♻️(backend) remove different reach for authenticated and anonymous

If anonymous users have reader access on a parent, we were considering that an edge use case was interesting: allowing an authenticated user to still be editor on the child. Although this use case could be interesting, we consider, as a first approach, that the value it carries is not big enough to justify the complexity for the user to understand this complex access right heritage.
2025-04-11 19:09:48 +02:00
parent 26c7af0dbf
commit 0a5887c162
2 changed files with 7 additions and 10 deletions
--- a/src/backend/core/models.py
+++ b/src/backend/core/models.py
@@ -115,16 +115,16 @@ class LinkReachChoices(models.TextChoices):
        if LinkRoleChoices.EDITOR in reach_roles.get(cls.PUBLIC, set()):
            return {cls.PUBLIC: [LinkRoleChoices.EDITOR]}

-        # Rule 2: public/reader
-        if LinkRoleChoices.READER in reach_roles.get(cls.PUBLIC, set()):
-            result.get(cls.AUTHENTICATED, set()).discard(LinkRoleChoices.READER)
-            result.pop(cls.RESTRICTED, None)
-
-        # Rule 3: authenticated/editor
+        # Rule 2: authenticated/editor
        if LinkRoleChoices.EDITOR in reach_roles.get(cls.AUTHENTICATED, set()):
            result[cls.AUTHENTICATED].discard(LinkRoleChoices.READER)
            result.pop(cls.RESTRICTED, None)

+        # Rule 3: public/reader
+        if LinkRoleChoices.READER in reach_roles.get(cls.PUBLIC, set()):
+            result.pop(cls.AUTHENTICATED, None)
+            result.pop(cls.RESTRICTED, None)
+
        # Rule 4: authenticated/reader
        if LinkRoleChoices.READER in reach_roles.get(cls.AUTHENTICATED, set()):
            result.pop(cls.RESTRICTED, None)
--- a/src/backend/core/tests/test_models_documents.py
+++ b/src/backend/core/tests/test_models_documents.py
@@ -1198,7 +1198,6 @@ def test_models_documents_restore_complex_bis(django_assert_num_queries):
        (
            [{"link_reach": "public", "link_role": "reader"}],
            {
-                "authenticated": ["editor"],
                "public": ["reader", "editor"],
            },
        ),
@@ -1263,7 +1262,6 @@ def test_models_documents_restore_complex_bis(django_assert_num_queries):
                {"link_reach": "public", "link_role": "reader"},
            ],
            {
-                "authenticated": ["editor"],
                "public": ["reader", "editor"],
            },
        ),
@@ -1274,7 +1272,6 @@ def test_models_documents_restore_complex_bis(django_assert_num_queries):
                {"link_reach": "public", "link_role": "reader"},
            ],
            {
-                "authenticated": ["editor"],
                "public": ["reader", "editor"],
            },
        ),
@@ -1284,7 +1281,7 @@ def test_models_documents_restore_complex_bis(django_assert_num_queries):
                {"link_reach": "authenticated", "link_role": "editor"},
                {"link_reach": "public", "link_role": "reader"},
            ],
-            {"authenticated": ["editor"], "public": ["reader", "editor"]},
+            {"public": ["reader", "editor"]},
        ),
        (
            [