when nothing has changed since the last training run, train() should
-return False after at most 5 DB queries (1x MAX(modified) + 4x MATCH_AUTO pk
-lists), not after a full per-document label scan.
-
-Correctness invariant: the skip must NOT fire when the set of AUTO-matching
-labels has changed, even if no Document.modified timestamp has advanced (e.g.
-a Tag's matching_algorithm was flipped to MATCH_AUTO after the last train).
-"""
-
-from __future__ import annotations
-
-from typing import TYPE_CHECKING
-
-import pytest
-from django.db import connection
-from django.test.utils import CaptureQueriesContext
-
-from documents.classifier import DocumentClassifier
-from documents.models import Correspondent
-from documents.models import Document
-from documents.models import DocumentType
-from documents.models import MatchingModel
-from documents.models import StoragePath
-from documents.models import Tag
-
-if TYPE_CHECKING:
-    from pathlib import Path
-
-
-# ---------------------------------------------------------------------------
-# Fixtures
-# ---------------------------------------------------------------------------
-
-
-@pytest.fixture()
-def classifier_settings(settings, tmp_path: Path):
-    """Point MODEL_FILE at a temp directory so tests are hermetic."""
-    settings.MODEL_FILE = tmp_path / "model.pickle"
-    return settings
-
-
-@pytest.fixture()
-def classifier(classifier_settings):
-    """Fresh DocumentClassifier instance with test settings active."""
-    return DocumentClassifier()
-
-
-@pytest.fixture()
-def label_corpus(classifier_settings):
-    """
-    Minimal label + document corpus that produces a trainable classifier.
-
-    Creates
-    -------
-    Correspondents
-        c_auto   — MATCH_AUTO, assigned to two docs
-        c_none   — MATCH_NONE (control)
-    DocumentTypes
-        dt_auto  — MATCH_AUTO, assigned to two docs
-        dt_none  — MATCH_NONE (control)
-    Tags
-        t_auto   — MATCH_AUTO, applied to two docs
-        t_none   — MATCH_NONE (control, applied to one doc but never learned)
-    StoragePaths
-        sp_auto  — MATCH_AUTO, assigned to two docs
-        sp_none  — MATCH_NONE (control)
-
-    Documents
-        doc_a, doc_b — assigned AUTO labels above
-        doc_c        — control doc (MATCH_NONE labels only)
-
-    The fixture returns a dict with all created objects for direct mutation in
-    individual tests.
-    """
-    c_auto = Correspondent.objects.create(
-        name="Auto Corp",
-        matching_algorithm=MatchingModel.MATCH_AUTO,
-    )
-    c_none = Correspondent.objects.create(
-        name="Manual Corp",
-        matching_algorithm=MatchingModel.MATCH_NONE,
-    )
-
-    dt_auto = DocumentType.objects.create(
-        name="Invoice",
-        matching_algorithm=MatchingModel.MATCH_AUTO,
-    )
-    dt_none = DocumentType.objects.create(
-        name="Other",
-        matching_algorithm=MatchingModel.MATCH_NONE,
-    )
-
-    t_auto = Tag.objects.create(
-        name="finance",
-        matching_algorithm=MatchingModel.MATCH_AUTO,
-    )
-    t_none = Tag.objects.create(
-        name="misc",
-        matching_algorithm=MatchingModel.MATCH_NONE,
-    )
-
-    sp_auto = StoragePath.objects.create(
-        name="Finance Path",
-        path="finance/{correspondent}",
-        matching_algorithm=MatchingModel.MATCH_AUTO,
-    )
-    sp_none = StoragePath.objects.create(
-        name="Other Path",
-        path="other/{correspondent}",
-        matching_algorithm=MatchingModel.MATCH_NONE,
-    )
-
-    doc_a = Document.objects.create(
-        title="Invoice from Auto Corp Jan",
-        content="quarterly invoice payment tax financial statement revenue",
-        correspondent=c_auto,
-        document_type=dt_auto,
-        storage_path=sp_auto,
-        checksum="aaa",
-        mime_type="application/pdf",
-        filename="invoice_a.pdf",
-    )
-    doc_a.tags.set([t_auto])
-
-    doc_b = Document.objects.create(
-        title="Invoice from Auto Corp Feb",
-        content="monthly invoice billing statement account balance due",
-        correspondent=c_auto,
-        document_type=dt_auto,
-        storage_path=sp_auto,
-        checksum="bbb",
-        mime_type="application/pdf",
-        filename="invoice_b.pdf",
-    )
-    doc_b.tags.set([t_auto])
-
-    # Control document — no AUTO labels, but has enough content to vectorize
-    doc_c = Document.objects.create(
-        title="Miscellaneous Notes",
-        content="meeting notes agenda discussion summary action items follow",
-        correspondent=c_none,
-        document_type=dt_none,
-        checksum="ccc",
-        mime_type="application/pdf",
-        filename="notes_c.pdf",
-    )
-    doc_c.tags.set([t_none])
-
-    return {
-        "c_auto": c_auto,
-        "c_none": c_none,
-        "dt_auto": dt_auto,
-        "dt_none": dt_none,
-        "t_auto": t_auto,
-        "t_none": t_none,
-        "sp_auto": sp_auto,
-        "sp_none": sp_none,
-        "doc_a": doc_a,
-        "doc_b": doc_b,
-        "doc_c": doc_c,
-    }
-
-
-# ---------------------------------------------------------------------------
-# Happy-path skip tests
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.django_db()
-class TestFastSkipFires:
-    """The no-op path: nothing changed, so the second train() is skipped."""
-
-    def test_first_train_returns_true(self, classifier, label_corpus):
-        """First train on a fresh classifier must return True (did work)."""
-        assert classifier.train() is True
-
-    def test_second_train_returns_false(self, classifier, label_corpus):
-        """Second train with no changes must return False (skipped)."""
-        classifier.train()
-        assert classifier.train() is False
-
-    def test_fast_skip_runs_minimal_queries(self, classifier, label_corpus):
-        """
-        The no-op path must use at most 5 DB queries:
-          1x Document.objects.aggregate(Max('modified'))
-          4x MATCH_AUTO pk lists  (Correspondent / DocumentType / Tag / StoragePath)
-
-        The current implementation (before Phase 1) iterates every document
-        to build the label hash BEFORE it can decide to skip, which is O(N).
-        This test verifies the fast path is in place.
-        """
-        classifier.train()
-        with CaptureQueriesContext(connection) as ctx:
-            result = classifier.train()
-        assert result is False
-        assert len(ctx.captured_queries) <= 5, (
-            f"Fast skip used {len(ctx.captured_queries)} queries; expected ≤5.\n"
-            + "\n".join(q["sql"] for q in ctx.captured_queries)
-        )
-
-    def test_fast_skip_refreshes_cache_keys(self, classifier, label_corpus):
-        """
-        Even on a skip, the cache keys must be refreshed so that the task
-        scheduler can detect the classifier is still current.
-        """
-        from django.core.cache import cache
-
-        from documents.caching import CLASSIFIER_HASH_KEY
-        from documents.caching import CLASSIFIER_MODIFIED_KEY
-        from documents.caching import CLASSIFIER_VERSION_KEY
-
-        classifier.train()
-        # Evict the keys to prove skip re-populates them
-        cache.delete(CLASSIFIER_MODIFIED_KEY)
-        cache.delete(CLASSIFIER_HASH_KEY)
-        cache.delete(CLASSIFIER_VERSION_KEY)
-
-        result = classifier.train()
-
-        assert result is False
-        assert cache.get(CLASSIFIER_MODIFIED_KEY) is not None
-        assert cache.get(CLASSIFIER_HASH_KEY) is not None
-        assert cache.get(CLASSIFIER_VERSION_KEY) is not None
-
-
-# ---------------------------------------------------------------------------
-# Correctness tests — skip must NOT fire when the world has changed
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.django_db()
-class TestFastSkipDoesNotFire:
-    """The skip guard must yield to a full retrain whenever labels change."""
-
-    def test_document_content_modification_triggers_retrain(
-        self,
-        classifier,
-        label_corpus,
-    ):
-        """Updating a document's content updates modified → retrain required."""
-        classifier.train()
-        doc_a = label_corpus["doc_a"]
-        doc_a.content = "completely different words here now nothing same"
-        doc_a.save()
-        assert classifier.train() is True
-
-    def test_document_label_reassignment_triggers_retrain(
-        self,
-        classifier,
-        label_corpus,
-    ):
-        """
-        Reassigning a document to a different AUTO correspondent (touching
-        doc.modified) must trigger a retrain.
-        """
-        c_auto2 = Correspondent.objects.create(
-            name="Second Auto Corp",
-            matching_algorithm=MatchingModel.MATCH_AUTO,
-        )
-        classifier.train()
-        doc_a = label_corpus["doc_a"]
-        doc_a.correspondent = c_auto2
-        doc_a.save()
-        assert classifier.train() is True
-
-    def test_matching_algorithm_change_on_assigned_tag_triggers_retrain(
-        self,
-        classifier,
-        label_corpus,
-    ):
-        """
-        Flipping a tag's matching_algorithm to MATCH_AUTO after it is already
-        assigned to documents must trigger a retrain — even though no
-        Document.modified timestamp advances.
-
-        This is the key correctness case for the auto-label-set digest:
-        the tag is already on doc_a and doc_b, so once it becomes MATCH_AUTO
-        the classifier needs to learn it.
-        """
-        # t_none is applied to doc_c (a control doc) via the fixture.
-        # We flip it to MATCH_AUTO; the set of learnable AUTO tags grows.
-        classifier.train()
-        t_none = label_corpus["t_none"]
-        t_none.matching_algorithm = MatchingModel.MATCH_AUTO
-        t_none.save(update_fields=["matching_algorithm"])
-        # Document.modified is NOT touched — this test specifically verifies
-        # that the auto-label-set digest catches the change.
-        assert classifier.train() is True
-
-    def test_new_auto_correspondent_triggers_retrain(self, classifier, label_corpus):
-        """
-        Adding a brand-new MATCH_AUTO correspondent (unassigned to any doc)
-        must trigger a retrain: the auto-label-set has grown.
-        """
-        classifier.train()
-        Correspondent.objects.create(
-            name="New Auto Corp",
-            matching_algorithm=MatchingModel.MATCH_AUTO,
-        )
-        assert classifier.train() is True
-
-    def test_removing_auto_label_triggers_retrain(self, classifier, label_corpus):
-        """
-        Deleting a MATCH_AUTO correspondent shrinks the auto-label-set and
-        must trigger a retrain.
-        """
-        classifier.train()
-        label_corpus["c_auto"].delete()
-        assert classifier.train() is True
-
-    def test_fresh_classifier_always_trains(self, classifier, label_corpus):
-        """
-        A classifier that has never been trained (last_doc_change_time is None)
-        must always perform a full train, regardless of corpus state.
-        """
-        assert classifier.last_doc_change_time is None
-        assert classifier.train() is True
-
-    def test_no_documents_raises_value_error(self, classifier, classifier_settings):
-        """train() with an empty database must raise ValueError."""
-        with pytest.raises(ValueError, match="No training data"):
-            classifier.train()
--- a/src/documents/views.py
+++ b/src/documents/views.py
@@ -165,7 +165,9 @@ from documents.permissions import ViewDocumentsPermissions
 from documents.permissions import annotate_document_count_for_related_queryset
 from documents.permissions import get_document_count_filter_for_user
 from documents.permissions import get_objects_for_user_owner_aware
+from documents.permissions import has_global_statistics_permission
 from documents.permissions import has_perms_owner_aware
+from documents.permissions import has_system_status_permission
 from documents.permissions import set_permissions_for_object
 from documents.plugins.date_parsing import get_date_parser
 from documents.schema import generate_object_with_permissions_schema
@@ -3265,10 +3267,11 @@ class StatisticsView(GenericAPIView):

    def get(self, request, format=None):
        user = request.user if request.user is not None else None
+        can_view_global_stats = has_global_statistics_permission(user) or user is None

        documents = (
            Document.objects.all()
-            if user is None
+            if can_view_global_stats
            else get_objects_for_user_owner_aware(
                user,
                "documents.view_document",
@@ -3277,12 +3280,12 @@ class StatisticsView(GenericAPIView):
        )
        tags = (
            Tag.objects.all()
-            if user is None
+            if can_view_global_stats
            else get_objects_for_user_owner_aware(user, "documents.view_tag", Tag)
        ).only("id", "is_inbox_tag")
        correspondent_count = (
            Correspondent.objects.count()
-            if user is None
+            if can_view_global_stats
            else get_objects_for_user_owner_aware(
                user,
                "documents.view_correspondent",
@@ -3291,7 +3294,7 @@ class StatisticsView(GenericAPIView):
        )
        document_type_count = (
            DocumentType.objects.count()
-            if user is None
+            if can_view_global_stats
            else get_objects_for_user_owner_aware(
                user,
                "documents.view_documenttype",
@@ -3300,7 +3303,7 @@ class StatisticsView(GenericAPIView):
        )
        storage_path_count = (
            StoragePath.objects.count()
-            if user is None
+            if can_view_global_stats
            else get_objects_for_user_owner_aware(
                user,
                "documents.view_storagepath",
@@ -4257,7 +4260,7 @@ class SystemStatusView(PassUserMixin):
    permission_classes = (IsAuthenticated,)

    def get(self, request, format=None):
-        if not request.user.is_staff:
+        if not has_system_status_permission(request.user):
            return HttpResponseForbidden("Insufficient permissions")

        current_version = version.__full_version_str__
--- a/src/locale/en_US/LC_MESSAGES/django.po
+++ b/src/locale/en_US/LC_MESSAGES/django.po
@@ -2,7 +2,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: paperless-ngx\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-04-06 22:51+0000\n"
+"POT-Creation-Date: 2026-04-08 15:41+0000\n"
 "PO-Revision-Date: 2022-02-17 04:17\n"
 "Last-Translator: \n"
 "Language-Team: English\n"
@@ -1308,8 +1308,8 @@ msgid "workflow runs"
 msgstr ""

 #: documents/serialisers.py:463 documents/serialisers.py:815
-#: documents/serialisers.py:2545 documents/views.py:2120
-#: documents/views.py:2175 paperless_mail/serialisers.py:143
+#: documents/serialisers.py:2545 documents/views.py:2122
+#: documents/views.py:2177 paperless_mail/serialisers.py:143
 msgid "Insufficient permissions."
 msgstr ""

@@ -1349,7 +1349,7 @@ msgstr ""
 msgid "Duplicate document identifiers are not allowed."
 msgstr ""

-#: documents/serialisers.py:2631 documents/views.py:3784
+#: documents/serialisers.py:2631 documents/views.py:3787
 #, python-format
 msgid "Documents not found: %(ids)s"
 msgstr ""
@@ -1617,28 +1617,28 @@ msgstr ""
 msgid "Unable to parse URI {value}"
 msgstr ""

-#: documents/views.py:2077
+#: documents/views.py:2079
 msgid "Specify only one of text, title_search, query, or more_like_id."
 msgstr ""

-#: documents/views.py:2113 documents/views.py:2172
+#: documents/views.py:2115 documents/views.py:2174
 msgid "Invalid more_like_id"
 msgstr ""

-#: documents/views.py:3796
+#: documents/views.py:3799
 #, python-format
 msgid "Insufficient permissions to share document %(id)s."
 msgstr ""

-#: documents/views.py:3839
+#: documents/views.py:3842
 msgid "Bundle is already being processed."
 msgstr ""

-#: documents/views.py:3896
+#: documents/views.py:3899
 msgid "The share link bundle is still being prepared. Please try again later."
 msgstr ""

-#: documents/views.py:3906
+#: documents/views.py:3909
 msgid "The share link bundle is unavailable."
 msgstr ""

--- a/src/paperless/migrations/0009_alter_applicationconfiguration_options.py
+++ b/src/paperless/migrations/0009_alter_applicationconfiguration_options.py
@@ -0,0 +1,22 @@
+# Generated by Django 5.2.12 on 2026-04-07 23:13
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("paperless", "0008_replace_skip_archive_file"),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name="applicationconfiguration",
+            options={
+                "permissions": [
+                    ("view_global_statistics", "Can view global object counts"),
+                    ("view_system_status", "Can view system status information"),
+                ],
+                "verbose_name": "paperless application settings",
+            },
+        ),
+    ]
--- a/src/paperless/models.py
+++ b/src/paperless/models.py
@@ -341,6 +341,10 @@ class ApplicationConfiguration(AbstractSingletonModel):

    class Meta:
        verbose_name = _("paperless application settings")
+        permissions = [
+            ("view_global_statistics", "Can view global object counts"),
+            ("view_system_status", "Can view system status information"),
+        ]

    def __str__(self) -> str:  # pragma: no cover
        return "ApplicationConfiguration"
--- a/src/paperless/serialisers.py
+++ b/src/paperless/serialisers.py
@@ -1,4 +1,5 @@
 import logging
+from io import BytesIO

 import magic
 from allauth.mfa.adapter import get_adapter as get_mfa_adapter
@@ -11,13 +12,16 @@ from django.contrib.auth.models import Group
 from django.contrib.auth.models import Permission
 from django.contrib.auth.models import User
 from django.contrib.auth.password_validation import validate_password
+from django.core.files.uploadedfile import InMemoryUploadedFile
 from django.core.files.uploadedfile import UploadedFile
+from PIL import Image
 from rest_framework import serializers
 from rest_framework.authtoken.serializers import AuthTokenSerializer

 from paperless.models import ApplicationConfiguration
 from paperless.network import validate_outbound_http_url
 from paperless.validators import reject_dangerous_svg
+from paperless.validators import validate_raster_image
 from paperless_mail.serialisers import ObfuscatedPasswordField

 logger = logging.getLogger("paperless.settings")
@@ -233,9 +237,43 @@ class ApplicationConfigurationSerializer(serializers.ModelSerializer):
            instance.app_logo.delete()
        return super().update(instance, validated_data)

+    def _sanitize_raster_image(self, file: UploadedFile) -> UploadedFile:
+        try:
+            data = BytesIO()
+            image = Image.open(file)
+            image.save(data, format=image.format)
+            data.seek(0)
+
+            return InMemoryUploadedFile(
+                file=data,
+                field_name=file.field_name,
+                name=file.name,
+                content_type=file.content_type,
+                size=data.getbuffer().nbytes,
+                charset=getattr(file, "charset", None),
+            )
+        finally:
+            image.close()
+
    def validate_app_logo(self, file: UploadedFile):
-        if file and magic.from_buffer(file.read(2048), mime=True) == "image/svg+xml":
+        """
+        Validates and sanitizes the uploaded app logo image. Model field already restricts to
+        jpg/png/gif/svg see src/paperless/models.py#L200
+        """
+        if not file:
+            return file
+
+        mime_type = magic.from_buffer(file.read(2048), mime=True)
+
+        if mime_type == "image/svg+xml":
            reject_dangerous_svg(file)
+            return file
+
+        validate_raster_image(file)
+
+        if mime_type in {"image/jpeg", "image/png"}:
+            file = self._sanitize_raster_image(file)
+
        return file

    def validate_llm_endpoint(self, value: str | None) -> str | None:
--- a/src/paperless/validators.py
+++ b/src/paperless/validators.py
@@ -1,6 +1,10 @@
+from io import BytesIO
+
+from django.conf import settings
 from django.core.exceptions import ValidationError
 from django.core.files.uploadedfile import UploadedFile
 from lxml import etree
+from PIL import Image

 ALLOWED_SVG_TAGS: set[str] = {
    # Basic shapes
@@ -254,3 +258,30 @@ def reject_dangerous_svg(file: UploadedFile) -> None:
                    raise ValidationError(
                        f"URI scheme not allowed in {attr_name}: must be #anchor, relative path, or data:image/*",
                    )
+
+
+def validate_raster_image(file: UploadedFile) -> None:
+    """
+    Validates that the uploaded file is a valid raster image (JPEG, PNG, etc.)
+    and does not exceed maximum pixel limits.
+    Raises ValidationError if the image is invalid or exceeds the allowed size.
+    """
+
+    file.seek(0)
+    image_data = file.read()
+    try:
+        with Image.open(BytesIO(image_data)) as image:
+            image.verify()
+
+            if (
+                settings.MAX_IMAGE_PIXELS is not None
+                and settings.MAX_IMAGE_PIXELS > 0
+                and image.width * image.height > settings.MAX_IMAGE_PIXELS
+            ):
+                raise ValidationError(
+                    "Uploaded logo exceeds the maximum allowed image size.",
+                )
+            if image.format is None:
+                raise ValidationError("Invalid logo image.")
+    except (OSError, Image.DecompressionBombError) as e:
+        raise ValidationError("Invalid logo image.") from e
--- a/uv.lock
+++ b/uv.lock