src/backend/core/api/serializers.py

"""Client serializers for the impress core app."""
from django.db.models import Q
from django.utils.translation import gettext_lazy as _

from rest_framework import exceptions, serializers

from core import models


class UserSerializer(serializers.ModelSerializer):
    """Serialize users."""

    class Meta:
        model = models.User
        fields = ["id", "email"]
        read_only_fields = ["id", "email"]


class BaseAccessSerializer(serializers.ModelSerializer):
    """Serialize template accesses."""

    abilities = serializers.SerializerMethodField(read_only=True)

    def update(self, instance, validated_data):
        """Make "user" field is readonly but only on update."""
        validated_data.pop("user", None)
        return super().update(instance, validated_data)

    def get_abilities(self, access) -> dict:
        """Return abilities of the logged-in user on the instance."""
        request = self.context.get("request")
        if request:
            return access.get_abilities(request.user)
        return {}

    def validate(self, attrs):
        """
        Check access rights specific to writing (create/update)
        """
        request = self.context.get("request")
        user = getattr(request, "user", None)
        role = attrs.get("role")

        # Update
        if self.instance:
            can_set_role_to = self.instance.get_abilities(user)["set_role_to"]

            if role and role not in can_set_role_to:
                message = (
                    f"You are only allowed to set role to {', '.join(can_set_role_to)}"
                    if can_set_role_to
                    else "You are not allowed to set this role for this template."
                )
                raise exceptions.PermissionDenied(message)

        # Create
        else:
            try:
                resource_id = self.context["resource_id"]
            except KeyError as exc:
                raise exceptions.ValidationError(
                    "You must set a resource ID in kwargs to create a new access."
                ) from exc

            teams = user.get_teams()
            if not self.Meta.model.objects.filter(  # pylint: disable=no-member
                Q(user=user) | Q(team__in=teams),
                role__in=[models.RoleChoices.OWNER, models.RoleChoices.ADMIN],
            ).exists():
                raise exceptions.PermissionDenied(
                    "You are not allowed to manage accesses for this resource."
                )

            if (
                role == models.RoleChoices.OWNER
                and not self.Meta.model.objects.filter(  # pylint: disable=no-member
                    Q(user=user) | Q(team__in=teams),
                    role=models.RoleChoices.OWNER,
                    **{self.Meta.resource_field_name: resource_id},  # pylint: disable=no-member
                ).exists()
            ):
                raise exceptions.PermissionDenied(
                    "Only owners of a resource can assign other users as owners."
                )

        # pylint: disable=no-member
        attrs[f"{self.Meta.resource_field_name}_id"] = self.context["resource_id"]
        return attrs


class DocumentAccessSerializer(BaseAccessSerializer):
    """Serialize document accesses."""

    user_id = serializers.PrimaryKeyRelatedField(
        queryset=models.User.objects.all(),
        write_only=True,
        source="user",
        required=False,
        allow_null=True,
    )
    user = UserSerializer(read_only=True)

    class Meta:
        model = models.DocumentAccess
        resource_field_name = "document"
        fields = ["id", "user", "user_id", "team", "role", "abilities"]
        read_only_fields = ["id", "abilities"]


class TemplateAccessSerializer(BaseAccessSerializer):
    """Serialize template accesses."""

    class Meta:
        model = models.TemplateAccess
        resource_field_name = "template"
        fields = ["id", "user", "team", "role", "abilities"]
        read_only_fields = ["id", "abilities"]


class BaseResourceSerializer(serializers.ModelSerializer):
    """Serialize documents."""

    abilities = serializers.SerializerMethodField(read_only=True)
    accesses = TemplateAccessSerializer(many=True, read_only=True)

    def get_abilities(self, document) -> dict:
        """Return abilities of the logged-in user on the instance."""
        request = self.context.get("request")
        if request:
            return document.get_abilities(request.user)
        return {}


class DocumentSerializer(BaseResourceSerializer):
    """Serialize documents."""

    content = serializers.CharField(required=False)
    accesses = DocumentAccessSerializer(many=True, read_only=True)

    class Meta:
        model = models.Document
        fields = ["id", "content", "title", "accesses", "abilities", "is_public"]
        read_only_fields = ["id", "accesses", "abilities"]


class TemplateSerializer(BaseResourceSerializer):
    """Serialize templates."""

    class Meta:
        model = models.Template
        fields = [
            "id",
            "title",
            "accesses",
            "abilities",
            "css",
            "code",
            "is_public",
        ]
        read_only_fields = ["id", "accesses", "abilities"]


# pylint: disable=abstract-method
class DocumentGenerationSerializer(serializers.Serializer):
    """Serializer to receive a request to generate a document on a template."""

    body = serializers.CharField(label=_("Body"))
    body_type = serializers.ChoiceField(
        choices=["html", "markdown"],
        label=_("Body type"),
        required=False,
        default="html",
    )


class InvitationSerializer(serializers.ModelSerializer):
    """Serialize invitations."""

    abilities = serializers.SerializerMethodField(read_only=True)

    class Meta:
        model = models.Invitation
        fields = [
            "id",
            "abilities",
            "created_at",
            "email",
            "document",
            "role",
            "issuer",
            "is_expired",
        ]
        read_only_fields = [
            "id",
            "abilities",
            "created_at",
            "document",
            "issuer",
            "is_expired",
        ]

    def get_abilities(self, invitation) -> dict:
        """Return abilities of the logged-in user on the instance."""
        request = self.context.get("request")
        if request:
            return invitation.get_abilities(request.user)
        return {}

    def validate(self, attrs):
        """Validate and restrict invitation to new user based on email."""

        request = self.context.get("request")
        user = getattr(request, "user", None)
        role = attrs.get("role")

        try:
            document_id = self.context["resource_id"]
        except KeyError as exc:
            raise exceptions.ValidationError(
                "You must set a document ID in kwargs to create a new document invitation."
            ) from exc

        if not user and user.is_authenticated:
            raise exceptions.PermissionDenied(
                "Anonymous users are not allowed to create invitations."
            )

        teams = user.get_teams()
        if not models.DocumentAccess.objects.filter(
            Q(user=user) | Q(team__in=teams),
            document=document_id,
            role__in=[models.RoleChoices.OWNER, models.RoleChoices.ADMIN],
        ).exists():
            raise exceptions.PermissionDenied(
                "You are not allowed to manage invitations for this document."
            )

        if (
            role == models.RoleChoices.OWNER
            and not models.DocumentAccess.objects.filter(
                Q(user=user) | Q(team__in=teams),
                document=document_id,
                role=models.RoleChoices.OWNER,
            ).exists()
        ):
            raise exceptions.PermissionDenied(
                "Only owners of a document can invite other users as owners."
            )

        attrs["document_id"] = document_id
        attrs["issuer"] = user
        return attrs
♻️(project) rename project from "publish" to "impress" The repository was renamed to "impress" but the code was still mentionning "publish". 2024-03-07 19:46:46 +01:00			`"""Client serializers for the impress core app."""`
✨(models/api) add RBAC on templates linking accesses to a team name We want to be able to control who can access a template via roles. I added this feature on the TeamAccess model assuming that the teams to which a user belongs can be retrieved via a `get_teams` method on the user model. The idea is that this method will get the teams either via a call to an external API or directly from the OIDC token upon user login. This list of teams will probably have to be cached for each user. 2024-03-03 08:49:27 +01:00			`from django.db.models import Q`
♻️(backend) refactor post hackathon to a first working version This project was copied and hacked to make a POC in a 2-day hackathon. We need to clean and refactor things in order to get a first version of the product we want. 2024-02-09 19:32:12 +01:00			`from django.utils.translation import gettext_lazy as _`

✨(project) first proof of concept printing pdf from markdown This is a boilerplate inspired from https://github.com/openfun/joanie 2024-01-09 15:30:36 +01:00			`from rest_framework import exceptions, serializers`

			`from core import models`


			`class UserSerializer(serializers.ModelSerializer):`
			`"""Serialize users."""`

			`class Meta:`
			`model = models.User`
👔(backend) change field displayed on users endpoint Change the field displayed on the users endpoint. We need the email field to be displayed. 2024-05-29 21:26:01 +02:00			`fields = ["id", "email"]`
			`read_only_fields = ["id", "email"]`
✨(project) first proof of concept printing pdf from markdown This is a boilerplate inspired from https://github.com/openfun/joanie 2024-01-09 15:30:36 +01:00
♻️(backend) refactor post hackathon to a first working version This project was copied and hacked to make a POC in a 2-day hackathon. We need to clean and refactor things in order to get a first version of the product we want. 2024-02-09 19:32:12 +01:00
✨(models/api) add document model and API We do this by making copies of existing Template and TemplateAccess models and API. A little refactoring is done to try to limit duplicate code. 2024-04-03 18:50:28 +02:00			`class BaseAccessSerializer(serializers.ModelSerializer):`
♻️(backend) refactor post hackathon to a first working version This project was copied and hacked to make a POC in a 2-day hackathon. We need to clean and refactor things in order to get a first version of the product we want. 2024-02-09 19:32:12 +01:00			`"""Serialize template accesses."""`
✨(project) first proof of concept printing pdf from markdown This is a boilerplate inspired from https://github.com/openfun/joanie 2024-01-09 15:30:36 +01:00
			`abilities = serializers.SerializerMethodField(read_only=True)`

			`def update(self, instance, validated_data):`
			`"""Make "user" field is readonly but only on update."""`
			`validated_data.pop("user", None)`
			`return super().update(instance, validated_data)`

			`def get_abilities(self, access) -> dict:`
			`"""Return abilities of the logged-in user on the instance."""`
			`request = self.context.get("request")`
			`if request:`
			`return access.get_abilities(request.user)`
			`return {}`

			`def validate(self, attrs):`
			`"""`
			`Check access rights specific to writing (create/update)`
			`"""`
			`request = self.context.get("request")`
			`user = getattr(request, "user", None)`
			`role = attrs.get("role")`

			`# Update`
			`if self.instance:`
			`can_set_role_to = self.instance.get_abilities(user)["set_role_to"]`

			`if role and role not in can_set_role_to:`
			`message = (`
			`f"You are only allowed to set role to {', '.join(can_set_role_to)}"`
			`if can_set_role_to`
♻️(backend) refactor post hackathon to a first working version This project was copied and hacked to make a POC in a 2-day hackathon. We need to clean and refactor things in order to get a first version of the product we want. 2024-02-09 19:32:12 +01:00			`else "You are not allowed to set this role for this template."`
✨(project) first proof of concept printing pdf from markdown This is a boilerplate inspired from https://github.com/openfun/joanie 2024-01-09 15:30:36 +01:00			`)`
			`raise exceptions.PermissionDenied(message)`

			`# Create`
			`else:`
			`try:`
✨(models/api) add document model and API We do this by making copies of existing Template and TemplateAccess models and API. A little refactoring is done to try to limit duplicate code. 2024-04-03 18:50:28 +02:00			`resource_id = self.context["resource_id"]`
✨(project) first proof of concept printing pdf from markdown This is a boilerplate inspired from https://github.com/openfun/joanie 2024-01-09 15:30:36 +01:00			`except KeyError as exc:`
			`raise exceptions.ValidationError(`
✨(models/api) add document model and API We do this by making copies of existing Template and TemplateAccess models and API. A little refactoring is done to try to limit duplicate code. 2024-04-03 18:50:28 +02:00			`"You must set a resource ID in kwargs to create a new access."`
✨(project) first proof of concept printing pdf from markdown This is a boilerplate inspired from https://github.com/openfun/joanie 2024-01-09 15:30:36 +01:00			`) from exc`

✨(models/api) allow inviting external users to a document by their email We want to be able to share a document with a person even if this person does not have an account in impress yet. This code is ported from https://github.com/numerique-gouv/people. 2024-05-13 23:31:00 +02:00			`teams = user.get_teams()`
✨(models/api) add document model and API We do this by making copies of existing Template and TemplateAccess models and API. A little refactoring is done to try to limit duplicate code. 2024-04-03 18:50:28 +02:00			`if not self.Meta.model.objects.filter( # pylint: disable=no-member`
✨(models/api) add RBAC on templates linking accesses to a team name We want to be able to control who can access a template via roles. I added this feature on the TeamAccess model assuming that the teams to which a user belongs can be retrieved via a `get_teams` method on the user model. The idea is that this method will get the teams either via a call to an external API or directly from the OIDC token upon user login. This list of teams will probably have to be cached for each user. 2024-03-03 08:49:27 +01:00			`Q(user=user) \| Q(team__in=teams),`
✨(project) first proof of concept printing pdf from markdown This is a boilerplate inspired from https://github.com/openfun/joanie 2024-01-09 15:30:36 +01:00			`role__in=[models.RoleChoices.OWNER, models.RoleChoices.ADMIN],`
			`).exists():`
			`raise exceptions.PermissionDenied(`
✨(models/api) add document model and API We do this by making copies of existing Template and TemplateAccess models and API. A little refactoring is done to try to limit duplicate code. 2024-04-03 18:50:28 +02:00			`"You are not allowed to manage accesses for this resource."`
✨(project) first proof of concept printing pdf from markdown This is a boilerplate inspired from https://github.com/openfun/joanie 2024-01-09 15:30:36 +01:00			`)`

			`if (`
			`role == models.RoleChoices.OWNER`
✨(models/api) add document model and API We do this by making copies of existing Template and TemplateAccess models and API. A little refactoring is done to try to limit duplicate code. 2024-04-03 18:50:28 +02:00			`and not self.Meta.model.objects.filter( # pylint: disable=no-member`
✨(models/api) add RBAC on templates linking accesses to a team name We want to be able to control who can access a template via roles. I added this feature on the TeamAccess model assuming that the teams to which a user belongs can be retrieved via a `get_teams` method on the user model. The idea is that this method will get the teams either via a call to an external API or directly from the OIDC token upon user login. This list of teams will probably have to be cached for each user. 2024-03-03 08:49:27 +01:00			`Q(user=user) \| Q(team__in=teams),`
✨(project) first proof of concept printing pdf from markdown This is a boilerplate inspired from https://github.com/openfun/joanie 2024-01-09 15:30:36 +01:00			`role=models.RoleChoices.OWNER,`
✨(models/api) add document model and API We do this by making copies of existing Template and TemplateAccess models and API. A little refactoring is done to try to limit duplicate code. 2024-04-03 18:50:28 +02:00			`**{self.Meta.resource_field_name: resource_id}, # pylint: disable=no-member`
✨(project) first proof of concept printing pdf from markdown This is a boilerplate inspired from https://github.com/openfun/joanie 2024-01-09 15:30:36 +01:00			`).exists()`
			`):`
			`raise exceptions.PermissionDenied(`
✨(models/api) add document model and API We do this by making copies of existing Template and TemplateAccess models and API. A little refactoring is done to try to limit duplicate code. 2024-04-03 18:50:28 +02:00			`"Only owners of a resource can assign other users as owners."`
✨(project) first proof of concept printing pdf from markdown This is a boilerplate inspired from https://github.com/openfun/joanie 2024-01-09 15:30:36 +01:00			`)`

✨(models/api) add document model and API We do this by making copies of existing Template and TemplateAccess models and API. A little refactoring is done to try to limit duplicate code. 2024-04-03 18:50:28 +02:00			`# pylint: disable=no-member`
			`attrs[f"{self.Meta.resource_field_name}_id"] = self.context["resource_id"]`
✨(project) first proof of concept printing pdf from markdown This is a boilerplate inspired from https://github.com/openfun/joanie 2024-01-09 15:30:36 +01:00			`return attrs`


✨(models/api) add document model and API We do this by making copies of existing Template and TemplateAccess models and API. A little refactoring is done to try to limit duplicate code. 2024-04-03 18:50:28 +02:00			`class DocumentAccessSerializer(BaseAccessSerializer):`
			`"""Serialize document accesses."""`

👔(backend) object user on DocumentAccessSerializer user field was displaying the userid, but we need to return the user object on the DocumentAccessSerializer, so we can show the user email on the frontend. We add the user_id field in write_only mode, so we can keep create and update. 2024-05-31 17:06:39 +02:00			`user_id = serializers.PrimaryKeyRelatedField(`
			`queryset=models.User.objects.all(),`
			`write_only=True,`
			`source="user",`
			`required=False,`
			`allow_null=True,`
			`)`
			`user = UserSerializer(read_only=True)`

✨(models/api) add document model and API We do this by making copies of existing Template and TemplateAccess models and API. A little refactoring is done to try to limit duplicate code. 2024-04-03 18:50:28 +02:00			`class Meta:`
			`model = models.DocumentAccess`
			`resource_field_name = "document"`
👔(backend) object user on DocumentAccessSerializer user field was displaying the userid, but we need to return the user object on the DocumentAccessSerializer, so we can show the user email on the frontend. We add the user_id field in write_only mode, so we can keep create and update. 2024-05-31 17:06:39 +02:00			`fields = ["id", "user", "user_id", "team", "role", "abilities"]`
✨(models/api) add document model and API We do this by making copies of existing Template and TemplateAccess models and API. A little refactoring is done to try to limit duplicate code. 2024-04-03 18:50:28 +02:00			`read_only_fields = ["id", "abilities"]`
✨(project) first proof of concept printing pdf from markdown This is a boilerplate inspired from https://github.com/openfun/joanie 2024-01-09 15:30:36 +01:00
✨(models/api) add document model and API We do this by making copies of existing Template and TemplateAccess models and API. A little refactoring is done to try to limit duplicate code. 2024-04-03 18:50:28 +02:00
			`class TemplateAccessSerializer(BaseAccessSerializer):`
			`"""Serialize template accesses."""`
✨(project) first proof of concept printing pdf from markdown This is a boilerplate inspired from https://github.com/openfun/joanie 2024-01-09 15:30:36 +01:00
			`class Meta:`
✨(models/api) add document model and API We do this by making copies of existing Template and TemplateAccess models and API. A little refactoring is done to try to limit duplicate code. 2024-04-03 18:50:28 +02:00			`model = models.TemplateAccess`
			`resource_field_name = "template"`
			`fields = ["id", "user", "team", "role", "abilities"]`
			`read_only_fields = ["id", "abilities"]`
✨(project) first proof of concept printing pdf from markdown This is a boilerplate inspired from https://github.com/openfun/joanie 2024-01-09 15:30:36 +01:00
✨(models/api) add document model and API We do this by making copies of existing Template and TemplateAccess models and API. A little refactoring is done to try to limit duplicate code. 2024-04-03 18:50:28 +02:00
			`class BaseResourceSerializer(serializers.ModelSerializer):`
			`"""Serialize documents."""`

			`abilities = serializers.SerializerMethodField(read_only=True)`
			`accesses = TemplateAccessSerializer(many=True, read_only=True)`

			`def get_abilities(self, document) -> dict:`
✨(project) first proof of concept printing pdf from markdown This is a boilerplate inspired from https://github.com/openfun/joanie 2024-01-09 15:30:36 +01:00			`"""Return abilities of the logged-in user on the instance."""`
			`request = self.context.get("request")`
			`if request:`
✨(models/api) add document model and API We do this by making copies of existing Template and TemplateAccess models and API. A little refactoring is done to try to limit duplicate code. 2024-04-03 18:50:28 +02:00			`return document.get_abilities(request.user)`
✨(project) first proof of concept printing pdf from markdown This is a boilerplate inspired from https://github.com/openfun/joanie 2024-01-09 15:30:36 +01:00			`return {}`
♻️(backend) refactor post hackathon to a first working version This project was copied and hacked to make a POC in a 2-day hackathon. We need to clean and refactor things in order to get a first version of the product we want. 2024-02-09 19:32:12 +01:00

✨(models/api) add document model and API We do this by making copies of existing Template and TemplateAccess models and API. A little refactoring is done to try to limit duplicate code. 2024-04-03 18:50:28 +02:00			`class DocumentSerializer(BaseResourceSerializer):`
			`"""Serialize documents."""`

🏷️(backend) accept string as saved document Saved documents has to be a string now. Before it has to be a json object. 2024-05-21 14:46:23 +02:00			`content = serializers.CharField(required=False)`
👔(backend) object user on DocumentAccessSerializer user field was displaying the userid, but we need to return the user object on the DocumentAccessSerializer, so we can show the user email on the frontend. We add the user_id field in write_only mode, so we can keep create and update. 2024-05-31 17:06:39 +02:00			`accesses = DocumentAccessSerializer(many=True, read_only=True)`
✨(documents) add content field as an S3 object The content field is a writable property on the model which is persisted in object storage. We take advantage of the versioning, robustness and scalability of S3. 2024-04-06 09:09:46 +02:00
✨(models/api) add document model and API We do this by making copies of existing Template and TemplateAccess models and API. A little refactoring is done to try to limit duplicate code. 2024-04-03 18:50:28 +02:00			`class Meta:`
			`model = models.Document`
✨(models/api) add document model and API We do this by making copies of existing Template and TemplateAccess models and API. A little refactoring is done to try to limit duplicate code. 2024-04-03 18:50:28 +02:00			`fields = ["id", "content", "title", "accesses", "abilities", "is_public"]`
✨(models/api) add document model and API We do this by making copies of existing Template and TemplateAccess models and API. A little refactoring is done to try to limit duplicate code. 2024-04-03 18:50:28 +02:00			`read_only_fields = ["id", "accesses", "abilities"]`


			`class TemplateSerializer(BaseResourceSerializer):`
			`"""Serialize templates."""`

			`class Meta:`
			`model = models.Template`
👔(backend) is_public in document and template serializer Add is_public field to document and template serializer. 2024-04-17 17:11:31 +02:00			`fields = [`
			`"id",`
			`"title",`
			`"accesses",`
			`"abilities",`
			`"css",`
			`"code",`
			`"is_public",`
			`]`
✨(models/api) add document model and API We do this by making copies of existing Template and TemplateAccess models and API. A little refactoring is done to try to limit duplicate code. 2024-04-03 18:50:28 +02:00			`read_only_fields = ["id", "accesses", "abilities"]`


♻️(backend) refactor post hackathon to a first working version This project was copied and hacked to make a POC in a 2-day hackathon. We need to clean and refactor things in order to get a first version of the product we want. 2024-02-09 19:32:12 +01:00			`# pylint: disable=abstract-method`
			`class DocumentGenerationSerializer(serializers.Serializer):`
			`"""Serializer to receive a request to generate a document on a template."""`

🏷️(backend) add body type on generate-document endpoint We were converting from markdown to html, but the frontend can provide the body in html format, so wa can avoid the conversion. Solution: Add body type on generate-document endpoint to allow to choose between markdown and html. 2024-04-16 10:30:10 +02:00			`body = serializers.CharField(label=_("Body"))`
			`body_type = serializers.ChoiceField(`
			`choices=["html", "markdown"],`
			`label=_("Body type"),`
			`required=False,`
			`default="html",`
			`)`
✨(models/api) allow inviting external users to a document by their email We want to be able to share a document with a person even if this person does not have an account in impress yet. This code is ported from https://github.com/numerique-gouv/people. 2024-05-13 23:31:00 +02:00

			`class InvitationSerializer(serializers.ModelSerializer):`
			`"""Serialize invitations."""`

			`abilities = serializers.SerializerMethodField(read_only=True)`

			`class Meta:`
			`model = models.Invitation`
			`fields = [`
			`"id",`
			`"abilities",`
			`"created_at",`
			`"email",`
			`"document",`
			`"role",`
			`"issuer",`
			`"is_expired",`
			`]`
			`read_only_fields = [`
			`"id",`
			`"abilities",`
			`"created_at",`
			`"document",`
			`"issuer",`
			`"is_expired",`
			`]`

			`def get_abilities(self, invitation) -> dict:`
			`"""Return abilities of the logged-in user on the instance."""`
			`request = self.context.get("request")`
			`if request:`
			`return invitation.get_abilities(request.user)`
			`return {}`

			`def validate(self, attrs):`
			`"""Validate and restrict invitation to new user based on email."""`

			`request = self.context.get("request")`
			`user = getattr(request, "user", None)`
			`role = attrs.get("role")`

			`try:`
			`document_id = self.context["resource_id"]`
			`except KeyError as exc:`
			`raise exceptions.ValidationError(`
			`"You must set a document ID in kwargs to create a new document invitation."`
			`) from exc`

			`if not user and user.is_authenticated:`
			`raise exceptions.PermissionDenied(`
			`"Anonymous users are not allowed to create invitations."`
			`)`

			`teams = user.get_teams()`
			`if not models.DocumentAccess.objects.filter(`
			`Q(user=user) \| Q(team__in=teams),`
			`document=document_id,`
			`role__in=[models.RoleChoices.OWNER, models.RoleChoices.ADMIN],`
			`).exists():`
			`raise exceptions.PermissionDenied(`
			`"You are not allowed to manage invitations for this document."`
			`)`

			`if (`
			`role == models.RoleChoices.OWNER`
			`and not models.DocumentAccess.objects.filter(`
			`Q(user=user) \| Q(team__in=teams),`
			`document=document_id,`
			`role=models.RoleChoices.OWNER,`
			`).exists()`
			`):`
			`raise exceptions.PermissionDenied(`
			`"Only owners of a document can invite other users as owners."`
			`)`

			`attrs["document_id"] = document_id`
			`attrs["issuer"] = user`
			`return attrs`