From 195ebc793edcb37775989202f344fa2f4c4ba519 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20P=C3=B6ttker?= Date: Sat, 9 May 2026 10:50:48 +0200 Subject: [PATCH] fix: scope barcode template permissions to specific endpoints instead of the entire controller --- .../src/barcode/barcode-templates.controller.ts | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/paperless-backend/src/barcode/barcode-templates.controller.ts b/paperless-backend/src/barcode/barcode-templates.controller.ts index f79d697..6e67607 100644 --- a/paperless-backend/src/barcode/barcode-templates.controller.ts +++ b/paperless-backend/src/barcode/barcode-templates.controller.ts @@ -72,7 +72,6 @@ function validate(dto: UpsertDto, partial = false): void { } @Controller('api/barcode-templates') -@RequirePermissions(Permission.MANAGE_SETTINGS) export class BarcodeTemplatesController { private readonly logger = new Logger(BarcodeTemplatesController.name); @@ -89,11 +88,13 @@ export class BarcodeTemplatesController { } @Get() + @RequirePermissions(Permission.VIEW_INBOX) async list() { return this.repo.find({ order: { Id: 'ASC' } }); } @Post() + @RequirePermissions(Permission.MANAGE_SETTINGS) async create(@Body() dto: UpsertDto) { validate(dto); const entity = this.repo.create({ @@ -118,6 +119,7 @@ export class BarcodeTemplatesController { } @Put(':id') + @RequirePermissions(Permission.MANAGE_SETTINGS) async update(@Param('id', ParseIntPipe) id: number, @Body() dto: UpsertDto) { validate(dto, true); const existing = await this.repo.findOneBy({ Id: id }); @@ -149,6 +151,7 @@ export class BarcodeTemplatesController { } @Delete(':id') + @RequirePermissions(Permission.MANAGE_SETTINGS) async remove(@Param('id', ParseIntPipe) id: number) { const res = await this.repo.delete(id); if (!res.affected) throw new NotFoundException('Vorlage nicht gefunden');