diff --git a/src/backend/core/models.py b/src/backend/core/models.py
index d5e8cf9a..941c72ec 100644
--- a/src/backend/core/models.py
+++ b/src/backend/core/models.py
@@ -721,7 +721,7 @@ class Document(MP_Node, BaseModel):
 # Characteristics that are based only on specific access
 is_owner = role == RoleChoices.OWNER
- is_deleted = self.ancestors_deleted_at and not is_owner
+ is_deleted = self.ancestors_deleted_at
 is_owner_or_admin = (is_owner or role == RoleChoices.ADMIN) and not is_deleted
 # Compute access roles before adding link roles because we don't
@@ -750,6 +750,7 @@ class Document(MP_Node, BaseModel):
 role = RoleChoices.max(role, link_definition["link_role"])
 can_get = bool(role) and not is_deleted
+ retrieve = can_get or is_owner
 can_update = (
 is_owner_or_admin or role == RoleChoices.EDITOR
 ) and not is_deleted
@@ -758,7 +759,7 @@ class Document(MP_Node, BaseModel):
 is_owner
 if self.is_root()
 else (is_owner_or_admin or (user.is_authenticated and self.creator == user))
- )
+ ) and not is_deleted
 ai_allow_reach_from = settings.AI_ALLOW_REACH_FROM
 ai_access = any(
@@ -790,15 +791,15 @@ class Document(MP_Node, BaseModel):
 "duplicate": can_get and user.is_authenticated,
 "favorite": can_get and user.is_authenticated,
 "link_configuration": is_owner_or_admin,
- "invite_owner": is_owner,
+ "invite_owner": is_owner and not is_deleted,
 "mask": can_get and user.is_authenticated,
- "move": is_owner_or_admin and not self.ancestors_deleted_at,
+ "move": is_owner_or_admin and not is_deleted,
 "partial_update": can_update,
 "restore": is_owner,
- "retrieve": can_get,
+ "retrieve": retrieve,
 "media_auth": can_get,
 "link_select_options": link_select_options,
- "tree": can_get,
+ "tree": retrieve,
 "update": can_update,
 "versions_destroy": is_owner_or_admin,
 "versions_list": has_access_role,
diff --git a/src/backend/core/tests/documents/test_api_documents_trashbin.py b/src/backend/core/tests/documents/test_api_documents_trashbin.py
index 0d82602b..fbcc2317 100644
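Review bot: In the first `models.py` hunk, `is_deleted` is now assigned `self.ancestors_deleted_at` directly, so a name that reads as a boolean carries whatever that field holds (by its name a timestamp or `None`). Every use visible in this diff has the form `... and not is_deleted`, which yields a bool, but a later `is_deleted and ...` would put a non-boolean into the abilities mapping. I would pin the type at the assignment: `is_deleted = bool(self.ancestors_deleted_at)`. The enclosing method starts and ends outside the hunk.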
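Review bot: `retrieve = can_get or is_owner` (second `models.py` hunk) is the only expression where ownership overrides `is_deleted`, and the line carries no comment saying this is deliberate. Because the flag is derived from `ancestors_deleted_at`, it presumably also covers a document whose parent was deleted, so the owner of such a child keeps `retrieve` and `tree`; the tests in this diff only exercise `document.soft_delete()` on the document itself. If that is intended, add a comment such as `# Owners can still retrieve a soft-deleted document so that it can be listed and restored.` and consider a test for the deleted-ancestor case.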
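Review bot: The abilities mapping in the last `models.py` hunk relies on each entry remembering to exclude deleted documents: most do so through `can_get`, `can_update` or `is_owner_or_admin`, `invite_owner` needs an explicit `and not is_deleted`, and `restore` stays on bare `is_owner`. An entry added later with bare `is_owner` would remain granted on a trashed document. A comment above the mapping would record the rule the updated tests encode: `# On a deleted document only "restore", "retrieve" and "tree" are granted; gate every other ability on is_deleted.` The mapping begins and ends outside the hunk.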
--- a/src/backend/core/tests/documents/test_api_documents_trashbin.py
+++ b/src/backend/core/tests/documents/test_api_documents_trashbin.py
@@ -70,40 +70,40 @@ def test_api_documents_trashbin_format():
 assert results[0] == {
 "id": str(document.id),
 "abilities": {
- "accesses_manage": True,
- "accesses_view": True,
- "ai_transform": True,
- "ai_translate": True,
- "attachment_upload": True,
- "can_edit": True,
- "children_create": True,
- "children_list": True,
- "collaboration_auth": True,
- "descendants": True,
- "cors_proxy": True,
- "content": True,
- "destroy": True,
- "duplicate": True,
- "favorite": True,
- "invite_owner": True,
- "link_configuration": True,
+ "accesses_manage": False,
+ "accesses_view": False,
+ "ai_transform": False,
+ "ai_translate": False,
+ "attachment_upload": False,
+ "can_edit": False,
+ "children_create": False,
+ "children_list": False,
+ "collaboration_auth": False,
+ "descendants": False,
+ "cors_proxy": False,
+ "content": False,
+ "destroy": False,
+ "duplicate": False,
+ "favorite": False,
+ "invite_owner": False,
+ "link_configuration": False,
 "link_select_options": {
 "authenticated": ["reader", "editor"],
 "public": ["reader", "editor"],
 "restricted": None,
 },
- "mask": True,
- "media_auth": True,
- "media_check": True,
+ "mask": False,
+ "media_auth": False,
+ "media_check": False,
 "move": False, # Can't move a deleted document
- "partial_update": True,
+ "partial_update": False,
 "restore": True,
 "retrieve": True,
 "tree": True,
- "update": True,
- "versions_destroy": True,
- "versions_list": True,
- "versions_retrieve": True,
+ "update": False,
+ "versions_destroy": False,
+ "versions_list": False,
+ "versions_retrieve": False,
 },
 "ancestors_link_reach": None,
 "ancestors_link_role": None,
diff --git a/src/backend/core/tests/test_models_documents.py b/src/backend/core/tests/test_models_documents.py
index cc760aff..69236b6e 100644
--- a/src/backend/core/tests/test_models_documents.py
+++ b/src/backend/core/tests/test_models_documents.py
@@ -375,8 +375,42 @@ def test_models_documents_get_abilities_owner(django_assert_num_queries):
 document.soft_delete()
 document.refresh_from_db()
- expected_abilities["move"] = False
- assert document.get_abilities(user) == expected_abilities
+ assert document.get_abilities(user) == {
+ "accesses_manage": False,
+ "accesses_view": False,
+ "ai_transform": False,
+ "ai_translate": False,
+ "attachment_upload": False,
+ "can_edit": False,
+ "children_create": False,
+ "children_list": False,
+ "collaboration_auth": False,
+ "descendants": False,
+ "cors_proxy": False,
+ "content": False,
+ "destroy": False,
+ "duplicate": False,
+ "favorite": False,
+ "invite_owner": False,
+ "link_configuration": False,
+ "link_select_options": {
+ "authenticated": ["reader", "editor"],
+ "public": ["reader", "editor"],
+ "restricted": None,
+ },
+ "mask": False,
+ "media_auth": False,
+ "media_check": False,
+ "move": False,
+ "partial_update": False,
+ "restore": True,
+ "retrieve": True,
+ "tree": True,
+ "update": False,
+ "versions_destroy": False,
+ "versions_list": False,
+ "versions_retrieve": False,
+ }
 @override_settings(