From 30d799dbc64aeed79981a86859a91085a11c2b30 Mon Sep 17 00:00:00 2001
From: Oliver Walters
Date: Mon, 9 May 2022 21:43:12 +1000
Subject: [PATCH] Fix permissions for global settings API
---
 InvenTree/InvenTree/api_version.py | 6 +++++-
 InvenTree/common/api.py | 8 +++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/InvenTree/InvenTree/api_version.py b/InvenTree/InvenTree/api_version.py
index 2046b97281..86f41816b2 100644
--- a/InvenTree/InvenTree/api_version.py
+++ b/InvenTree/InvenTree/api_version.py
@@ -4,11 +4,15 @@ InvenTree API version information
 # InvenTree API version
-INVENTREE_API_VERSION = 45
+INVENTREE_API_VERSION = 46
 """
 Increment this API version number whenever there is a significant change to the API that any clients need to know about
+v46 -> 2022-05-09
+ - Fixes read permissions on settings API
+ - Allows non-staff users to read global settings via the API
+
 v45 -> 2022-05-08 : https://github.com/inventree/InvenTree/pull/2944
 - Settings are now accessed via the API using their unique key, not their PK
 - This allows the settings to be accessed without prior knowledge of the PK
diff --git a/InvenTree/common/api.py b/InvenTree/common/api.py
index 22dcf4ac14..1996a4bdbf 100644
--- a/InvenTree/common/api.py
+++ b/InvenTree/common/api.py
@@ -146,7 +146,12 @@ class GlobalSettingsPermissions(permissions.BasePermission):
 try:
 user = request.user
- return user.is_staff
+ if request.method in ['GET', 'HEAD', 'OPTIONS']:
+ return True
+ else:
+ # Any other methods require staff access permissions
+ return user.is_staff
+
 except AttributeError: # pragma: no cover
 return False
@@ -175,6 +180,7 @@ class GlobalSettingsDetail(generics.RetrieveUpdateAPIView):
 return common.models.InvenTreeSetting.get_setting_object(key)
 permission_classes = [
+ permissions.IsAuthenticated,
 GlobalSettingsPermissions,
 ]
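Review bot: In `GlobalSettingsPermissions.has_permission` (InvenTree/common/api.py, first hunk), the new safe-method branch returns `True` without consulting `user`, so taken on its own this class now lets an unauthenticated request read global settings. The second hunk adds `permissions.IsAuthenticated` to `GlobalSettingsDetail`, but any other view that lists `GlobalSettingsPermissions` (none is visible in this patch) would need the same entry. Making the class self-contained removes that dependency: `if request.method in permissions.SAFE_METHODS:` followed by `return bool(user and user.is_authenticated)`, assuming `permissions` here is `rest_framework.permissions`. It is also worth confirming that no global setting stores a secret value, since every authenticated user can now read all of them. The method starts above the hunk.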
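Review bot: The `permissions.IsAuthenticated` entry added to `GlobalSettingsDetail.permission_classes` (InvenTree/common/api.py, second hunk) has no comment saying that it is what keeps anonymous reads out, so a later cleanup could drop it as redundant. A one-line comment above it would record the intent: `# Required: GlobalSettingsPermissions allows GET/HEAD/OPTIONS without checking the user`. The diffstat lists no test file, so a regression test asserting that an anonymous GET is rejected, a non-staff GET succeeds and a non-staff PATCH is refused would pin the behaviour this commit intends. The class body starts above the hunk.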