🐛(backend) fix invitations API endpoint access rights

Only users who have the rights to manage accesses on the document should be allowed to see and manipulate invitations. Other users can see access rights on the document but only when the corresponding user/team has actually been granted access. We added a parameter in document abilities so the frontend knows when the logged-in user can invite another user with the owner role or not.
2024-10-22 00:28:16 +02:00
parent 7fc59ed497
commit 0f0f812059
9 changed files with 701 additions and 505 deletions
--- a/src/backend/core/tests/documents/test_api_document_invitations.py
+++ b/src/backend/core/tests/documents/test_api_document_invitations.py
--- a/src/backend/core/tests/documents/test_api_documents_retrieve.py
+++ b/src/backend/core/tests/documents/test_api_documents_retrieve.py
@@ -25,6 +25,7 @@ def test_api_documents_retrieve_anonymous_public():
            "ai_translate": document.link_role == "editor",
            "attachment_upload": document.link_role == "editor",
            "destroy": False,
+            "invite_owner": False,
            "link_configuration": False,
            "manage_accesses": False,
            "partial_update": document.link_role == "editor",
@@ -82,6 +83,7 @@ def test_api_documents_retrieve_authenticated_unrelated_public_or_authenticated(
            "attachment_upload": document.link_role == "editor",
            "link_configuration": False,
            "destroy": False,
+            "invite_owner": False,
            "manage_accesses": False,
            "partial_update": document.link_role == "editor",
            "retrieve": True,
--- a/src/backend/core/tests/test_models_documents.py
+++ b/src/backend/core/tests/test_models_documents.py
@@ -88,6 +88,7 @@ def test_models_documents_get_abilities_forbidden(is_authenticated, reach, role)
        "attachment_upload": False,
        "link_configuration": False,
        "destroy": False,
+        "invite_owner": False,
        "manage_accesses": False,
        "partial_update": False,
        "retrieve": False,
@@ -120,6 +121,7 @@ def test_models_documents_get_abilities_reader(is_authenticated, reach):
        "attachment_upload": False,
        "destroy": False,
        "link_configuration": False,
+        "invite_owner": False,
        "manage_accesses": False,
        "partial_update": False,
        "retrieve": True,
@@ -152,6 +154,7 @@ def test_models_documents_get_abilities_editor(is_authenticated, reach):
        "attachment_upload": True,
        "destroy": False,
        "link_configuration": False,
+        "invite_owner": False,
        "manage_accesses": False,
        "partial_update": True,
        "retrieve": True,
@@ -173,6 +176,7 @@ def test_models_documents_get_abilities_owner():
        "attachment_upload": True,
        "destroy": True,
        "link_configuration": True,
+        "invite_owner": True,
        "manage_accesses": True,
        "partial_update": True,
        "retrieve": True,
@@ -193,6 +197,7 @@ def test_models_documents_get_abilities_administrator():
        "attachment_upload": True,
        "destroy": False,
        "link_configuration": True,
+        "invite_owner": False,
        "manage_accesses": True,
        "partial_update": True,
        "retrieve": True,
@@ -216,6 +221,7 @@ def test_models_documents_get_abilities_editor_user(django_assert_num_queries):
        "attachment_upload": True,
        "destroy": False,
        "link_configuration": False,
+        "invite_owner": False,
        "manage_accesses": False,
        "partial_update": True,
        "retrieve": True,
@@ -241,6 +247,7 @@ def test_models_documents_get_abilities_reader_user(django_assert_num_queries):
        "attachment_upload": False,
        "destroy": False,
        "link_configuration": False,
+        "invite_owner": False,
        "manage_accesses": False,
        "partial_update": False,
        "retrieve": True,
@@ -267,6 +274,7 @@ def test_models_documents_get_abilities_preset_role(django_assert_num_queries):
        "attachment_upload": False,
        "destroy": False,
        "link_configuration": False,
+        "invite_owner": False,
        "manage_accesses": False,
        "partial_update": False,
        "retrieve": True,
--- a/src/backend/core/tests/test_models_invitations.py
+++ b/src/backend/core/tests/test_models_invitations.py
@@ -2,10 +2,12 @@
 Unit tests for the Invitation model
 """

-import time
+from datetime import timedelta
+from unittest import mock

 from django.contrib.auth.models import AnonymousUser
 from django.core import exceptions
+from django.utils import timezone

 import pytest
 from faker import Faker
@@ -60,7 +62,7 @@ def test_models_invitations_role_among_choices():
        factories.InvitationFactory(role="boss")


-def test_models_invitations__is_expired(settings):
+def test_models_invitations_is_expired():
    """
    The 'is_expired' property should return False until validity duration
    is exceeded and True afterwards.
@@ -68,13 +70,16 @@ def test_models_invitations__is_expired(settings):
    expired_invitation = factories.InvitationFactory()
    assert expired_invitation.is_expired is False

-    settings.INVITATION_VALIDITY_DURATION = 1
-    time.sleep(1)
+    not_late = timezone.now() + timedelta(seconds=604799)
+    with mock.patch("django.utils.timezone.now", return_value=not_late):
+        assert expired_invitation.is_expired is False

-    assert expired_invitation.is_expired is True
+    too_late = timezone.now() + timedelta(seconds=604800)  # 7 days
+    with mock.patch("django.utils.timezone.now", return_value=too_late):
+        assert expired_invitation.is_expired is True


-def test_models_invitation__new_user__convert_invitations_to_accesses():
+def test_models_invitationd_new_userd_convert_invitations_to_accesses():
    """
    Upon creating a new user, invitations linked to the email
    should be converted to accesses and then deleted.
@@ -109,7 +114,7 @@ def test_models_invitation__new_user__convert_invitations_to_accesses():
    ).exists()  # the other invitation remains


-def test_models_invitation__new_user__filter_expired_invitations():
+def test_models_invitationd_new_user_filter_expired_invitations():
    """
    Upon creating a new identity, valid invitations should be converted into accesses
    and expired invitations should remain unchanged.
@@ -140,7 +145,7 @@ def test_models_invitation__new_user__filter_expired_invitations():


@pytest.mark.parametrize("num_invitations, num_queries", [(0, 3), (1, 6), (20, 6)])
-def test_models_invitation__new_user__user_creation_constant_num_queries(
+def test_models_invitationd_new_userd_user_creation_constant_num_queries(
    django_assert_num_queries, num_invitations, num_queries
 ):
    """
@@ -235,7 +240,7 @@ def test_models_document_invitations_get_abilities_reader(via, mock_user_teams):

    assert abilities == {
        "destroy": False,
-        "retrieve": True,
+        "retrieve": False,
        "partial_update": False,
        "update": False,
    }
@@ -260,7 +265,7 @@ def test_models_document_invitations_get_abilities_editor(via, mock_user_teams):

    assert abilities == {
        "destroy": False,
-        "retrieve": True,
+        "retrieve": False,
        "partial_update": False,
        "update": False,
    }