studio/docs
Archived
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
This repository has been archived on 2026-03-24. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
95a55e780501746cc1503eb2e6b31e6807113019
docs/src/backend/core/api/serializers.py

738 lines
24 KiB
Python
Raw Normal View History

♻️(project) rename project from "publish" to "impress" The repository was renamed to "impress" but the code was still mentionning "publish".
2024-03-07 19:46:46 +01:00
"""Client serializers for the impress core app."""
🚨(backend) fix linting issues after upgrading The last upgrades introduced some linting issues. This commit fixes them.
2024-08-20 16:42:27 +02:00
🐛(back) validate document content in serializer We recently extract images url in the content. For this, we assume that the document content is always in base64. We enforce this assumption by checking if it's a valide base64 in the serializer.
2025-03-28 18:15:20 +01:00
import binascii
✨(backend) allow uploading images as attachments to a document We only rely on S3 to store attachments for a document. Nothing is persisted in the database as the image media urls will be stored in the document json.
2024-08-19 22:35:48 +02:00
import mimetypes
🐛(back) validate document content in serializer We recently extract images url in the content. For this, we assume that the document content is always in base64. We enforce this assumption by checking if it's a valide base64 in the serializer.
2025-03-28 18:15:20 +01:00
from base64 import b64decode
✨(backend) allow uploading images as attachments to a document We only rely on S3 to store attachments for a document. Nothing is persisted in the database as the image media urls will be stored in the document json.
2024-08-19 22:35:48 +02:00
from django.conf import settings
✨(models/api) add RBAC on templates linking accesses to a team name We want to be able to control who can access a template via roles. I added this feature on the TeamAccess model assuming that the teams to which a user belongs can be retrieved via a `get_teams` method on the user model. The idea is that this method will get the teams either via a call to an external API or directly from the OIDC token upon user login. This list of teams will probably have to be cached for each user.
2024-03-03 08:49:27 +01:00
from django.db.models import Q
✨(backend) add server-to-server API endpoint to create documents We want trusted external applications to be able to create documents via the API on behalf of any user. The user may or may not pre-exist in our database and should be notified of the document creation by email.
2024-12-01 11:25:01 +01:00
from django.utils.functional import lazy
♻️(backend) refactor post hackathon to a first working version This project was copied and hacked to make a POC in a 2-day hackathon. We need to clean and refactor things in order to get a first version of the product we want.
2024-02-09 19:32:12 +01:00
from django.utils.translation import gettext_lazy as _
✨(backend) allow uploading more types of attachments We want to allow users to upload files to a document, not just images. We try to enforce coherence between the file extension and the real mime type of its content. If a file is deemed unsafe, it is still accepted during upload and the information is stored as metadata on the object for display to readers.
2024-10-07 20:10:42 +02:00
import magic
✨(project) first proof of concept printing pdf from markdown This is a boilerplate inspired from https://github.com/openfun/joanie
2024-01-09 15:30:36 +01:00
from rest_framework import exceptions, serializers
✨(backend) extract attachment keys from updated content for access We can't prevent document editors from copy/pasting content to from one document to another. The problem is that copying content, will copy the urls pointing to attachments but if we don't do anything, the reader of the document to which the content is being pasted, may not be allowed to access the attachment files from the original document. Using the work from the previous commit, we can grant access to the readers of the target document by extracting the attachment keys from the content and adding themto the target document's "attachments" field. Before doing this, we check that the current user can indeed access the attachment files extracted from the content and that they are allowed to edit the current document.
2025-01-21 23:56:50 +01:00
from core import enums, models, utils
✨(backend) create ai endpoint We created 2 new action endpoints on the document to perform AI operations: - POST /api/v1.0/documents/{uuid}/ai-transform - POST /api/v1.0/documents/{uuid}/ai-translate
2024-09-20 22:42:46 +02:00
from core.services.ai_services import AI_ACTIONS
✨(backend) add server-to-server API endpoint to create documents We want trusted external applications to be able to create documents via the API on behalf of any user. The user may or may not pre-exist in our database and should be notified of the document creation by email.
2024-12-01 11:25:01 +01:00
from core.services.converter_services import (
ConversionError,
YdocConverter,
)
✨(project) first proof of concept printing pdf from markdown This is a boilerplate inspired from https://github.com/openfun/joanie
2024-01-09 15:30:36 +01:00
class UserSerializer(serializers.ModelSerializer):
"""Serialize users."""
class Meta:
model = models.User
✨(backend) add API access for 'language' attribute on User model - allow the language attribute on the user to be updated via API - add frontend function to update the user language via API - extend defaults on the test users, to have fixed language in E2E tests - extend types and variables using the types with the new field
2025-03-04 14:00:22 +01:00
fields = ["id", "email", "full_name", "short_name", "language"]
✨(backend) add full_name and short_name to user model and API The full_name and short_name field are synchronized with the OIDC token upon each login.
2024-09-30 15:13:42 +02:00
read_only_fields = ["id", "email", "full_name", "short_name"]
✨(project) first proof of concept printing pdf from markdown This is a boilerplate inspired from https://github.com/openfun/joanie
2024-01-09 15:30:36 +01:00
♻️(backend) refactor post hackathon to a first working version This project was copied and hacked to make a POC in a 2-day hackathon. We need to clean and refactor things in order to get a first version of the product we want.
2024-02-09 19:32:12 +01:00
🔒️(back) restrict accesss to document accesses Every user having an access to a document, no matter its role have access to the entire accesses list with all the user details. Only owner or admin should be able to have the entire list, for the other roles, they have access to the list containing only owner and administrator with less information on the username. The email and its id is removed
2025-03-24 23:36:24 +01:00
class UserLightSerializer(UserSerializer):
"""Serialize users with limited fields."""
id = serializers.SerializerMethodField(read_only=True)
email = serializers.SerializerMethodField(read_only=True)
def get_id(self, _user):
"""Return always None. Here to have the same fields than in UserSerializer."""
return None
def get_email(self, _user):
"""Return always None. Here to have the same fields than in UserSerializer."""
return None
class Meta:
model = models.User
fields = ["id", "email", "full_name", "short_name"]
read_only_fields = ["id", "email", "full_name", "short_name"]
✨(models/api) add document model and API We do this by making copies of existing Template and TemplateAccess models and API. A little refactoring is done to try to limit duplicate code.
2024-04-03 18:50:28 +02:00
class BaseAccessSerializer(serializers.ModelSerializer):
♻️(backend) refactor post hackathon to a first working version This project was copied and hacked to make a POC in a 2-day hackathon. We need to clean and refactor things in order to get a first version of the product we want.
2024-02-09 19:32:12 +01:00
"""Serialize template accesses."""
✨(project) first proof of concept printing pdf from markdown This is a boilerplate inspired from https://github.com/openfun/joanie
2024-01-09 15:30:36 +01:00
abilities = serializers.SerializerMethodField(read_only=True)
def update(self, instance, validated_data):
"""Make "user" field is readonly but only on update."""
validated_data.pop("user", None)
return super().update(instance, validated_data)
def get_abilities(self, access) -> dict:
"""Return abilities of the logged-in user on the instance."""
request = self.context.get("request")
if request:
return access.get_abilities(request.user)
return {}
def validate(self, attrs):
"""
Check access rights specific to writing (create/update)
"""
request = self.context.get("request")
user = getattr(request, "user", None)
role = attrs.get("role")
# Update
if self.instance:
can_set_role_to = self.instance.get_abilities(user)["set_role_to"]
if role and role not in can_set_role_to:
message = (
f"You are only allowed to set role to {', '.join(can_set_role_to)}"
if can_set_role_to
♻️(backend) refactor post hackathon to a first working version This project was copied and hacked to make a POC in a 2-day hackathon. We need to clean and refactor things in order to get a first version of the product we want.
2024-02-09 19:32:12 +01:00
else "You are not allowed to set this role for this template."
✨(project) first proof of concept printing pdf from markdown This is a boilerplate inspired from https://github.com/openfun/joanie
2024-01-09 15:30:36 +01:00
)
raise exceptions.PermissionDenied(message)
# Create
else:
try:
✨(models/api) add document model and API We do this by making copies of existing Template and TemplateAccess models and API. A little refactoring is done to try to limit duplicate code.
2024-04-03 18:50:28 +02:00
resource_id = self.context["resource_id"]
✨(project) first proof of concept printing pdf from markdown This is a boilerplate inspired from https://github.com/openfun/joanie
2024-01-09 15:30:36 +01:00
except KeyError as exc:
raise exceptions.ValidationError(
✨(models/api) add document model and API We do this by making copies of existing Template and TemplateAccess models and API. A little refactoring is done to try to limit duplicate code.
2024-04-03 18:50:28 +02:00
"You must set a resource ID in kwargs to create a new access."
✨(project) first proof of concept printing pdf from markdown This is a boilerplate inspired from https://github.com/openfun/joanie
2024-01-09 15:30:36 +01:00
) from exc
✨(models/api) add document model and API We do this by making copies of existing Template and TemplateAccess models and API. A little refactoring is done to try to limit duplicate code.
2024-04-03 18:50:28 +02:00
if not self.Meta.model.objects.filter( # pylint: disable=no-member
🛂(backend) stop to list public doc to everyone Everybody could see the full list of public docs. Now only members can see their public docs. They can still access to any specific public doc.
2024-09-06 16:12:02 +02:00
Q(user=user) | Q(team__in=user.teams),
✨(project) first proof of concept printing pdf from markdown This is a boilerplate inspired from https://github.com/openfun/joanie
2024-01-09 15:30:36 +01:00
role__in=[models.RoleChoices.OWNER, models.RoleChoices.ADMIN],
🐛(backend) fix dysfunctional permissions on document create When creating a document access, users were benefitting on the targeted document from the highest access right they have among all documents. This is because we forgot to filter on the document ID when retrieving the role of the user. We improved all tests to secure this issue.
2024-10-11 20:42:16 +02:00
**{self.Meta.resource_field_name: resource_id}, # pylint: disable=no-member
✨(project) first proof of concept printing pdf from markdown This is a boilerplate inspired from https://github.com/openfun/joanie
2024-01-09 15:30:36 +01:00
).exists():
raise exceptions.PermissionDenied(
✨(models/api) add document model and API We do this by making copies of existing Template and TemplateAccess models and API. A little refactoring is done to try to limit duplicate code.
2024-04-03 18:50:28 +02:00
"You are not allowed to manage accesses for this resource."
✨(project) first proof of concept printing pdf from markdown This is a boilerplate inspired from https://github.com/openfun/joanie
2024-01-09 15:30:36 +01:00
)
if (
role == models.RoleChoices.OWNER
✨(models/api) add document model and API We do this by making copies of existing Template and TemplateAccess models and API. A little refactoring is done to try to limit duplicate code.
2024-04-03 18:50:28 +02:00
and not self.Meta.model.objects.filter( # pylint: disable=no-member
🛂(backend) stop to list public doc to everyone Everybody could see the full list of public docs. Now only members can see their public docs. They can still access to any specific public doc.
2024-09-06 16:12:02 +02:00
Q(user=user) | Q(team__in=user.teams),
✨(project) first proof of concept printing pdf from markdown This is a boilerplate inspired from https://github.com/openfun/joanie
2024-01-09 15:30:36 +01:00
role=models.RoleChoices.OWNER,
✨(models/api) add document model and API We do this by making copies of existing Template and TemplateAccess models and API. A little refactoring is done to try to limit duplicate code.
2024-04-03 18:50:28 +02:00
**{self.Meta.resource_field_name: resource_id}, # pylint: disable=no-member
✨(project) first proof of concept printing pdf from markdown This is a boilerplate inspired from https://github.com/openfun/joanie
2024-01-09 15:30:36 +01:00
).exists()
):
raise exceptions.PermissionDenied(
✨(models/api) add document model and API We do this by making copies of existing Template and TemplateAccess models and API. A little refactoring is done to try to limit duplicate code.
2024-04-03 18:50:28 +02:00
"Only owners of a resource can assign other users as owners."
✨(project) first proof of concept printing pdf from markdown This is a boilerplate inspired from https://github.com/openfun/joanie
2024-01-09 15:30:36 +01:00
)
✨(models/api) add document model and API We do this by making copies of existing Template and TemplateAccess models and API. A little refactoring is done to try to limit duplicate code.
2024-04-03 18:50:28 +02:00
# pylint: disable=no-member
attrs[f"{self.Meta.resource_field_name}_id"] = self.context["resource_id"]
✨(project) first proof of concept printing pdf from markdown This is a boilerplate inspired from https://github.com/openfun/joanie
2024-01-09 15:30:36 +01:00
return attrs
✨(models/api) add document model and API We do this by making copies of existing Template and TemplateAccess models and API. A little refactoring is done to try to limit duplicate code.
2024-04-03 18:50:28 +02:00
class DocumentAccessSerializer(BaseAccessSerializer):
"""Serialize document accesses."""
👔(backend) object user on DocumentAccessSerializer user field was displaying the userid, but we need to return the user object on the DocumentAccessSerializer, so we can show the user email on the frontend. We add the user_id field in write_only mode, so we can keep create and update.
2024-05-31 17:06:39 +02:00
user_id = serializers.PrimaryKeyRelatedField(
queryset=models.User.objects.all(),
write_only=True,
source="user",
required=False,
allow_null=True,
)
user = UserSerializer(read_only=True)
✨(models/api) add document model and API We do this by making copies of existing Template and TemplateAccess models and API. A little refactoring is done to try to limit duplicate code.
2024-04-03 18:50:28 +02:00
class Meta:
model = models.DocumentAccess
resource_field_name = "document"
👔(backend) object user on DocumentAccessSerializer user field was displaying the userid, but we need to return the user object on the DocumentAccessSerializer, so we can show the user email on the frontend. We add the user_id field in write_only mode, so we can keep create and update.
2024-05-31 17:06:39 +02:00
fields = ["id", "user", "user_id", "team", "role", "abilities"]
✨(models/api) add document model and API We do this by making copies of existing Template and TemplateAccess models and API. A little refactoring is done to try to limit duplicate code.
2024-04-03 18:50:28 +02:00
read_only_fields = ["id", "abilities"]
✨(project) first proof of concept printing pdf from markdown This is a boilerplate inspired from https://github.com/openfun/joanie
2024-01-09 15:30:36 +01:00
✨(models/api) add document model and API We do this by making copies of existing Template and TemplateAccess models and API. A little refactoring is done to try to limit duplicate code.
2024-04-03 18:50:28 +02:00
🔒️(back) restrict accesss to document accesses Every user having an access to a document, no matter its role have access to the entire accesses list with all the user details. Only owner or admin should be able to have the entire list, for the other roles, they have access to the list containing only owner and administrator with less information on the username. The email and its id is removed
2025-03-24 23:36:24 +01:00
class DocumentAccessLightSerializer(DocumentAccessSerializer):
"""Serialize document accesses with limited fields."""
user = UserLightSerializer(read_only=True)
class Meta:
model = models.DocumentAccess
fields = ["id", "user", "team", "role", "abilities"]
read_only_fields = ["id", "team", "role", "abilities"]
✨(models/api) add document model and API We do this by making copies of existing Template and TemplateAccess models and API. A little refactoring is done to try to limit duplicate code.
2024-04-03 18:50:28 +02:00
class TemplateAccessSerializer(BaseAccessSerializer):
"""Serialize template accesses."""
✨(project) first proof of concept printing pdf from markdown This is a boilerplate inspired from https://github.com/openfun/joanie
2024-01-09 15:30:36 +01:00
class Meta:
✨(models/api) add document model and API We do this by making copies of existing Template and TemplateAccess models and API. A little refactoring is done to try to limit duplicate code.
2024-04-03 18:50:28 +02:00
model = models.TemplateAccess
resource_field_name = "template"
fields = ["id", "user", "team", "role", "abilities"]
read_only_fields = ["id", "abilities"]
✨(project) first proof of concept printing pdf from markdown This is a boilerplate inspired from https://github.com/openfun/joanie
2024-01-09 15:30:36 +01:00
✨(models/api) add document model and API We do this by making copies of existing Template and TemplateAccess models and API. A little refactoring is done to try to limit duplicate code.
2024-04-03 18:50:28 +02:00
✨(backend) add "tree" action on document API endpoint We want to display the tree structure to which a document belongs on the left side panel of its detail view. For this, we need an endpoint to retrieve the list view of the document's ancestors opened. By opened, we mean that when display the document, we also need to display its siblings. When displaying the parent of the current document, we also need to display the siblings of the parent...
2025-02-16 17:26:51 +01:00
class ListDocumentSerializer(serializers.ModelSerializer):
⚡️(backend) optimize number of queries on document list view I realized most of the database queries made when getting a document list view were to include nested accesses. This detailed information about accesses in only necessary for the document detail view. I introduced a specific serializer for the document list view with less fields. For a list of 20 documents with 5 accesses, we go down from 3x5x20= 300 queries to just 3 queries.
2024-11-09 10:27:21 +01:00
"""Serialize documents with limited fields for display in lists."""
✨(models/api) add document model and API We do this by making copies of existing Template and TemplateAccess models and API. A little refactoring is done to try to limit duplicate code.
2024-04-03 18:50:28 +02:00
✨(backend) allow users to mark/unmark documents as favorite A user can now mark/unmark documents as favorite. This is done via a new action of the document API endpoint: /api/v1.0/documents/{document_id}/favorite POST to mark as favorite / DELETE to unmark
2024-11-09 10:45:38 +01:00
is_favorite = serializers.BooleanField(read_only=True)
✨(backend) add number of direct accesses related to a document The "nb_accesses" field was displaying the number of access instances related to a document or any of its ancestors. Some features on the frontend require to know how many of these access instances are related to the document directly.
2025-02-26 09:27:00 +01:00
nb_accesses_ancestors = serializers.IntegerField(read_only=True)
nb_accesses_direct = serializers.IntegerField(read_only=True)
✨(backend) add user roles as field in the document API representation user roles were already computed as an annotation on the query for performance as we must look at all the document's ancestors to determine the roles that apply recursively. We can easily expose them as readonly via the serializer.
2025-01-02 14:02:03 +01:00
user_roles = serializers.SerializerMethodField(read_only=True)
✨(backend) add "tree" action on document API endpoint We want to display the tree structure to which a document belongs on the left side panel of its detail view. For this, we need an endpoint to retrieve the list view of the document's ancestors opened. By opened, we mean that when display the document, we also need to display its siblings. When displaying the parent of the current document, we also need to display the siblings of the parent...
2025-02-16 17:26:51 +01:00
abilities = serializers.SerializerMethodField(read_only=True)
✨(documents) add content field as an S3 object The content field is a writable property on the model which is persisted in object storage. We take advantage of the versioning, robustness and scalability of S3.
2024-04-06 09:09:46 +02:00
✨(models/api) add document model and API We do this by making copies of existing Template and TemplateAccess models and API. A little refactoring is done to try to limit duplicate code.
2024-04-03 18:50:28 +02:00
class Meta:
model = models.Document
♻️(backend) add more info to doc Update the serializer to include more info about the doc: - created date - updated date
2024-07-02 12:47:22 +02:00
fields = [
"id",
✨(backend) retrieve & update a document taking into account ancestors A document should inherit the access rights a user has on any of its ancestors.
2024-12-17 07:47:23 +01:00
"abilities",
⚡️(backend) optimize number of queries on document list view I realized most of the database queries made when getting a document list view were to include nested accesses. This detailed information about accesses in only necessary for the document detail view. I introduced a specific serializer for the document list view with less fields. For a list of 20 documents with 5 accesses, we go down from 3x5x20= 300 queries to just 3 queries.
2024-11-09 10:27:21 +01:00
"created_at",
✨(backend) add creator field on document and allow filtering on it We want to be able to limit the documents displayed on a logged-in user's list view by the documents they created or by the documents that other users created. This is different from having the "owner" role on a document because this can be acquired and even lost. What we want here is to be able to identify documents by the user who created them so we add a new field.
2024-11-12 16:28:34 +01:00
"creator",
✨(backend) add depth, path and numchild to serialized document This information is useful for the frontend to display the document tree structure and is cheap to expose.
2024-12-17 17:53:05 +01:00
"depth",
♻️(backend) remove content from list serializer and introduce excerpt Including the content field in the list view is not efficient as we need to query the object storage to retrieve it. We want to display an excerpt of the content on the list view so we should store it in database. We let the frontend compute it and save it for us in the new "excerpt" field because we are not supposed to have access to the content (E2EE feature coming)
2024-12-18 11:37:01 +01:00
"excerpt",
✨(backend) allow users to mark/unmark documents as favorite A user can now mark/unmark documents as favorite. This is done via a new action of the document API endpoint: /api/v1.0/documents/{document_id}/favorite POST to mark as favorite / DELETE to unmark
2024-11-09 10:45:38 +01:00
"is_favorite",
⚡️(backend) optimize number of queries on document list view I realized most of the database queries made when getting a document list view were to include nested accesses. This detailed information about accesses in only necessary for the document detail view. I introduced a specific serializer for the document list view with less fields. For a list of 20 documents with 5 accesses, we go down from 3x5x20= 300 queries to just 3 queries.
2024-11-09 10:27:21 +01:00
"link_role",
"link_reach",
✨(backend) add number of direct accesses related to a document The "nb_accesses" field was displaying the number of access instances related to a document or any of its ancestors. Some features on the frontend require to know how many of these access instances are related to the document directly.
2025-02-26 09:27:00 +01:00
"nb_accesses_ancestors",
"nb_accesses_direct",
✨(backend) add depth, path and numchild to serialized document This information is useful for the frontend to display the document tree structure and is cheap to expose.
2024-12-17 17:53:05 +01:00
"numchild",
"path",
♻️(backend) add more info to doc Update the serializer to include more info about the doc: - created date - updated date
2024-07-02 12:47:22 +02:00
"title",
⚡️(backend) optimize number of queries on document list view I realized most of the database queries made when getting a document list view were to include nested accesses. This detailed information about accesses in only necessary for the document detail view. I introduced a specific serializer for the document list view with less fields. For a list of 20 documents with 5 accesses, we go down from 3x5x20= 300 queries to just 3 queries.
2024-11-09 10:27:21 +01:00
"updated_at",
✨(backend) add user roles as field in the document API representation user roles were already computed as an annotation on the query for performance as we must look at all the document's ancestors to determine the roles that apply recursively. We can easily expose them as readonly via the serializer.
2025-01-02 14:02:03 +01:00
"user_roles",
⚡️(backend) optimize number of queries on document list view I realized most of the database queries made when getting a document list view were to include nested accesses. This detailed information about accesses in only necessary for the document detail view. I introduced a specific serializer for the document list view with less fields. For a list of 20 documents with 5 accesses, we go down from 3x5x20= 300 queries to just 3 queries.
2024-11-09 10:27:21 +01:00
]
read_only_fields = [
"id",
♻️(backend) add more info to doc Update the serializer to include more info about the doc: - created date - updated date
2024-07-02 12:47:22 +02:00
"abilities",
⚡️(backend) optimize number of queries on document list view I realized most of the database queries made when getting a document list view were to include nested accesses. This detailed information about accesses in only necessary for the document detail view. I introduced a specific serializer for the document list view with less fields. For a list of 20 documents with 5 accesses, we go down from 3x5x20= 300 queries to just 3 queries.
2024-11-09 10:27:21 +01:00
"created_at",
✨(backend) add creator field on document and allow filtering on it We want to be able to limit the documents displayed on a logged-in user's list view by the documents they created or by the documents that other users created. This is different from having the "owner" role on a document because this can be acquired and even lost. What we want here is to be able to identify documents by the user who created them so we add a new field.
2024-11-12 16:28:34 +01:00
"creator",
✨(backend) add depth, path and numchild to serialized document This information is useful for the frontend to display the document tree structure and is cheap to expose.
2024-12-17 17:53:05 +01:00
"depth",
♻️(backend) remove content from list serializer and introduce excerpt Including the content field in the list view is not efficient as we need to query the object storage to retrieve it. We want to display an excerpt of the content on the list view so we should store it in database. We let the frontend compute it and save it for us in the new "excerpt" field because we are not supposed to have access to the content (E2EE feature coming)
2024-12-18 11:37:01 +01:00
"excerpt",
✨(backend) allow users to mark/unmark documents as favorite A user can now mark/unmark documents as favorite. This is done via a new action of the document API endpoint: /api/v1.0/documents/{document_id}/favorite POST to mark as favorite / DELETE to unmark
2024-11-09 10:45:38 +01:00
"is_favorite",
✨(models/api) add link access reach and role Link access was either public or private and was only allowing readers. This commit makes link access more powerful: - link reach can be private (users need to obtain specific access by document's administrators), restricted (any authenticated user) or public (anybody including anonymous users) - link role can be reader or editor. It is thus now possible to give editor access to an anonymous user or any authenticated user.
2024-09-08 23:37:49 +02:00
"link_role",
"link_reach",
✨(backend) add number of direct accesses related to a document The "nb_accesses" field was displaying the number of access instances related to a document or any of its ancestors. Some features on the frontend require to know how many of these access instances are related to the document directly.
2025-02-26 09:27:00 +01:00
"nb_accesses_ancestors",
"nb_accesses_direct",
✨(backend) add depth, path and numchild to serialized document This information is useful for the frontend to display the document tree structure and is cheap to expose.
2024-12-17 17:53:05 +01:00
"numchild",
"path",
⚡️(backend) optimize number of queries on document list view I realized most of the database queries made when getting a document list view were to include nested accesses. This detailed information about accesses in only necessary for the document detail view. I introduced a specific serializer for the document list view with less fields. For a list of 20 documents with 5 accesses, we go down from 3x5x20= 300 queries to just 3 queries.
2024-11-09 10:27:21 +01:00
"updated_at",
✨(backend) add user roles as field in the document API representation user roles were already computed as an annotation on the query for performance as we must look at all the document's ancestors to determine the roles that apply recursively. We can easily expose them as readonly via the serializer.
2025-01-02 14:02:03 +01:00
"user_roles",
⚡️(backend) optimize number of queries on document list view I realized most of the database queries made when getting a document list view were to include nested accesses. This detailed information about accesses in only necessary for the document detail view. I introduced a specific serializer for the document list view with less fields. For a list of 20 documents with 5 accesses, we go down from 3x5x20= 300 queries to just 3 queries.
2024-11-09 10:27:21 +01:00
]
✨(backend) add "tree" action on document API endpoint We want to display the tree structure to which a document belongs on the left side panel of its detail view. For this, we need an endpoint to retrieve the list view of the document's ancestors opened. By opened, we mean that when display the document, we also need to display its siblings. When displaying the parent of the current document, we also need to display the siblings of the parent...
2025-02-16 17:26:51 +01:00
def get_abilities(self, document) -> dict:
"""Return abilities of the logged-in user on the instance."""
request = self.context.get("request")
if request:
✨(backend) add new "descendants" action to document API endpoint We want to be able to make a search query inside a hierchical document. It's elegant to do it as a document detail action so that we benefit from access control.
2025-02-17 10:25:07 +01:00
paths_links_mapping = self.context.get("paths_links_mapping", None)
# Retrieve ancestor links from paths_links_mapping (if provided)
ancestors_links = (
paths_links_mapping.get(document.path[: -document.steplen])
if paths_links_mapping
else None
)
return document.get_abilities(request.user, ancestors_links=ancestors_links)
✨(backend) add "tree" action on document API endpoint We want to display the tree structure to which a document belongs on the left side panel of its detail view. For this, we need an endpoint to retrieve the list view of the document's ancestors opened. By opened, we mean that when display the document, we also need to display its siblings. When displaying the parent of the current document, we also need to display the siblings of the parent...
2025-02-16 17:26:51 +01:00
return {}
✨(backend) add user roles as field in the document API representation user roles were already computed as an annotation on the query for performance as we must look at all the document's ancestors to determine the roles that apply recursively. We can easily expose them as readonly via the serializer.
2025-01-02 14:02:03 +01:00
def get_user_roles(self, document):
"""
Return roles of the logged-in user for the current document,
taking into account ancestors.
"""
request = self.context.get("request")
if request:
return document.get_roles(request.user)
return []
⚡️(backend) optimize number of queries on document list view I realized most of the database queries made when getting a document list view were to include nested accesses. This detailed information about accesses in only necessary for the document detail view. I introduced a specific serializer for the document list view with less fields. For a list of 20 documents with 5 accesses, we go down from 3x5x20= 300 queries to just 3 queries.
2024-11-09 10:27:21 +01:00
class DocumentSerializer(ListDocumentSerializer):
"""Serialize documents with all fields for display in detail views."""
content = serializers.CharField(required=False)
class Meta:
model = models.Document
fields = [
"id",
"abilities",
"content",
✨(models/api) add link access reach and role Link access was either public or private and was only allowing readers. This commit makes link access more powerful: - link reach can be private (users need to obtain specific access by document's administrators), restricted (any authenticated user) or public (anybody including anonymous users) - link role can be reader or editor. It is thus now possible to give editor access to an anonymous user or any authenticated user.
2024-09-08 23:37:49 +02:00
"created_at",
✨(backend) add creator field on document and allow filtering on it We want to be able to limit the documents displayed on a logged-in user's list view by the documents they created or by the documents that other users created. This is different from having the "owner" role on a document because this can be acquired and even lost. What we want here is to be able to identify documents by the user who created them so we add a new field.
2024-11-12 16:28:34 +01:00
"creator",
✨(backend) add depth, path and numchild to serialized document This information is useful for the frontend to display the document tree structure and is cheap to expose.
2024-12-17 17:53:05 +01:00
"depth",
♻️(backend) remove content from list serializer and introduce excerpt Including the content field in the list view is not efficient as we need to query the object storage to retrieve it. We want to display an excerpt of the content on the list view so we should store it in database. We let the frontend compute it and save it for us in the new "excerpt" field because we are not supposed to have access to the content (E2EE feature coming)
2024-12-18 11:37:01 +01:00
"excerpt",
✨(backend) allow users to mark/unmark documents as favorite A user can now mark/unmark documents as favorite. This is done via a new action of the document API endpoint: /api/v1.0/documents/{document_id}/favorite POST to mark as favorite / DELETE to unmark
2024-11-09 10:45:38 +01:00
"is_favorite",
⚡️(backend) optimize number of queries on document list view I realized most of the database queries made when getting a document list view were to include nested accesses. This detailed information about accesses in only necessary for the document detail view. I introduced a specific serializer for the document list view with less fields. For a list of 20 documents with 5 accesses, we go down from 3x5x20= 300 queries to just 3 queries.
2024-11-09 10:27:21 +01:00
"link_role",
"link_reach",
✨(backend) add number of direct accesses related to a document The "nb_accesses" field was displaying the number of access instances related to a document or any of its ancestors. Some features on the frontend require to know how many of these access instances are related to the document directly.
2025-02-26 09:27:00 +01:00
"nb_accesses_ancestors",
"nb_accesses_direct",
✨(backend) add depth, path and numchild to serialized document This information is useful for the frontend to display the document tree structure and is cheap to expose.
2024-12-17 17:53:05 +01:00
"numchild",
"path",
⚡️(backend) optimize number of queries on document list view I realized most of the database queries made when getting a document list view were to include nested accesses. This detailed information about accesses in only necessary for the document detail view. I introduced a specific serializer for the document list view with less fields. For a list of 20 documents with 5 accesses, we go down from 3x5x20= 300 queries to just 3 queries.
2024-11-09 10:27:21 +01:00
"title",
✨(models/api) add link access reach and role Link access was either public or private and was only allowing readers. This commit makes link access more powerful: - link reach can be private (users need to obtain specific access by document's administrators), restricted (any authenticated user) or public (anybody including anonymous users) - link role can be reader or editor. It is thus now possible to give editor access to an anonymous user or any authenticated user.
2024-09-08 23:37:49 +02:00
"updated_at",
✨(backend) add user roles as field in the document API representation user roles were already computed as an annotation on the query for performance as we must look at all the document's ancestors to determine the roles that apply recursively. We can easily expose them as readonly via the serializer.
2025-01-02 14:02:03 +01:00
"user_roles",
✨(models/api) add link access reach and role Link access was either public or private and was only allowing readers. This commit makes link access more powerful: - link reach can be private (users need to obtain specific access by document's administrators), restricted (any authenticated user) or public (anybody including anonymous users) - link role can be reader or editor. It is thus now possible to give editor access to an anonymous user or any authenticated user.
2024-09-08 23:37:49 +02:00
]
read_only_fields = [
"id",
"abilities",
⚡️(backend) optimize number of queries on document list view I realized most of the database queries made when getting a document list view were to include nested accesses. This detailed information about accesses in only necessary for the document detail view. I introduced a specific serializer for the document list view with less fields. For a list of 20 documents with 5 accesses, we go down from 3x5x20= 300 queries to just 3 queries.
2024-11-09 10:27:21 +01:00
"created_at",
✨(backend) add creator field on document and allow filtering on it We want to be able to limit the documents displayed on a logged-in user's list view by the documents they created or by the documents that other users created. This is different from having the "owner" role on a document because this can be acquired and even lost. What we want here is to be able to identify documents by the user who created them so we add a new field.
2024-11-12 16:28:34 +01:00
"creator",
✨(backend) add depth, path and numchild to serialized document This information is useful for the frontend to display the document tree structure and is cheap to expose.
2024-12-17 17:53:05 +01:00
"depth",
✏️(backend) fix read_only_fields is_favorite is_favorite has a typo error. This commit fixes it.
2025-01-15 11:57:32 +01:00
"is_favorite",
✨(models/api) add link access reach and role Link access was either public or private and was only allowing readers. This commit makes link access more powerful: - link reach can be private (users need to obtain specific access by document's administrators), restricted (any authenticated user) or public (anybody including anonymous users) - link role can be reader or editor. It is thus now possible to give editor access to an anonymous user or any authenticated user.
2024-09-08 23:37:49 +02:00
"link_role",
"link_reach",
✨(backend) add number of direct accesses related to a document The "nb_accesses" field was displaying the number of access instances related to a document or any of its ancestors. Some features on the frontend require to know how many of these access instances are related to the document directly.
2025-02-26 09:27:00 +01:00
"nb_accesses_ancestors",
"nb_accesses_direct",
✨(backend) add depth, path and numchild to serialized document This information is useful for the frontend to display the document tree structure and is cheap to expose.
2024-12-17 17:53:05 +01:00
"numchild",
"path",
♻️(backend) add more info to doc Update the serializer to include more info about the doc: - created date - updated date
2024-07-02 12:47:22 +02:00
"updated_at",
✨(backend) add user roles as field in the document API representation user roles were already computed as an annotation on the query for performance as we must look at all the document's ancestors to determine the roles that apply recursively. We can easily expose them as readonly via the serializer.
2025-01-02 14:02:03 +01:00
"user_roles",
♻️(backend) add more info to doc Update the serializer to include more info about the doc: - created date - updated date
2024-07-02 12:47:22 +02:00
]
✨(models/api) add document model and API We do this by making copies of existing Template and TemplateAccess models and API. A little refactoring is done to try to limit duplicate code.
2024-04-03 18:50:28 +02:00
✨(api) allow forcing ID when creating a document via API endpoint We need to be able to force the ID when creating a document via the API endpoint. This is usefull for documents that are created offline as synchronization is achieved by replaying stacked requests. We do it via the serializer, making sure that we don't override an existing document.
2024-09-09 19:31:26 +02:00
def get_fields(self):
"""Dynamically make `id` read-only on PUT requests but writable on POST requests."""
fields = super().get_fields()
request = self.context.get("request")
if request and request.method == "POST":
fields["id"].read_only = False
return fields
def validate_id(self, value):
"""Ensure the provided ID does not already exist when creating a new document."""
request = self.context.get("request")
# Only check this on POST (creation)
if request and request.method == "POST":
if models.Document.objects.filter(id=value).exists():
raise serializers.ValidationError(
"A document with this ID already exists. You cannot override it."
)
return value
🐛(back) validate document content in serializer We recently extract images url in the content. For this, we assume that the document content is always in base64. We enforce this assumption by checking if it's a valide base64 in the serializer.
2025-03-28 18:15:20 +01:00
def validate_content(self, value):
"""Validate the content field."""
if not value:
return None
try:
b64decode(value, validate=True)
except binascii.Error as err:
raise serializers.ValidationError("Invalid base64 content.") from err
return value
✨(backend) extract attachment keys from updated content for access We can't prevent document editors from copy/pasting content to from one document to another. The problem is that copying content, will copy the urls pointing to attachments but if we don't do anything, the reader of the document to which the content is being pasted, may not be allowed to access the attachment files from the original document. Using the work from the previous commit, we can grant access to the readers of the target document by extracting the attachment keys from the content and adding themto the target document's "attachments" field. Before doing this, we check that the current user can indeed access the attachment files extracted from the content and that they are allowed to edit the current document.
2025-01-21 23:56:50 +01:00
def save(self, **kwargs):
"""
Process the content field to extract attachment keys and update the document's
"attachments" field for access control.
"""
content = self.validated_data.get("content", "")
extracted_attachments = set(utils.extract_attachments(content))
existing_attachments = (
set(self.instance.attachments or []) if self.instance else set()
)
new_attachments = extracted_attachments - existing_attachments
if new_attachments:
attachments_documents = (
models.Document.objects.filter(
attachments__overlap=list(new_attachments)
)
.only("path", "attachments")
.order_by("path")
)
user = self.context["request"].user
readable_per_se_paths = (
models.Document.objects.readable_per_se(user)
.order_by("path")
.values_list("path", flat=True)
)
readable_attachments_paths = utils.filter_descendants(
[doc.path for doc in attachments_documents],
readable_per_se_paths,
skip_sorting=True,
)
readable_attachments = set()
for document in attachments_documents:
if document.path not in readable_attachments_paths:
continue
readable_attachments.update(set(document.attachments) & new_attachments)
# Update attachments with readable keys
self.validated_data["attachments"] = list(
existing_attachments | readable_attachments
)
return super().save(**kwargs)
✨(models/api) add document model and API We do this by making copies of existing Template and TemplateAccess models and API. A little refactoring is done to try to limit duplicate code.
2024-04-03 18:50:28 +02:00
✨(backend) add server-to-server API endpoint to create documents We want trusted external applications to be able to create documents via the API on behalf of any user. The user may or may not pre-exist in our database and should be notified of the document creation by email.
2024-12-01 11:25:01 +01:00
class ServerCreateDocumentSerializer(serializers.Serializer):
"""
Serializer for creating a document from a server-to-server request.
Expects 'content' as a markdown string, which is converted to our internal format
via a Node.js microservice. The conversion is handled automatically, so third parties
only need to provide markdown.
Both "sub" and "email" are required because the external app calling doesn't know
if the user will pre-exist in Docs database. If the user pre-exist, we will ignore the
submitted "email" field and use the email address set on the user account in our database
"""
# Document
title = serializers.CharField(required=True)
content = serializers.CharField(required=True)
# User
sub = serializers.CharField(
required=True, validators=[models.User.sub_validator], max_length=255
)
email = serializers.EmailField(required=True)
language = serializers.ChoiceField(
required=False, choices=lazy(lambda: settings.LANGUAGES, tuple)()
)
# Invitation
message = serializers.CharField(required=False)
subject = serializers.CharField(required=False)
def create(self, validated_data):
"""Create the document and associate it with the user or send an invitation."""
language = validated_data.get("language", settings.LANGUAGE_CODE)
🐛(backend) fix create document for user when sub does not match When creating a document on behalf of a user via the server-to-server API, a special edge case was broken that should should never happen but happens in our OIDC federation because one of the provider modifies the users "sub" each time they login. We end-up with existing users for who the email matches but not the sub. They were not correctly handled. I made a few additional fixes and improvements to the endpoint.
2025-01-10 09:50:48 +01:00
# Get the user on its sub (unique identifier). Default on email if allowed in settings
email = validated_data["email"]
✨(backend) add server-to-server API endpoint to create documents We want trusted external applications to be able to create documents via the API on behalf of any user. The user may or may not pre-exist in our database and should be notified of the document creation by email.
2024-12-01 11:25:01 +01:00
try:
🐛(backend) fix create document for user when sub does not match When creating a document on behalf of a user via the server-to-server API, a special edge case was broken that should should never happen but happens in our OIDC federation because one of the provider modifies the users "sub" each time they login. We end-up with existing users for who the email matches but not the sub. They were not correctly handled. I made a few additional fixes and improvements to the endpoint.
2025-01-10 09:50:48 +01:00
user = models.User.objects.get_user_by_sub_or_email(
validated_data["sub"], email
)
except models.DuplicateEmailError as err:
raise serializers.ValidationError({"email": [err.message]}) from err
if user:
✨(backend) add server-to-server API endpoint to create documents We want trusted external applications to be able to create documents via the API on behalf of any user. The user may or may not pre-exist in our database and should be notified of the document creation by email.
2024-12-01 11:25:01 +01:00
email = user.email
language = user.language or language
try:
🐛(backend) fix issues with conversion microservice integration Minor adjustments were needed after working in parallel on two PRs. The microservice now accepts an API key without requiring it as a Bearer token. A mistake in reading the microservice response was corrected after refactoring the serializer to delegate logic to the converter microservice.
2024-12-13 12:21:55 +01:00
document_content = YdocConverter().convert_markdown(
✨(backend) add server-to-server API endpoint to create documents We want trusted external applications to be able to create documents via the API on behalf of any user. The user may or may not pre-exist in our database and should be notified of the document creation by email.
2024-12-01 11:25:01 +01:00
validated_data["content"]
)
except ConversionError as err:
🐛(backend) fix create document for user when sub does not match When creating a document on behalf of a user via the server-to-server API, a special edge case was broken that should should never happen but happens in our OIDC federation because one of the provider modifies the users "sub" each time they login. We end-up with existing users for who the email matches but not the sub. They were not correctly handled. I made a few additional fixes and improvements to the endpoint.
2025-01-10 09:50:48 +01:00
raise serializers.ValidationError(
{"content": ["Could not convert content"]}
) from err
✨(backend) add server-to-server API endpoint to create documents We want trusted external applications to be able to create documents via the API on behalf of any user. The user may or may not pre-exist in our database and should be notified of the document creation by email.
2024-12-01 11:25:01 +01:00
✨(backend) add django-treebeard to allow tree structure on documents We choose to use Django-treebeard for its quality, performance and stability. Adding tree structure to documents is as simple as inheriting from the MP_Node class.
2024-12-16 16:58:14 +01:00
document = models.Document.add_root(
✨(backend) add server-to-server API endpoint to create documents We want trusted external applications to be able to create documents via the API on behalf of any user. The user may or may not pre-exist in our database and should be notified of the document creation by email.
2024-12-01 11:25:01 +01:00
title=validated_data["title"],
🐛(backend) fix issues with conversion microservice integration Minor adjustments were needed after working in parallel on two PRs. The microservice now accepts an API key without requiring it as a Bearer token. A mistake in reading the microservice response was corrected after refactoring the serializer to delegate logic to the converter microservice.
2024-12-13 12:21:55 +01:00
content=document_content,
✨(backend) add server-to-server API endpoint to create documents We want trusted external applications to be able to create documents via the API on behalf of any user. The user may or may not pre-exist in our database and should be notified of the document creation by email.
2024-12-01 11:25:01 +01:00
creator=user,
)
if user:
# Associate the document with the pre-existing user
models.DocumentAccess.objects.create(
document=document,
role=models.RoleChoices.OWNER,
user=user,
)
else:
# The user doesn't exist in our database: we need to invite him/her
models.Invitation.objects.create(
document=document,
email=email,
role=models.RoleChoices.OWNER,
)
🐛(backend) fix create document for user when sub does not match When creating a document on behalf of a user via the server-to-server API, a special edge case was broken that should should never happen but happens in our OIDC federation because one of the provider modifies the users "sub" each time they login. We end-up with existing users for who the email matches but not the sub. They were not correctly handled. I made a few additional fixes and improvements to the endpoint.
2025-01-10 09:50:48 +01:00
self._send_email_notification(document, validated_data, email, language)
return document
def _send_email_notification(self, document, validated_data, email, language):
"""Notify the user about the newly created document."""
✨(backend) add server-to-server API endpoint to create documents We want trusted external applications to be able to create documents via the API on behalf of any user. The user may or may not pre-exist in our database and should be notified of the document creation by email.
2024-12-01 11:25:01 +01:00
subject = validated_data.get("subject") or _(
"A new document was created on your behalf!"
)
context = {
"message": validated_data.get("message")
or _("You have been granted ownership of a new document:"),
"title": subject,
}
document.send_email(subject, [email], context, language)
def update(self, instance, validated_data):
"""
This serializer does not support updates.
"""
raise NotImplementedError("Update is not supported for this serializer.")
✨(backend) add "tree" action on document API endpoint We want to display the tree structure to which a document belongs on the left side panel of its detail view. For this, we need an endpoint to retrieve the list view of the document's ancestors opened. By opened, we mean that when display the document, we also need to display its siblings. When displaying the parent of the current document, we also need to display the siblings of the parent...
2025-02-16 17:26:51 +01:00
class LinkDocumentSerializer(serializers.ModelSerializer):
✨(api) allow updating link configuration for a document We open a specific endpoint to update documents link configuration because it makes it more secure and simple to limit access rights to administrators/owners whereas other document fields like title and content can be edited by anonymous or authenticated users with much less access rights.
2024-09-08 23:07:47 +02:00
"""
Serialize link configuration for documents.
We expose it separately from document in order to simplify and secure access control.
"""
class Meta:
model = models.Document
fields = [
"link_role",
"link_reach",
]
✨(backend) add duplicate action to the document API endpoint We took this opportunity to refactor the way access is controlled on media attachments. We now add the media key to a list on the document instance each time a media is uploaded to a document. This list is passed along when a document is duplicated, allowing us to grant access to readers on the new document, even if they don't have or lost access to the original document. We also propose an option to reproduce the same access rights on the duplicate document as what was in place on the original document. This can be requested by passing the "with_accesses=true" option in the query string. The tricky point is that we need to extract attachment keys from the existing documents and set them on the new "attachments" field that is now used to track access rights on media files.
2025-01-20 10:23:18 +01:00
class DocumentDuplicationSerializer(serializers.Serializer):
"""
Serializer for duplicating a document.
Allows specifying whether to keep access permissions.
"""
with_accesses = serializers.BooleanField(default=False)
def create(self, validated_data):
"""
This serializer is not intended to create objects.
"""
raise NotImplementedError("This serializer does not support creation.")
def update(self, instance, validated_data):
"""
This serializer is not intended to update objects.
"""
raise NotImplementedError("This serializer does not support updating.")
✨(backend) allow uploading images as attachments to a document We only rely on S3 to store attachments for a document. Nothing is persisted in the database as the image media urls will be stored in the document json.
2024-08-19 22:35:48 +02:00
# Suppress the warning about not implementing `create` and `update` methods
# since we don't use a model and only rely on the serializer for validation
# pylint: disable=abstract-method
class FileUploadSerializer(serializers.Serializer):
"""Receive file upload requests."""
file = serializers.FileField()
def validate_file(self, file):
"""Add file size and type constraints as defined in settings."""
# Validate file size
if file.size > settings.DOCUMENT_IMAGE_MAX_SIZE:
max_size = settings.DOCUMENT_IMAGE_MAX_SIZE // (1024 * 1024)
raise serializers.ValidationError(
f"File size exceeds the maximum limit of {max_size:d} MB."
)
✨(backend) allow uploading more types of attachments We want to allow users to upload files to a document, not just images. We try to enforce coherence between the file extension and the real mime type of its content. If a file is deemed unsafe, it is still accepted during upload and the information is stored as metadata on the object for display to readers.
2024-10-07 20:10:42 +02:00
extension = file.name.rpartition(".")[-1] if "." in file.name else None
# Read the first few bytes to determine the MIME type accurately
mime = magic.Magic(mime=True)
magic_mime_type = mime.from_buffer(file.read(1024))
file.seek(0) # Reset file pointer to the beginning after reading
self.context["is_unsafe"] = (
magic_mime_type in settings.DOCUMENT_UNSAFE_MIME_TYPES
)
extension_mime_type, _ = mimetypes.guess_type(file.name)
# Try guessing a coherent extension from the mimetype
if extension_mime_type != magic_mime_type:
self.context["is_unsafe"] = True
guessed_ext = mimetypes.guess_extension(magic_mime_type)
# Missing extensions or extensions longer than 5 characters (it's as long as an extension
# can be) are replaced by the extension we eventually guessed from mimetype.
if (extension is None or len(extension) > 5) and guessed_ext:
extension = guessed_ext[1:]
if extension is None:
raise serializers.ValidationError("Could not determine file extension.")
self.context["expected_extension"] = extension
🏷️(backend) add content-type to uploaded files All the uploaded files had the content-type set to `application/octet-stream`. It create issues when the file is downloaded from the frontend because the browser doesn't know how to handle the file. We now determine the content-type of the file and set it to the file object.
2025-01-15 15:58:46 +01:00
self.context["content_type"] = magic_mime_type
🔒️(back) set ContentDisposition on media upload On the media upload endpoint, we want to set the content-disposition header. Its value is based on the uploaded file mime-type and if flagged as unsafe. If the file is not an image or is unsafe then the contentDisposition is set to attachment to force its download. Otherwise, we set it to inline.
2025-02-27 16:19:17 +01:00
self.context["file_name"] = file.name
✨(backend) allow uploading images as attachments to a document We only rely on S3 to store attachments for a document. Nothing is persisted in the database as the image media urls will be stored in the document json.
2024-08-19 22:35:48 +02:00
return file
✨(backend) allow uploading more types of attachments We want to allow users to upload files to a document, not just images. We try to enforce coherence between the file extension and the real mime type of its content. If a file is deemed unsafe, it is still accepted during upload and the information is stored as metadata on the object for display to readers.
2024-10-07 20:10:42 +02:00
def validate(self, attrs):
"""Override validate to add the computed extension to validated_data."""
attrs["expected_extension"] = self.context["expected_extension"]
attrs["is_unsafe"] = self.context["is_unsafe"]
🏷️(backend) add content-type to uploaded files All the uploaded files had the content-type set to `application/octet-stream`. It create issues when the file is downloaded from the frontend because the browser doesn't know how to handle the file. We now determine the content-type of the file and set it to the file object.
2025-01-15 15:58:46 +01:00
attrs["content_type"] = self.context["content_type"]
🔒️(back) set ContentDisposition on media upload On the media upload endpoint, we want to set the content-disposition header. Its value is based on the uploaded file mime-type and if flagged as unsafe. If the file is not an image or is unsafe then the contentDisposition is set to attachment to force its download. Otherwise, we set it to inline.
2025-02-27 16:19:17 +01:00
attrs["file_name"] = self.context["file_name"]
✨(backend) allow uploading more types of attachments We want to allow users to upload files to a document, not just images. We try to enforce coherence between the file extension and the real mime type of its content. If a file is deemed unsafe, it is still accepted during upload and the information is stored as metadata on the object for display to readers.
2024-10-07 20:10:42 +02:00
return attrs
✨(backend) allow uploading images as attachments to a document We only rely on S3 to store attachments for a document. Nothing is persisted in the database as the image media urls will be stored in the document json.
2024-08-19 22:35:48 +02:00
✨(backend) add "tree" action on document API endpoint We want to display the tree structure to which a document belongs on the left side panel of its detail view. For this, we need an endpoint to retrieve the list view of the document's ancestors opened. By opened, we mean that when display the document, we also need to display its siblings. When displaying the parent of the current document, we also need to display the siblings of the parent...
2025-02-16 17:26:51 +01:00
class TemplateSerializer(serializers.ModelSerializer):
✨(models/api) add document model and API We do this by making copies of existing Template and TemplateAccess models and API. A little refactoring is done to try to limit duplicate code.
2024-04-03 18:50:28 +02:00
"""Serialize templates."""
✨(backend) add "tree" action on document API endpoint We want to display the tree structure to which a document belongs on the left side panel of its detail view. For this, we need an endpoint to retrieve the list view of the document's ancestors opened. By opened, we mean that when display the document, we also need to display its siblings. When displaying the parent of the current document, we also need to display the siblings of the parent...
2025-02-16 17:26:51 +01:00
abilities = serializers.SerializerMethodField(read_only=True)
accesses = TemplateAccessSerializer(many=True, read_only=True)
✨(models/api) add document model and API We do this by making copies of existing Template and TemplateAccess models and API. A little refactoring is done to try to limit duplicate code.
2024-04-03 18:50:28 +02:00
class Meta:
model = models.Template
👔(backend) is_public in document and template serializer Add is_public field to document and template serializer.
2024-04-17 17:11:31 +02:00
fields = [
"id",
"title",
"accesses",
"abilities",
"css",
"code",
"is_public",
]
✨(models/api) add document model and API We do this by making copies of existing Template and TemplateAccess models and API. A little refactoring is done to try to limit duplicate code.
2024-04-03 18:50:28 +02:00
read_only_fields = ["id", "accesses", "abilities"]
✨(backend) add "tree" action on document API endpoint We want to display the tree structure to which a document belongs on the left side panel of its detail view. For this, we need an endpoint to retrieve the list view of the document's ancestors opened. By opened, we mean that when display the document, we also need to display its siblings. When displaying the parent of the current document, we also need to display the siblings of the parent...
2025-02-16 17:26:51 +01:00
def get_abilities(self, document) -> dict:
"""Return abilities of the logged-in user on the instance."""
request = self.context.get("request")
if request:
return document.get_abilities(request.user)
return {}
✨(models/api) add document model and API We do this by making copies of existing Template and TemplateAccess models and API. A little refactoring is done to try to limit duplicate code.
2024-04-03 18:50:28 +02:00
♻️(backend) refactor post hackathon to a first working version This project was copied and hacked to make a POC in a 2-day hackathon. We need to clean and refactor things in order to get a first version of the product we want.
2024-02-09 19:32:12 +01:00
# pylint: disable=abstract-method
class DocumentGenerationSerializer(serializers.Serializer):
"""Serializer to receive a request to generate a document on a template."""
🏷️(backend) add body type on generate-document endpoint We were converting from markdown to html, but the frontend can provide the body in html format, so wa can avoid the conversion. Solution: Add body type on generate-document endpoint to allow to choose between markdown and html.
2024-04-16 10:30:10 +02:00
body = serializers.CharField(label=_("Body"))
body_type = serializers.ChoiceField(
choices=["html", "markdown"],
label=_("Body type"),
required=False,
default="html",
)
🗃️(backend) export to docx We can now export our document to a docx file. This is done by converting the html to a docx file using the pypandoc and pandoc library. We added the "format" param to the generate-document endpoint, "format" accept "pdf" or "docx" as value.
2024-08-07 14:44:18 +02:00
format = serializers.ChoiceField(
choices=["pdf", "docx"],
label=_("Format"),
required=False,
default="pdf",
)
✨(models/api) allow inviting external users to a document by their email We want to be able to share a document with a person even if this person does not have an account in impress yet. This code is ported from https://github.com/numerique-gouv/people.
2024-05-13 23:31:00 +02:00
class InvitationSerializer(serializers.ModelSerializer):
"""Serialize invitations."""
abilities = serializers.SerializerMethodField(read_only=True)
class Meta:
model = models.Invitation
fields = [
"id",
"abilities",
"created_at",
"email",
"document",
"role",
"issuer",
"is_expired",
]
read_only_fields = [
"id",
"abilities",
"created_at",
"document",
"issuer",
"is_expired",
]
def get_abilities(self, invitation) -> dict:
"""Return abilities of the logged-in user on the instance."""
request = self.context.get("request")
if request:
return invitation.get_abilities(request.user)
return {}
def validate(self, attrs):
🐛(backend) fix invitations API endpoint access rights Only users who have the rights to manage accesses on the document should be allowed to see and manipulate invitations. Other users can see access rights on the document but only when the corresponding user/team has actually been granted access. We added a parameter in document abilities so the frontend knows when the logged-in user can invite another user with the owner role or not.
2024-10-22 00:28:16 +02:00
"""Validate invitation data."""
✨(models/api) allow inviting external users to a document by their email We want to be able to share a document with a person even if this person does not have an account in impress yet. This code is ported from https://github.com/numerique-gouv/people.
2024-05-13 23:31:00 +02:00
request = self.context.get("request")
user = getattr(request, "user", None)
🐛(backend) fix invitations API endpoint access rights Only users who have the rights to manage accesses on the document should be allowed to see and manipulate invitations. Other users can see access rights on the document but only when the corresponding user/team has actually been granted access. We added a parameter in document abilities so the frontend knows when the logged-in user can invite another user with the owner role or not.
2024-10-22 00:28:16 +02:00
attrs["document_id"] = self.context["resource_id"]
✨(models/api) allow inviting external users to a document by their email We want to be able to share a document with a person even if this person does not have an account in impress yet. This code is ported from https://github.com/numerique-gouv/people.
2024-05-13 23:31:00 +02:00
🐛(backend) fix invitations API endpoint access rights Only users who have the rights to manage accesses on the document should be allowed to see and manipulate invitations. Other users can see access rights on the document but only when the corresponding user/team has actually been granted access. We added a parameter in document abilities so the frontend knows when the logged-in user can invite another user with the owner role or not.
2024-10-22 00:28:16 +02:00
# Only set the issuer if the instance is being created
if self.instance is None:
attrs["issuer"] = user
✨(models/api) allow inviting external users to a document by their email We want to be able to share a document with a person even if this person does not have an account in impress yet. This code is ported from https://github.com/numerique-gouv/people.
2024-05-13 23:31:00 +02:00
🐛(backend) fix invitations API endpoint access rights Only users who have the rights to manage accesses on the document should be allowed to see and manipulate invitations. Other users can see access rights on the document but only when the corresponding user/team has actually been granted access. We added a parameter in document abilities so the frontend knows when the logged-in user can invite another user with the owner role or not.
2024-10-22 00:28:16 +02:00
return attrs
✨(models/api) allow inviting external users to a document by their email We want to be able to share a document with a person even if this person does not have an account in impress yet. This code is ported from https://github.com/numerique-gouv/people.
2024-05-13 23:31:00 +02:00
🐛(backend) fix invitations API endpoint access rights Only users who have the rights to manage accesses on the document should be allowed to see and manipulate invitations. Other users can see access rights on the document but only when the corresponding user/team has actually been granted access. We added a parameter in document abilities so the frontend knows when the logged-in user can invite another user with the owner role or not.
2024-10-22 00:28:16 +02:00
def validate_role(self, role):
"""Custom validation for the role field."""
request = self.context.get("request")
user = getattr(request, "user", None)
document_id = self.context["resource_id"]
# If the role is OWNER, check if the user has OWNER access
if role == models.RoleChoices.OWNER:
if not models.DocumentAccess.objects.filter(
🛂(backend) stop to list public doc to everyone Everybody could see the full list of public docs. Now only members can see their public docs. They can still access to any specific public doc.
2024-09-06 16:12:02 +02:00
Q(user=user) | Q(team__in=user.teams),
✨(models/api) allow inviting external users to a document by their email We want to be able to share a document with a person even if this person does not have an account in impress yet. This code is ported from https://github.com/numerique-gouv/people.
2024-05-13 23:31:00 +02:00
document=document_id,
role=models.RoleChoices.OWNER,
🐛(backend) fix invitations API endpoint access rights Only users who have the rights to manage accesses on the document should be allowed to see and manipulate invitations. Other users can see access rights on the document but only when the corresponding user/team has actually been granted access. We added a parameter in document abilities so the frontend knows when the logged-in user can invite another user with the owner role or not.
2024-10-22 00:28:16 +02:00
).exists():
raise serializers.ValidationError(
"Only owners of a document can invite other users as owners."
)
✨(models/api) allow inviting external users to a document by their email We want to be able to share a document with a person even if this person does not have an account in impress yet. This code is ported from https://github.com/numerique-gouv/people.
2024-05-13 23:31:00 +02:00
🐛(backend) fix invitations API endpoint access rights Only users who have the rights to manage accesses on the document should be allowed to see and manipulate invitations. Other users can see access rights on the document but only when the corresponding user/team has actually been granted access. We added a parameter in document abilities so the frontend knows when the logged-in user can invite another user with the owner role or not.
2024-10-22 00:28:16 +02:00
return role
👔(backend) add document version serializer Add document version serializer to get the pagination with the document version list.
2024-07-17 09:10:05 +02:00
♻️(api) refactor getting versions to expose pagination Getting versions was not working properly. Some versions returned were not accessible by the user requesting the list of available versions. We refactor the code to make it simpler and let the frontend handle pagination (load more style).
2024-09-16 19:27:48 +02:00
class VersionFilterSerializer(serializers.Serializer):
"""Validate version filters applied to the list endpoint."""
👔(backend) add document version serializer Add document version serializer to get the pagination with the document version list.
2024-07-17 09:10:05 +02:00
♻️(api) refactor getting versions to expose pagination Getting versions was not working properly. Some versions returned were not accessible by the user requesting the list of available versions. We refactor the code to make it simpler and let the frontend handle pagination (load more style).
2024-09-16 19:27:48 +02:00
version_id = serializers.CharField(required=False, allow_blank=True)
page_size = serializers.IntegerField(
required=False, min_value=1, max_value=50, default=20
)
✨(backend) create ai endpoint We created 2 new action endpoints on the document to perform AI operations: - POST /api/v1.0/documents/{uuid}/ai-transform - POST /api/v1.0/documents/{uuid}/ai-translate
2024-09-20 22:42:46 +02:00
class AITransformSerializer(serializers.Serializer):
"""Serializer for AI transform requests."""
action = serializers.ChoiceField(choices=AI_ACTIONS, required=True)
text = serializers.CharField(required=True)
def validate_text(self, value):
"""Ensure the text field is not empty."""
if len(value.strip()) == 0:
raise serializers.ValidationError("Text field cannot be empty.")
return value
class AITranslateSerializer(serializers.Serializer):
"""Serializer for AI translate requests."""
language = serializers.ChoiceField(
choices=tuple(enums.ALL_LANGUAGES.items()), required=True
)
text = serializers.CharField(required=True)
def validate_text(self, value):
"""Ensure the text field is not empty."""
if len(value.strip()) == 0:
raise serializers.ValidationError("Text field cannot be empty.")
return value
✨(backend) add API endpoint to move a document in the document tree Only administrators or owners of a document can move it to a target document for which they are also administrator or owner. We allow different moving modes: - first-child: move the document as the first child of the target - last-child: move the document as the last child of the target - first-sibling: move the document as the first sibling of the target - last-sibling: move the document as the last sibling of the target - left: move the document as sibling ordered just before the target - right: move the document as sibling ordered just after the target The whole subtree below the document that is being moved, moves as well and remains below the document after it is moved.
2025-01-02 23:15:03 +01:00
class MoveDocumentSerializer(serializers.Serializer):
"""
Serializer for validating input data to move a document within the tree structure.
Fields:
- target_document_id (UUIDField): The ID of the target parent document where the
document should be moved. This field is required and must be a valid UUID.
- position (ChoiceField): Specifies the position of the document in relation to
the target parent's children.
Choices:
- "first-child": Place the document as the first child of the target parent.
- "last-child": Place the document as the last child of the target parent (default).
- "left": Place the document as the left sibling of the target parent.
- "right": Place the document as the right sibling of the target parent.
Example:
Input payload for moving a document:
{
"target_document_id": "123e4567-e89b-12d3-a456-426614174000",
"position": "first-child"
}
Notes:
- The `target_document_id` is mandatory.
- The `position` defaults to "last-child" if not provided.
"""
target_document_id = serializers.UUIDField(required=True)
position = serializers.ChoiceField(
choices=enums.MoveNodePositionChoices.choices,
default=enums.MoveNodePositionChoices.LAST_CHILD,
)
Reference in New Issue Copy Permalink