🐛(backend) fix invitations API endpoint access rights

Only users who have the rights to manage accesses on the document should be allowed to see and manipulate invitations. Other users can see access rights on the document but only when the corresponding user/team has actually been granted access. We added a parameter in document abilities so the frontend knows when the logged-in user can invite another user with the owner role or not.
2024-10-22 00:28:16 +02:00
parent 7fc59ed497
commit 0f0f812059
9 changed files with 701 additions and 505 deletions
--- a/src/backend/core/tests/documents/test_api_document_invitations.py
+++ b/src/backend/core/tests/documents/test_api_document_invitations.py
--- a/src/backend/core/tests/documents/test_api_documents_retrieve.py
+++ b/src/backend/core/tests/documents/test_api_documents_retrieve.py
@@ -25,6 +25,7 @@ def test_api_documents_retrieve_anonymous_public():
            "ai_translate": document.link_role == "editor",
            "attachment_upload": document.link_role == "editor",
            "destroy": False,
+            "invite_owner": False,
            "link_configuration": False,
            "manage_accesses": False,
            "partial_update": document.link_role == "editor",
@@ -82,6 +83,7 @@ def test_api_documents_retrieve_authenticated_unrelated_public_or_authenticated(
            "attachment_upload": document.link_role == "editor",
            "link_configuration": False,
            "destroy": False,
+            "invite_owner": False,
            "manage_accesses": False,
            "partial_update": document.link_role == "editor",
            "retrieve": True,