Make sure to require the checkedout detail view permission for the checked out document detail API view.

Signed-off-by: Michael Price <loneviking72@gmail.com>
2018-03-03 04:03:46 -04:00
parent b4bf9bfaee
commit 938093db6f
1 changed files with 6 additions and 2 deletions
--- a/mayan/apps/checkouts/api_views.py
+++ b/mayan/apps/checkouts/api_views.py
@@ -14,8 +14,8 @@ from documents.permissions import permission_document_view

 from .models import DocumentCheckout
 from .permissions import (
-    permission_document_checkout, permission_document_checkin,
-    permission_document_checkin_override
+    permission_document_checkin, permission_document_checkin_override,
+    permission_document_checkout, permission_document_checkout_detail_view
 )
 from .serializers import (
    DocumentCheckoutSerializer, NewDocumentCheckoutSerializer
@@ -95,6 +95,10 @@ class APICheckedoutDocumentView(generics.RetrieveDestroyAPIView):
                permission=permission_document_view, user=self.request.user,
                queryset=DocumentCheckout.objects.checked_out_documents()
            )
+            filtered_documents = AccessControlList.objects.filter_by_access(
+                permission=permission_document_checkout_detail_view, user=self.request.user,
+                queryset=filtered_documents
+            )

            return DocumentCheckout.objects.filter(
                document__pk__in=filtered_documents.values_list(