From dec1a1a870a3a381f384e648fc301bf3e2d0f5a4 Mon Sep 17 00:00:00 2001
From: Samuel Paccoud - DINUM
Date: Sun, 8 Sep 2024 23:29:08 +0200
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=A5(api)=20remove=20possibility=20to?=
 =?UTF-8?q?=20force=20document=20id=20on=20creation?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This feature poses security issues in the way it is implemented. We decide to remove it while clarifying the use case.
---
 src/backend/core/api/viewsets.py | 13 ----------
 .../documents/test_api_documents_create.py | 25 -------------------
 2 files changed, 38 deletions(-)

diff --git a/src/backend/core/api/viewsets.py b/src/backend/core/api/viewsets.py
index c895278a..86fdf059 100644
--- a/src/backend/core/api/viewsets.py
+++ b/src/backend/core/api/viewsets.py
@@ -321,19 +321,6 @@ class DocumentViewSet(
     queryset = models.Document.objects.all()
     ordering = ["-updated_at"]
 
-    def perform_create(self, serializer):
-        """
-        Override perform_create to use the provided ID in the payload if it exists
-        """
-        document_id = self.request.data.get("id")
-        document = serializer.save(id=document_id) if document_id else serializer.save()
-
-        self.access_model_class.objects.create(
-            user=self.request.user,
-            role=models.RoleChoices.OWNER,
-            **{self.resource_field_name: document},
-        )
-
     def list(self, request, *args, **kwargs):
         """Restrict resources returned by the list endpoint"""
         queryset = self.filter_queryset(self.get_queryset())
diff --git a/src/backend/core/tests/documents/test_api_documents_create.py b/src/backend/core/tests/documents/test_api_documents_create.py
index 4f3673f9..84b97c94 100644
--- a/src/backend/core/tests/documents/test_api_documents_create.py
+++ b/src/backend/core/tests/documents/test_api_documents_create.py
@@ -2,8 +2,6 @@
 Tests for Documents API endpoint in impress's core app: create
 """
 
-import uuid
-
 import pytest
 from rest_framework.test import APIClient
 
@@ -48,26 +46,3 @@ def test_api_documents_create_authenticated():
     document = Document.objects.get()
     assert document.title == "my document"
     assert document.accesses.filter(role="owner", user=user).exists()
-
-
-def test_api_documents_create_with_id_from_payload():
-    """
-    We should be able to create a document with an ID from the payload.
-    """
-    user = factories.UserFactory()
-
-    client = APIClient()
-    client.force_login(user)
-
-    doc_id = uuid.uuid4()
-    response = client.post(
-        "/api/v1.0/documents/",
-        {"title": "my document", "id": str(doc_id)},
-        format="json",
-    )
-
-    assert response.status_code == 201
-    document = Document.objects.get()
-    assert document.title == "my document"
-    assert document.id == doc_id
-    assert document.accesses.filter(role="owner", user=user).exists()