✨(api) allow updating link configuration for a document

We open a specific endpoint to update documents link configuration because it makes it more secure and simple to limit access rights to administrators/owners whereas other document fields like title and content can be edited by anonymous or authenticated users with much less access rights.
2024-09-08 23:07:47 +02:00
parent f5c4106547
commit 1e432cfdc2
6 changed files with 195 additions and 0 deletions
--- a/src/backend/core/api/serializers.py
+++ b/src/backend/core/api/serializers.py
@@ -164,6 +164,20 @@ class DocumentSerializer(BaseResourceSerializer):
        ]


+class LinkDocumentSerializer(BaseResourceSerializer):
+    """
+    Serialize link configuration for documents.
+    We expose it separately from document in order to simplify and secure access control.
+    """
+
+    class Meta:
+        model = models.Document
+        fields = [
+            "link_role",
+            "link_reach",
+        ]
+
+
 # Suppress the warning about not implementing `create` and `update` methods
 # since we don't use a model and only rely on the serializer for validation
 # pylint: disable=abstract-method
--- a/src/backend/core/api/viewsets.py
+++ b/src/backend/core/api/viewsets.py
@@ -451,6 +451,24 @@ class DocumentViewSet(
            }
        )

+    @decorators.action(detail=True, methods=["put"], url_path="link-configuration")
+    def link_configuration(self, request, *args, **kwargs):
+        """Update link configuration with specific rights (cf get_abilities)."""
+        # Check permissions first
+        document = self.get_object()
+
+        # Deserialize and validate the data
+        serializer = serializers.LinkDocumentSerializer(
+            document, data=request.data, partial=True
+        )
+        if not serializer.is_valid():
+            return drf_response.Response(
+                serializer.errors, status=status.HTTP_400_BAD_REQUEST
+            )
+
+        serializer.save()
+        return drf_response.Response(serializer.data, status=status.HTTP_200_OK)
+
    @decorators.action(detail=True, methods=["post"], url_path="attachment-upload")
    def attachment_upload(self, request, *args, **kwargs):
        """Upload a file related to a given document"""