🛂(back) restrict document's duplicate action to authenticated users

The duplicate action was also available to anonymous users if they could
read the document. We have to restrict it to authenticated users with at
least the reader role; otherwise no access will be created on the
duplicated document.
Manuel Raynaud
2025-07-02 13:45:50 +02:00
committed by Anthony LC
parent fc1678d0c2
commit e82e6a1fcf
4 changed files with 6 additions and 6 deletions


@@ -842,7 +842,7 @@ class Document(MP_Node, BaseModel):
"cors_proxy": can_get,
"descendants": can_get,
"destroy": is_owner,
"duplicate": can_get,
"duplicate": can_get and user.is_authenticated,
"favorite": can_get and user.is_authenticated,
"link_configuration": is_owner_or_admin,
"invite_owner": is_owner,
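Review bot: The reason `"duplicate"` now requires `user.is_authenticated` is stated only in the commit message, so in the code the line reads as an unexplained mirror of `"favorite"`. A short comment above it would keep the rationale next to the rule, for example `# an access must be created on the copy, which requires an authenticated user`. The abilities dict starts and ends outside this hunk, and the view that performs the duplication is not shown. It is worth confirming that the view rejects unauthenticated requests itself instead of relying only on this map.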


@@ -60,7 +60,7 @@ def test_api_documents_duplicate_forbidden():
def test_api_documents_duplicate_anonymous():
"""Anonymous users should not be able to duplicate documents even with read access."""
document = factories.DocumentFactory(link_reach="public")
document = factories.DocumentFactory(link_reach="public", link_role="reader")
response = APIClient().post(f"/api/v1.0/documents/{document.id!s}/duplicate/")
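Review bot: The anonymous case is exercised only for `link_role="reader"`, although the new rule denies duplication to every unauthenticated user regardless of link role. Parametrizing the test, e.g. `@pytest.mark.parametrize("link_role", ["reader", "editor"])` with `link_role=link_role` passed to the factory, would pin that an anonymous visitor on a public editor link is rejected too. The assertions are outside this hunk. If they check only the status code, also asserting that no new document was created would cover the failure mode the commit message describes.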


@@ -37,7 +37,7 @@ def test_api_documents_retrieve_anonymous_public_standalone():
"cors_proxy": True,
"descendants": True,
"destroy": False,
"duplicate": True,
"duplicate": False,
# Anonymous user can't favorite a document even with read access
"favorite": False,
"invite_owner": False,
@@ -105,7 +105,7 @@ def test_api_documents_retrieve_anonymous_public_parent():
"descendants": True,
"cors_proxy": True,
"destroy": False,
"duplicate": True,
"duplicate": False,
# Anonymous user can't favorite a document even with read access
"favorite": False,
"invite_owner": False,
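Review bot: The comment `# Anonymous user can't favorite a document even with read access` now sits below the `"duplicate": False` entry, to which it applies equally. This is the case in both hunks of this file (`test_api_documents_retrieve_anonymous_public_standalone` and `test_api_documents_retrieve_anonymous_public_parent`). Moving it above `"duplicate"` and rewording it as `# Anonymous users can't duplicate or favorite a document even with read access` would keep the expected-abilities dict self-explanatory. Both dicts continue outside the hunks.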


@@ -222,7 +222,7 @@ def test_models_documents_get_abilities_reader(
"descendants": True,
"cors_proxy": True,
"destroy": False,
"duplicate": True,
"duplicate": is_authenticated,
"favorite": is_authenticated,
"invite_owner": False,
"link_configuration": False,
@@ -285,7 +285,7 @@ def test_models_documents_get_abilities_editor(
"descendants": True,
"cors_proxy": True,
"destroy": False,
"duplicate": True,
"duplicate": is_authenticated,
"favorite": is_authenticated,
"invite_owner": False,
"link_configuration": False,