🔒️(backend) remove owner as valid role for ask_for_access serializer

When an ask_for_access request is created, we explicitly remove the owner
role to prevent role escalation.
Manuel Raynaud
2025-11-12 11:58:50 +01:00
parent 8799b4aa2f
commit bf68a5ae40
3 changed files with 33 additions and 6 deletions


@@ -786,7 +786,9 @@ class DocumentAskForAccessCreateSerializer(serializers.Serializer):
"""Serializer for creating a document ask for access."""
role = serializers.ChoiceField(
choices=models.RoleChoices.choices,
choices=[
role for role in choices.RoleChoices if role != models.RoleChoices.OWNER
],
required=False,
default=models.RoleChoices.READER,
)
@@ -810,11 +812,11 @@ class DocumentAskForAccessSerializer(serializers.ModelSerializer):
]
read_only_fields = ["id", "document", "user", "role", "created_at", "abilities"]
def get_abilities(self, invitation) -> dict:
def get_abilities(self, instance) -> dict:
"""Return abilities of the logged-in user on the instance."""
request = self.context.get("request")
if request:
return invitation.get_abilities(request.user)
return instance.get_abilities(request.user)
return {}
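Review bot: The new `choices` list on the `role` field of `DocumentAskForAccessCreateSerializer` (first hunk) is a denylist, every `RoleChoices` member except `OWNER`, so any privileged role added to the enum later becomes requestable by default; an explicit allowlist of the roles a requester may ask for would fail closed. The comprehension iterates `choices.RoleChoices` while the comparison and the default use `models.RoleChoices`; assuming both names refer to the same enum, referring to it through one module keeps the field from drifting if they ever diverge. Iterating the enum also passes bare members to `ChoiceField` instead of the `(value, label)` pairs that `.choices` supplied, so the display labels are no longer passed; `choices=[(value, label) for value, label in models.RoleChoices.choices if value != models.RoleChoices.OWNER],` keeps them. The restriction applies only to creation through this serializer; whether the path that accepts a request re-checks the role it grants is not visible in this section and is worth confirming.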