🔥(api) remove possibility to force document id on creation

This feature poses security issues in the way it is implemented. We decide to remove it while clarifying the use case.
2024-09-08 23:29:08 +02:00
parent 1e432cfdc2
commit dec1a1a870
2 changed files with 0 additions and 38 deletions
--- a/src/backend/core/tests/documents/test_api_documents_create.py
+++ b/src/backend/core/tests/documents/test_api_documents_create.py
@@ -2,8 +2,6 @@
 Tests for Documents API endpoint in impress's core app: create
 """

-import uuid
-
 import pytest
 from rest_framework.test import APIClient

@@ -48,26 +46,3 @@ def test_api_documents_create_authenticated():
    document = Document.objects.get()
    assert document.title == "my document"
    assert document.accesses.filter(role="owner", user=user).exists()
-
-
-def test_api_documents_create_with_id_from_payload():
-    """
-    We should be able to create a document with an ID from the payload.
-    """
-    user = factories.UserFactory()
-
-    client = APIClient()
-    client.force_login(user)
-
-    doc_id = uuid.uuid4()
-    response = client.post(
-        "/api/v1.0/documents/",
-        {"title": "my document", "id": str(doc_id)},
-        format="json",
-    )
-
-    assert response.status_code == 201
-    document = Document.objects.get()
-    assert document.title == "my document"
-    assert document.id == doc_id
-    assert document.accesses.filter(role="owner", user=user).exists()