From e82e6a1fcfd869178c89dc39e2a2e8e634b09767 Mon Sep 17 00:00:00 2001
From: Manuel Raynaud
Date: Wed, 2 Jul 2025 13:45:50 +0200
Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=82(back)=20restrict=20document's=20du?=
 =?UTF-8?q?plicate=20action=20to=20authenticated=20users?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The duplicate was also able for anonynous user if they can read it. We have to restrict it to at least reader authenticated otherwise no access will be created on the duplicated document.
---
 src/backend/core/models.py | 2 +-
 .../core/tests/documents/test_api_documents_duplicate.py | 2 +-
 .../core/tests/documents/test_api_documents_retrieve.py | 4 ++--
 src/backend/core/tests/test_models_documents.py | 4 ++--
 4 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/backend/core/models.py b/src/backend/core/models.py
index fb3443ce..9d8d2db5 100644
--- a/src/backend/core/models.py
+++ b/src/backend/core/models.py
@@ -842,7 +842,7 @@ class Document(MP_Node, BaseModel):
 "cors_proxy": can_get,
 "descendants": can_get,
 "destroy": is_owner,
- "duplicate": can_get,
+ "duplicate": can_get and user.is_authenticated,
 "favorite": can_get and user.is_authenticated,
 "link_configuration": is_owner_or_admin,
 "invite_owner": is_owner,
diff --git a/src/backend/core/tests/documents/test_api_documents_duplicate.py b/src/backend/core/tests/documents/test_api_documents_duplicate.py
index 82acfa98..734c9a25 100644
--- a/src/backend/core/tests/documents/test_api_documents_duplicate.py
+++ b/src/backend/core/tests/documents/test_api_documents_duplicate.py
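Review bot: The changed `"duplicate"` entry carries no explanation of why authentication is now required, although the reason given in the commit message (the duplicate creates an access on the new document for the requesting user, which an anonymous reader cannot receive) is exactly what a later maintainer of this ability map needs to know before relaxing it again. Add a comment above the line, e.g. `# duplicating creates an access for the requesting user, so anonymous readers are excluded even though they can read`, or bind `can_get and user.is_authenticated` once (for example as `is_authenticated_reader`) and use it for both `"duplicate"` and `"favorite"`, which currently repeat the same expression one line apart. Whether the duplicate view actually consults this ability before creating the copy is not visible in this patch; the anonymous request test in the next file sets up the call but its status assertion lies outside its hunk, so it is worth confirming the request is rejected rather than producing a document with no access row. The enclosing method that builds this mapping starts and ends outside the hunk.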
@@ -60,7 +60,7 @@ def test_api_documents_duplicate_forbidden():
 def test_api_documents_duplicate_anonymous():
 """Anonymous users should not be able to duplicate documents even with read access."""
- document = factories.DocumentFactory(link_reach="public")
+ document = factories.DocumentFactory(link_reach="public", link_role="reader")
 response = APIClient().post(f"/api/v1.0/documents/{document.id!s}/duplicate/")
diff --git a/src/backend/core/tests/documents/test_api_documents_retrieve.py b/src/backend/core/tests/documents/test_api_documents_retrieve.py
index 91e6ca0e..80b135d3 100644
--- a/src/backend/core/tests/documents/test_api_documents_retrieve.py
+++ b/src/backend/core/tests/documents/test_api_documents_retrieve.py
@@ -37,7 +37,7 @@ def test_api_documents_retrieve_anonymous_public_standalone():
 "cors_proxy": True,
 "descendants": True,
 "destroy": False,
- "duplicate": True,
+ "duplicate": False,
 # Anonymous user can't favorite a document even with read access
 "favorite": False,
 "invite_owner": False,
@@ -105,7 +105,7 @@ def test_api_documents_retrieve_anonymous_public_parent():
 "descendants": True,
 "cors_proxy": True,
 "destroy": False,
- "duplicate": True,
+ "duplicate": False,
 # Anonymous user can't favorite a document even with read access
 "favorite": False,
 "invite_owner": False,
diff --git a/src/backend/core/tests/test_models_documents.py b/src/backend/core/tests/test_models_documents.py
index ae10fb55..1e81e83c 100644
--- a/src/backend/core/tests/test_models_documents.py
+++ b/src/backend/core/tests/test_models_documents.py
@@ -222,7 +222,7 @@ def test_models_documents_get_abilities_reader(
 "descendants": True,
 "cors_proxy": True,
 "destroy": False,
- "duplicate": True,
+ "duplicate": is_authenticated,
 "favorite": is_authenticated,
 "invite_owner": False,
 "link_configuration": False,
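Review bot: The anonymous test now pins `link_role="reader"`, but the rule introduced in models.py (`can_get and user.is_authenticated`) excludes anonymous users whatever the link role grants, so covering only the reader role leaves the editor case, where read access is also implied, untested; the response assertion is outside the hunk. If pytest is already imported in this module, parametrize the role instead of hard-coding it: `@pytest.mark.parametrize("link_role", ["reader", "editor"])` above the def and `document = factories.DocumentFactory(link_reach="public", link_role=link_role)`. The body of test_api_documents_duplicate_anonymous continues past the end of the hunk.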
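Review bot: The comment `# Anonymous user can't favorite a document even with read access` now sits directly under the changed `"duplicate": False` entry but still explains only `favorite`, so the new expectation for `duplicate` is undocumented in the expected-abilities dict; the same applies to the second hunk of this file (at line 105). Change it in both places to `# Anonymous users can't duplicate or favorite a document even with read access` so the two authentication-gated entries are explained together. The enclosing test bodies start and end outside the hunks.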
@@ -285,7 +285,7 @@ def test_models_documents_get_abilities_editor(
 "descendants": True,
 "cors_proxy": True,
 "destroy": False,
- "duplicate": True,
+ "duplicate": is_authenticated,
 "favorite": is_authenticated,
 "invite_owner": False,
 "link_configuration": False,