✨(models/api) add link access reach and role

Link access was either public or private and was only allowing readers. This commit makes link access more powerful: - link reach can be private (users need to obtain specific access by document's administrators), restricted (any authenticated user) or public (anybody including anonymous users) - link role can be reader or editor. It is thus now possible to give editor access to an anonymous user or any authenticated user.
2024-09-08 23:37:49 +02:00
parent 41260de1c3
commit 494638d306
21 changed files with 744 additions and 326 deletions
--- a/src/backend/core/tests/templates/test_api_templates_generate_document.py
+++ b/src/backend/core/tests/templates/test_api_templates_generate_document.py
@@ -44,8 +44,10 @@ def test_api_templates_generate_document_anonymous_not_public():
        format="json",
    )

-    assert response.status_code == 404
-    assert response.json() == {"detail": "No Template matches the given query."}
+    assert response.status_code == 401
+    assert response.json() == {
+        "detail": "Authentication credentials were not provided."
+    }


 def test_api_templates_generate_document_authenticated_public():
--- a/src/backend/core/tests/templates/test_api_templates_list.py
+++ b/src/backend/core/tests/templates/test_api_templates_list.py
@@ -14,21 +14,24 @@ pytestmark = pytest.mark.django_db


 def test_api_templates_list_anonymous():
-    """Anonymous users should not be able to list templates, public or not."""
+    """Anonymous users should only be able to list public templates."""
    factories.TemplateFactory.create_batch(2, is_public=False)
-    factories.TemplateFactory.create_batch(2, is_public=True)
+    public_templates = factories.TemplateFactory.create_batch(2, is_public=True)
+    expected_ids = {str(template.id) for template in public_templates}

    response = APIClient().get("/api/v1.0/templates/")

    assert response.status_code == 200
    results = response.json()["results"]
-    assert len(results) == 0
+    assert len(results) == 2
+    results_id = {result["id"] for result in results}
+    assert expected_ids == results_id


 def test_api_templates_list_authenticated_direct():
    """
    Authenticated users should be able to list templates they are a direct
-    owner/administrator/member of.
+    owner/administrator/member of or that are public.
    """
    user = factories.UserFactory()

@@ -39,10 +42,12 @@ def test_api_templates_list_authenticated_direct():
        access.template
        for access in factories.UserTemplateAccessFactory.create_batch(5, user=user)
    ]
-    factories.TemplateFactory.create_batch(2, is_public=True)
+    public_templates = factories.TemplateFactory.create_batch(2, is_public=True)
    factories.TemplateFactory.create_batch(2, is_public=False)

-    expected_ids = {str(template.id) for template in related_templates}
+    expected_ids = {
+        str(template.id) for template in related_templates + public_templates
+    }

    response = client.get(
        "/api/v1.0/templates/",
@@ -50,7 +55,7 @@ def test_api_templates_list_authenticated_direct():

    assert response.status_code == 200
    results = response.json()["results"]
-    assert len(results) == 5
+    assert len(results) == 7
    results_id = {result["id"] for result in results}
    assert expected_ids == results_id

@@ -58,7 +63,7 @@ def test_api_templates_list_authenticated_direct():
 def test_api_templates_list_authenticated_via_team(mock_user_teams):
    """
    Authenticated users should be able to list templates they are a
-    owner/administrator/member of via a team.
+    owner/administrator/member of via a team or that are public.
    """
    user = factories.UserFactory()

@@ -75,16 +80,19 @@ def test_api_templates_list_authenticated_via_team(mock_user_teams):
        access.template
        for access in factories.TeamTemplateAccessFactory.create_batch(3, team="team2")
    ]
-    factories.TemplateFactory.create_batch(2, is_public=True)
+    public_templates = factories.TemplateFactory.create_batch(2, is_public=True)
    factories.TemplateFactory.create_batch(2, is_public=False)

-    expected_ids = {str(template.id) for template in templates_team1 + templates_team2}
+    expected_ids = {
+        str(template.id)
+        for template in templates_team1 + templates_team2 + public_templates
+    }

    response = client.get("/api/v1.0/templates/")

    assert response.status_code == 200
    results = response.json()["results"]
-    assert len(results) == 5
+    assert len(results) == 7
    results_id = {result["id"] for result in results}
    assert expected_ids == results_id

--- a/src/backend/core/tests/templates/test_api_templates_retrieve.py
+++ b/src/backend/core/tests/templates/test_api_templates_retrieve.py
@@ -41,8 +41,10 @@ def test_api_templates_retrieve_anonymous_not_public():

    response = APIClient().get(f"/api/v1.0/templates/{template.id!s}/")

-    assert response.status_code == 404
-    assert response.json() == {"detail": "No Template matches the given query."}
+    assert response.status_code == 401
+    assert response.json() == {
+        "detail": "Authentication credentials were not provided."
+    }


 def test_api_templates_retrieve_authenticated_unrelated_public():