[BUG] All users can delete documents by default.

[Raymoz101]

Describe the bug Additional users (made by the superuser), who are assigned only VIEW permissions can delete documents.

To Reproduce Steps to reproduce the behavior:

1. Create additional user
2. Assign ONLY "Documents | Document | Can view document" in the "Chosen user permissions" > Click SAVE
3. Login as newly made user
4. Edit a document
5. Click Delete, accept warning
6. Document is actually deleted...

Expected behavior The user has only been granted view permissions, but they able to delete as well.

Screenshots If applicable, add screenshots to help explain your problem.

Webserver logs

If available, post any logs from the web server related to your issue.

Relevant information

• Host OS of the machine running paperless: Synology DSM 6.2.4 / Docker
• Browser - Chrome and Edge
• Version - 1.5.0
• Installation method: Docker
• Any configuration changes you made in docker-compose.yml, docker-compose.env or paperless.conf.
• Set PUID, PGID and Timezone.

[abctje]

I can confirm this. I have created a user with no rights at all. The user can still see and remove documents.

[bbesmer]

Paperless-ng as of today is not a multi-user application. The user management is only turned on to have the admin user. It is currently the top voted discussion #52