🐛(backend) fix trashbin list

Fix listing of deleted documents in trashbin for
users without owner access

CHANGELOG.md

@@ -15,6 +15,7 @@ and this project adheres to
 
 - 🐛(frontend) fix duplicate document entries in grid #1479
 - 🐛(frontend) show full nested doc names with ajustable bar #1456
+- 🐛(backend) fix trashbin list
 
 ## [3.8.2] - 2025-10-17
 

src/backend/core/api/viewsets.py

@@ -636,6 +636,9 @@ class DocumentViewSet(
             .values_list("document__path", flat=True)
         )
 
+        if not access_documents_paths:
+            return self.get_response_for_queryset(self.queryset.none())
+
         children_clause = db.Q()
         for path in access_documents_paths:
             children_clause |= db.Q(path__startswith=path)

src/backend/core/tests/documents/test_api_documents_trashbin.py

@@ -293,3 +293,29 @@ def test_api_documents_trashbin_distinct():
     content = response.json()
     assert len(content["results"]) == 1
     assert content["results"][0]["id"] == str(document.id)
+
+
+def test_api_documents_trashbin_empty_queryset_bug():
+    """
+    Test that users with no owner role don't see documents.
+    """
+    # Create a new user with no owner access to any document
+    new_user = factories.UserFactory()
+    client = APIClient()
+    client.force_login(new_user)
+
+    # Create some deleted documents owned by other users
+    other_user = factories.UserFactory()
+    item1 = factories.DocumentFactory(users=[(other_user, "owner")])
+    item1.soft_delete()
+    item2 = factories.DocumentFactory(users=[(other_user, "owner")])
+    item2.soft_delete()
+    item3 = factories.DocumentFactory(users=[(other_user, "owner")])
+    item3.soft_delete()
+
+    response = client.get("/api/v1.0/documents/trashbin/")
+
+    assert response.status_code == 200
+    content = response.json()
+    assert content["count"] == 0
+    assert len(content["results"]) == 0