[bug] Data import fix (#9962)

* Permission fix for data importer endpoint * Add playwright tests * Bump API version
2025-09-14 06:31:27 +00:00 · 2025-07-06 18:22:37 +10:00
parent 945cb46f32
commit 042039754b
7 changed files with 107 additions and 12 deletions
--- a/src/backend/InvenTree/InvenTree/api_version.py
+++ b/src/backend/InvenTree/InvenTree/api_version.py
@@ -1,12 +1,15 @@
 """InvenTree API version information."""

 # InvenTree API version
-INVENTREE_API_VERSION = 363
+INVENTREE_API_VERSION = 364

 """Increment this API version number whenever there is a significant change to the API that any clients need to know about."""

 INVENTREE_API_TEXT = """

+v364 -> 2025-07-06 : https://github.com/inventree/InvenTree/pull/9962
+    - Fix permissions for the DataImportSession API endpoints
+
 v363 -> 2025-07-04 : https://github.com/inventree/InvenTree/pull/9954
    - Adds "user_detail" field to the ApiToken serializer

--- a/src/backend/InvenTree/importer/api.py
+++ b/src/backend/InvenTree/importer/api.py
@@ -30,7 +30,7 @@ class DataImporterPermission(permissions.BasePermission):

    def has_permission(self, request, view):
        """Class level permission checks are handled via InvenTree.permissions.IsAuthenticatedOrReadScope."""
-        return True
+        return request.user and request.user.is_authenticated

    def has_object_permission(self, request, view, obj):
        """Check if the user has permission to access the imported object."""
@@ -91,25 +91,25 @@ class DataImporterModelList(APIView):
        return Response(models)


-class DataImportSessionList(DataImporterPermission, BulkDeleteMixin, ListCreateAPI):
-    """API endpoint for accessing a list of DataImportSession objects."""
+class DataImportSessionMixin:
+    """Mixin class for DataImportSession API views."""

    queryset = importer.models.DataImportSession.objects.all()
    serializer_class = importer.serializers.DataImportSessionSerializer
+    permission_classes = [DataImporterPermission]
+
+
+class DataImportSessionList(BulkDeleteMixin, DataImportSessionMixin, ListCreateAPI):
+    """API endpoint for accessing a list of DataImportSession objects."""

    filter_backends = SEARCH_ORDER_FILTER
-
    filterset_fields = ['model_type', 'status', 'user']
-
    ordering_fields = ['timestamp', 'status', 'model_type']


-class DataImportSessionDetail(DataImporterPermission, RetrieveUpdateDestroyAPI):
+class DataImportSessionDetail(DataImportSessionMixin, RetrieveUpdateDestroyAPI):
    """Detail endpoint for a single DataImportSession object."""

-    queryset = importer.models.DataImportSession.objects.all()
-    serializer_class = importer.serializers.DataImportSessionSerializer
-

 class DataImportSessionAcceptFields(APIView):
    """API endpoint to accept the field mapping for a DataImportSession."""