🔥(api) remove possibility to force document id on creation

This feature poses security issues in the way it is implemented. We decide to remove it while clarifying the use case.
2024-09-08 23:29:08 +02:00
parent 1e432cfdc2
commit dec1a1a870
2 changed files with 0 additions and 38 deletions
--- a/src/backend/core/api/viewsets.py
+++ b/src/backend/core/api/viewsets.py
@@ -321,19 +321,6 @@ class DocumentViewSet(
    queryset = models.Document.objects.all()
    ordering = ["-updated_at"]

-    def perform_create(self, serializer):
-        """
-        Override perform_create to use the provided ID in the payload if it exists
-        """
-        document_id = self.request.data.get("id")
-        document = serializer.save(id=document_id) if document_id else serializer.save()
-
-        self.access_model_class.objects.create(
-            user=self.request.user,
-            role=models.RoleChoices.OWNER,
-            **{self.resource_field_name: document},
-        )
-
    def list(self, request, *args, **kwargs):
        """Restrict resources returned by the list endpoint"""
        queryset = self.filter_queryset(self.get_queryset())
--- a/src/backend/core/tests/documents/test_api_documents_create.py
+++ b/src/backend/core/tests/documents/test_api_documents_create.py
@@ -2,8 +2,6 @@
 Tests for Documents API endpoint in impress's core app: create
 """

-import uuid
-
 import pytest
 from rest_framework.test import APIClient

@@ -48,26 +46,3 @@ def test_api_documents_create_authenticated():
    document = Document.objects.get()
    assert document.title == "my document"
    assert document.accesses.filter(role="owner", user=user).exists()
-
-
-def test_api_documents_create_with_id_from_payload():
-    """
-    We should be able to create a document with an ID from the payload.
-    """
-    user = factories.UserFactory()
-
-    client = APIClient()
-    client.force_login(user)
-
-    doc_id = uuid.uuid4()
-    response = client.post(
-        "/api/v1.0/documents/",
-        {"title": "my document", "id": str(doc_id)},
-        format="json",
-    )
-
-    assert response.status_code == 201
-    document = Document.objects.get()
-    assert document.title == "my document"
-    assert document.id == doc_id
-    assert document.accesses.filter(role="owner", user=user).exists()