From 5c5763a0efaabd75546588c848c653e9e2655101 Mon Sep 17 00:00:00 2001
From: Samuel Paccoud - DINUM <samuel.paccoud@mail.numerique.gouv.fr>
Date: Mon, 27 Jan 2025 21:20:16 +0100
Subject: [PATCH] =?UTF-8?q?=F0=9F=97=83=EF=B8=8F(backend)=20make=20documen?=
 =?UTF-8?q?t/template=20creation=20atomic?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When creating a new document/template via the API, we add the
logged-in user as owner of the created object. This should be
done atomically with the object creation to make sure we don't
end-up with an orphan object that the creator can't access
anymore.
---
 src/backend/core/api/viewsets.py                      | 11 ++---------
 .../tests/documents/test_api_documents_trashbin.py    |  1 +
 2 files changed, 3 insertions(+), 9 deletions(-)

diff --git a/src/backend/core/api/viewsets.py b/src/backend/core/api/viewsets.py
index d41a62f9..e9616aff 100644
--- a/src/backend/core/api/viewsets.py
+++ b/src/backend/core/api/viewsets.py
@@ -14,15 +14,6 @@ from django.core.exceptions import ValidationError
 from django.core.files.storage import default_storage
 from django.db import models as db
 from django.db import transaction
-from django.db.models import (
-    Exists,
-    F,
-    Func,
-    OuterRef,
-    Q,
-    Subquery,
-    Value,
-)
 from django.db.models.expressions import RawSQL
 from django.db.models.functions import Left, Length
 from django.http import Http404
@@ -579,6 +570,7 @@ class DocumentViewSet(
 
         return drf.response.Response(serializer.data)
 
+    @transaction.atomic
     def perform_create(self, serializer):
         """Set the current user as creator and owner of the newly created object."""
         obj = models.Document.add_root(
@@ -1250,6 +1242,7 @@ class TemplateViewSet(
         serializer = self.get_serializer(queryset, many=True)
         return drf.response.Response(serializer.data)
 
+    @transaction.atomic
     def perform_create(self, serializer):
         """Set the current user as owner of the newly created object."""
         obj = serializer.save()
diff --git a/src/backend/core/tests/documents/test_api_documents_trashbin.py b/src/backend/core/tests/documents/test_api_documents_trashbin.py
index a05c6221..b1a8b3b5 100644
--- a/src/backend/core/tests/documents/test_api_documents_trashbin.py
+++ b/src/backend/core/tests/documents/test_api_documents_trashbin.py
@@ -85,6 +85,7 @@ def test_api_documents_trashbin_format():
             "media_auth": True,
             "move": False,  # Can't move a deleted document
             "partial_update": True,
+            "restore": True,
             "retrieve": True,
             "update": True,
             "versions_destroy": True,