🐛(backend) fix create document for user when sub does not match

When creating a document on behalf of a user via the server-to-server API, a special edge case was broken that should should never happen but happens in our OIDC federation because one of the provider modifies the users "sub" each time they login. We end-up with existing users for who the email matches but not the sub. They were not correctly handled. I made a few additional fixes and improvements to the endpoint.
2025-01-10 09:50:48 +01:00
parent 96bb99d6ec
commit 610948cd16
8 changed files with 409 additions and 42 deletions
--- a/src/backend/core/api/serializers.py
+++ b/src/backend/core/api/serializers.py
@@ -264,13 +264,17 @@ class ServerCreateDocumentSerializer(serializers.Serializer):
        """Create the document and associate it with the user or send an invitation."""
        language = validated_data.get("language", settings.LANGUAGE_CODE)

-        # Get the user based on the sub (unique identifier)
+        # Get the user on its sub (unique identifier). Default on email if allowed in settings
+        email = validated_data["email"]
+
        try:
-            user = models.User.objects.get(sub=validated_data["sub"])
-        except (models.User.DoesNotExist, KeyError):
-            user = None
-            email = validated_data["email"]
-        else:
+            user = models.User.objects.get_user_by_sub_or_email(
+                validated_data["sub"], email
+            )
+        except models.DuplicateEmailError as err:
+            raise serializers.ValidationError({"email": [err.message]}) from err
+
+        if user:
            email = user.email
            language = user.language or language

@@ -279,7 +283,9 @@ class ServerCreateDocumentSerializer(serializers.Serializer):
                validated_data["content"]
            )
        except ConversionError as err:
-            raise exceptions.APIException(detail="could not convert content") from err
+            raise serializers.ValidationError(
+                {"content": ["Could not convert content"]}
+            ) from err

        document = models.Document.objects.create(
            title=validated_data["title"],
@@ -302,7 +308,11 @@ class ServerCreateDocumentSerializer(serializers.Serializer):
                role=models.RoleChoices.OWNER,
            )

-        # Notify the user about the newly created document
+        self._send_email_notification(document, validated_data, email, language)
+        return document
+
+    def _send_email_notification(self, document, validated_data, email, language):
+        """Notify the user about the newly created document."""
        subject = validated_data.get("subject") or _(
            "A new document was created on your behalf!"
        )
@@ -313,8 +323,6 @@ class ServerCreateDocumentSerializer(serializers.Serializer):
        }
        document.send_email(subject, [email], context, language)

-        return document
-
    def update(self, instance, validated_data):
        """
        This serializer does not support updates.