Merge pull request #2956 from SchrodingersGat/settings-api-fix

Fix permissions for global settings API
2025-11-04 07:05:41 +00:00 · 2022-05-09 22:13:51 +10:00
parent cfaef06b9c 30d799dbc6
commit 583f8faf66
2 changed files with 12 additions and 2 deletions
--- a/InvenTree/InvenTree/api_version.py
+++ b/InvenTree/InvenTree/api_version.py
@@ -4,11 +4,15 @@ InvenTree API version information
 # InvenTree API version
-INVENTREE_API_VERSION = 45
+INVENTREE_API_VERSION = 46
 """
 Increment this API version number whenever there is a significant change to the API that any clients need to know about
 v46 -> 2022-05-09
    - Fixes read permissions on settings API
    - Allows non-staff users to read global settings via the API
 v45 -> 2022-05-08 : https://github.com/inventree/InvenTree/pull/2944
    - Settings are now accessed via the API using their unique key, not their PK
    - This allows the settings to be accessed without prior knowledge of the PK
--- a/InvenTree/common/api.py
+++ b/InvenTree/common/api.py
@@ -146,7 +146,12 @@ class GlobalSettingsPermissions(permissions.BasePermission):
        try:
            user = request.user
-            return user.is_staff
+            if request.method in ['GET', 'HEAD', 'OPTIONS']:
                return True
            else:
                # Any other methods require staff access permissions
                return user.is_staff
        except AttributeError:  # pragma: no cover
            return False
@@ -175,6 +180,7 @@ class GlobalSettingsDetail(generics.RetrieveUpdateAPIView):
        return common.models.InvenTreeSetting.get_setting_object(key)
    permission_classes = [
        permissions.IsAuthenticated,
        GlobalSettingsPermissions,
    ]