From 3c1b82d171e4f0473efa8d90d6414c9f95823669 Mon Sep 17 00:00:00 2001 From: Matthias Mair Date: Wed, 24 Jun 2026 01:09:38 +0200 Subject: [PATCH] ensure permission erros knock through --- src/backend/InvenTree/InvenTree/models.py | 3 ++- src/backend/InvenTree/plugin/base/barcodes/api.py | 2 ++ src/backend/InvenTree/plugin/base/barcodes/test_barcode.py | 6 +++++- 3 files changed, 9 insertions(+), 2 deletions(-) diff --git a/src/backend/InvenTree/InvenTree/models.py b/src/backend/InvenTree/InvenTree/models.py index 71a9dd4c6d..31c68e8730 100644 --- a/src/backend/InvenTree/InvenTree/models.py +++ b/src/backend/InvenTree/InvenTree/models.py @@ -8,7 +8,7 @@ from typing import Any, Optional from django.contrib.auth import get_user_model from django.contrib.contenttypes.fields import GenericRelation from django.contrib.contenttypes.models import ContentType -from django.core.exceptions import PermissionDenied, ValidationError +from django.core.exceptions import ValidationError from django.db import models, transaction from django.db.models import QuerySet from django.db.models.signals import post_save @@ -23,6 +23,7 @@ from django_q.models import Task from error_report.models import Error from mptt.exceptions import InvalidMove from mptt.models import MPTTModel, TreeForeignKey +from rest_framework.exceptions import PermissionDenied from stdimage.models import StdImageField from taggit.managers import TaggableManager diff --git a/src/backend/InvenTree/plugin/base/barcodes/api.py b/src/backend/InvenTree/plugin/base/barcodes/api.py index 69014a3610..af84a5b4e8 100644 --- a/src/backend/InvenTree/plugin/base/barcodes/api.py +++ b/src/backend/InvenTree/plugin/base/barcodes/api.py @@ -154,6 +154,8 @@ class BarcodeView(CreateAPIView): for current_plugin in plugins: try: result = current_plugin.scan(barcode, user=request.user, **kwargs) + except PermissionDenied as exc: + raise exc except Exception: log_error('BarcodeView.scan_barcode', plugin=current_plugin.slug) continue diff --git a/src/backend/InvenTree/plugin/base/barcodes/test_barcode.py b/src/backend/InvenTree/plugin/base/barcodes/test_barcode.py index 2a73564dd1..667ef8d4ed 100644 --- a/src/backend/InvenTree/plugin/base/barcodes/test_barcode.py +++ b/src/backend/InvenTree/plugin/base/barcodes/test_barcode.py @@ -345,10 +345,14 @@ class SOAllocateTest(InvenTreeAPITestCase): # Test with barcode which points to a *part* instance item.part.assign_barcode(barcode_data='abcde') + # missing permission for viewing the part - error + self.postBarcode('abcde', sales_order=self.sales_order.pk, expected_code=403) + + # Add part.view role and test again + self.assignRole('part.view') result = self.postBarcode( 'abcde', sales_order=self.sales_order.pk, expected_code=400 ) - self.assertIn('does not match an existing stock item', str(result['error'])) def test_submit(self):