🔒️(back) restrict accesss to document accesses

Every user having an access to a document, no matter its role have access to the entire accesses list with all the user details. Only owner or admin should be able to have the entire list, for the other roles, they have access to the list containing only owner and administrator with less information on the username. The email and its id is removed
2025-03-24 23:36:24 +01:00
parent 2929e98260
commit a4452784e1
6 changed files with 267 additions and 35 deletions
--- a/src/backend/core/api/serializers.py
+++ b/src/backend/core/api/serializers.py
@@ -27,6 +27,26 @@ class UserSerializer(serializers.ModelSerializer):
        read_only_fields = ["id", "email", "full_name", "short_name"]


+class UserLightSerializer(UserSerializer):
+    """Serialize users with limited fields."""
+
+    id = serializers.SerializerMethodField(read_only=True)
+    email = serializers.SerializerMethodField(read_only=True)
+
+    def get_id(self, _user):
+        """Return always None. Here to have the same fields than in UserSerializer."""
+        return None
+
+    def get_email(self, _user):
+        """Return always None. Here to have the same fields than in UserSerializer."""
+        return None
+
+    class Meta:
+        model = models.User
+        fields = ["id", "email", "full_name", "short_name"]
+        read_only_fields = ["id", "email", "full_name", "short_name"]
+
+
 class BaseAccessSerializer(serializers.ModelSerializer):
    """Serialize template accesses."""

@@ -118,6 +138,17 @@ class DocumentAccessSerializer(BaseAccessSerializer):
        read_only_fields = ["id", "abilities"]


+class DocumentAccessLightSerializer(DocumentAccessSerializer):
+    """Serialize document accesses with limited fields."""
+
+    user = UserLightSerializer(read_only=True)
+
+    class Meta:
+        model = models.DocumentAccess
+        fields = ["id", "user", "team", "role", "abilities"]
+        read_only_fields = ["id", "team", "role", "abilities"]
+
+
 class TemplateAccessSerializer(BaseAccessSerializer):
    """Serialize template accesses."""

--- a/src/backend/core/api/viewsets.py
+++ b/src/backend/core/api/viewsets.py
@@ -1420,12 +1420,7 @@ class DocumentViewSet(

 class DocumentAccessViewSet(
    ResourceAccessViewsetMixin,
-    drf.mixins.CreateModelMixin,
-    drf.mixins.DestroyModelMixin,
-    drf.mixins.ListModelMixin,
-    drf.mixins.RetrieveModelMixin,
-    drf.mixins.UpdateModelMixin,
-    viewsets.GenericViewSet,
+    viewsets.ModelViewSet,
 ):
    """
    API ViewSet for all interactions with document accesses.
@@ -1457,6 +1452,32 @@ class DocumentAccessViewSet(
    queryset = models.DocumentAccess.objects.select_related("user").all()
    resource_field_name = "document"
    serializer_class = serializers.DocumentAccessSerializer
+    is_current_user_owner_or_admin = False
+
+    def get_queryset(self):
+        """Return the queryset according to the action."""
+        queryset = super().get_queryset()
+
+        if self.action == "list":
+            try:
+                document = models.Document.objects.get(pk=self.kwargs["resource_id"])
+            except models.Document.DoesNotExist:
+                return queryset.none()
+
+            roles = set(document.get_roles(self.request.user))
+            is_owner_or_admin = bool(roles.intersection(set(models.PRIVILEGED_ROLES)))
+            self.is_current_user_owner_or_admin = is_owner_or_admin
+            if not is_owner_or_admin:
+                # Return only the document owner access
+                queryset = queryset.filter(role__in=models.PRIVILEGED_ROLES)
+
+        return queryset
+
+    def get_serializer_class(self):
+        if self.action == "list" and not self.is_current_user_owner_or_admin:
+            return serializers.DocumentAccessLightSerializer
+
+        return super().get_serializer_class()

    def perform_create(self, serializer):
        """Add a new access to the document and send an email to the new added user."""