🐛(backend) fix dysfunctional permissions on document create

When creating a document access, users were benefitting on the targeted
document from the highest access right they have among all documents.
This is because we forgot to filter on the document ID when retrieving
the role of the user. We improved all tests to secure this issue.
Samuel Paccoud - DINUM
2024-10-11 20:42:16 +02:00
committed by Samuel Paccoud
parent bbcb5e0cf1
commit 1fc3029d12
14 changed files with 114 additions and 93 deletions

@@ -69,6 +69,7 @@ class BaseAccessSerializer(serializers.ModelSerializer):
if not self.Meta.model.objects.filter( # pylint: disable=no-member
Q(user=user) | Q(team__in=user.teams),
role__in=[models.RoleChoices.OWNER, models.RoleChoices.ADMIN],
**{self.Meta.resource_field_name: resource_id}, # pylint: disable=no-member
).exists():
raise exceptions.PermissionDenied(
"You are not allowed to manage accesses for this resource."
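
Review bot: the resource scoping on the `**{self.Meta.resource_field_name: resource_id}` line is only as strong as the value of `resource_id`, and this hunk does not show where it is assigned. If it can be None (for example, a missing URL kwarg), Django turns an exact lookup against None into an IS NULL match instead of failing, so the check would no longer be tied to the targeted resource. Suggest rejecting a missing `resource_id` before the query runs, and keeping a regression test in which a user who is owner or admin on one document and has no role on a second one tries to create an access on the second and receives this PermissionDenied.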