✨(backend) introduce Recording model with independent access control

The Recording model is introduced to track recording lifecycle within rooms, while maintaining strict separation of access controls between rooms and recordings. Recordings follow the BaseAccess pattern (similar to Documents in Impress), providing independent access control from room permissions. This ensures that joining a room doesn't automatically grant access to previous recordings, allowing for more flexible permission management. The implementation was driven by TDD, particularly for the get_abilities function, resulting in reduced nesting levels and improved readability. The Recording model is deliberately kept minimal to serve as a foundation for upcoming AI features while maintaining flexibility for future extensions. I have avoided LiveKit-specific terminology for better abstraction. Note: Room access control remains unchanged in this commit, pending future refactor to use BaseAccess pattern (discussed IRL with @sampaccoud).
2024-11-05 10:15:18 +01:00
parent 3b3816b333
commit c504b5262b
5 changed files with 901 additions and 0 deletions
--- a/src/backend/core/tests/test_models_recording.py
+++ b/src/backend/core/tests/test_models_recording.py
@@ -0,0 +1,212 @@
+"""
+Unit tests for the Recording model
+"""
+
+from django.core.exceptions import ValidationError
+
+import pytest
+
+from core.factories import (
+    RecordingFactory,
+    RoomFactory,
+    UserFactory,
+    UserRecordingAccessFactory,
+)
+from core.models import Recording, RecordingStatusChoices
+
+pytestmark = pytest.mark.django_db
+
+
+def test_models_recording_str():
+    """The str representation should be the recording ID."""
+    recording = RecordingFactory()
+    assert str(recording) == f"Recording {recording.id} (initiated)"
+
+
+def test_models_recording_ordering():
+    """Recordings should be returned ordered by created_at in descending order."""
+    RecordingFactory.create_batch(3)
+    recordings = Recording.objects.all()
+    assert recordings[0].created_at >= recordings[1].created_at
+    assert recordings[1].created_at >= recordings[2].created_at
+
+
+def test_models_recording_room_relationship():
+    """It should maintain proper relationship with room."""
+    room = RoomFactory()
+    recording = RecordingFactory(room=room)
+    assert recording.room == room
+    assert recording in room.recordings.all()
+
+
+def test_models_recording_default_status():
+    """A new recording should have INITIATED status by default."""
+    recording = RecordingFactory()
+    assert recording.status == RecordingStatusChoices.INITIATED
+
+
+def test_models_recording_unique_initiated_or_active_per_room():
+    """Only one initiated or active recording should be allowed per room."""
+    room = RoomFactory()
+    RecordingFactory(room=room, status=RecordingStatusChoices.ACTIVE)
+
+    with pytest.raises(ValidationError):
+        RecordingFactory(room=room, status=RecordingStatusChoices.ACTIVE)
+
+    with pytest.raises(ValidationError):
+        RecordingFactory(room=room, status=RecordingStatusChoices.INITIATED)
+
+
+def test_models_recording_multiple_finished_allowed():
+    """Multiple finished recordings should be allowed in the same room."""
+    room = RoomFactory()
+    RecordingFactory(room=room, status=RecordingStatusChoices.SAVED)
+    RecordingFactory(room=room, status=RecordingStatusChoices.SAVED)
+    assert room.recordings.count() == 2
+
+
+# Test get_abilities method
+
+
+@pytest.mark.parametrize(
+    "role",
+    ["owner", "administrator"],
+)
+def test_models_recording_get_abilities_privileges_active(role):
+    """Test abilities for active recording and privileged user."""
+
+    user = UserFactory()
+    access = UserRecordingAccessFactory(role=role, user=user)
+    access.recording.status = RecordingStatusChoices.ACTIVE
+    abilities = access.recording.get_abilities(user)
+
+    assert abilities == {
+        "destroy": False,  # Not final status
+        "partial_update": False,
+        "retrieve": True,  # Privileged users can always retrieve
+        "stop": True,  # Not final status, so can stop
+        "update": False,
+    }
+
+
+def test_models_recording_get_abilities_member_active():
+    """Test abilities for a user who is unprivileged."""
+
+    user = UserFactory()
+    access = UserRecordingAccessFactory(role="member", user=user)
+    access.recording.status = RecordingStatusChoices.ACTIVE
+    abilities = access.recording.get_abilities(user)
+
+    assert abilities == {
+        "destroy": False,
+        "partial_update": False,
+        "retrieve": False,
+        "stop": False,
+        "update": False,
+    }
+
+
+@pytest.mark.parametrize(
+    "role",
+    ["owner", "administrator"],
+)
+def test_models_recording_get_abilities_privileges_final(role):
+    """Test abilities for active recording and privileged user."""
+
+    user = UserFactory()
+    access = UserRecordingAccessFactory(role=role, user=user)
+    access.recording.status = RecordingStatusChoices.SAVED
+    abilities = access.recording.get_abilities(user)
+
+    assert abilities == {
+        "destroy": True,
+        "partial_update": False,
+        "retrieve": True,  # Privileged users can always retrieve
+        "stop": False,  # In final status, so can not stop
+        "update": False,
+    }
+
+
+def test_models_recording_get_abilities_member_final():
+    """Test abilities for a user who is unprivileged."""
+
+    user = UserFactory()
+    access = UserRecordingAccessFactory(role="member", user=user)
+    access.recording.status = RecordingStatusChoices.SAVED
+    abilities = access.recording.get_abilities(user)
+
+    assert abilities == {
+        "destroy": False,
+        "partial_update": False,
+        "retrieve": False,
+        "stop": False,
+        "update": False,
+    }
+
+
+# Test is_savable method
+
+
+def test_models_recording_is_savable_normal():
+    """Test is_savable for normal recording status."""
+    recording = RecordingFactory(status=RecordingStatusChoices.ACTIVE)
+    assert recording.is_savable() is True
+
+
+@pytest.mark.parametrize(
+    "status",
+    [
+        RecordingStatusChoices.FAILED_TO_STOP,
+        RecordingStatusChoices.FAILED_TO_START,
+        RecordingStatusChoices.ABORTED,
+    ],
+)
+def test_models_recording_is_savable_error(status):
+    """Test is_savable for error status."""
+    recording = RecordingFactory(status=status)
+    assert recording.is_savable() is False
+
+
+def test_models_recording_is_savable_already_saved():
+    """Test is_savable for already saved recording."""
+    recording = RecordingFactory(status=RecordingStatusChoices.SAVED)
+    assert recording.is_savable() is False
+
+
+# Test few corner cases
+
+
+def test_models_recording_worker_id_optional():
+    """Worker ID should be optional."""
+    recording = RecordingFactory(worker_id=None)
+    assert recording.worker_id is None
+
+    recording = RecordingFactory(worker_id="worker-123")
+    assert recording.worker_id == "worker-123"
+
+
+def test_models_recording_invalid_status():
+    """Test that setting an invalid status raises an error."""
+    recording = RecordingFactory()
+    recording.status = "INVALID_STATUS"
+    with pytest.raises(ValidationError):
+        recording.save()
+
+
+def test_models_recording_room_deletion():
+    """Test that deleting a room cascades to its recordings."""
+    room = RoomFactory()
+    recording = RecordingFactory(room=room)
+    room.delete()
+    assert not Recording.objects.filter(id=recording.id).exists()
+
+
+def test_models_recording_worker_id_very_long():
+    """Test worker_id with maximum length."""
+    long_id = "w" * 255
+    recording = RecordingFactory(worker_id=long_id)
+    assert recording.worker_id == long_id
+
+    too_long_id = "w" * 256
+    with pytest.raises(ValidationError):
+        RecordingFactory(worker_id=too_long_id)
--- a/src/backend/core/tests/test_models_recording_accesses.py
+++ b/src/backend/core/tests/test_models_recording_accesses.py
@@ -0,0 +1,312 @@
+"""
+Unit tests for the RecordingAccess model
+"""
+
+from django.contrib.auth.models import AnonymousUser
+from django.core.exceptions import ValidationError
+
+import pytest
+
+from core import factories
+
+pytestmark = pytest.mark.django_db
+
+
+def test_models_recording_accesses_str():
+    """
+    The str representation should include user email, recording ID and role.
+    """
+    user = factories.UserFactory(email="david.bowman@example.com")
+    access = factories.UserRecordingAccessFactory(
+        role="member",
+        user=user,
+    )
+    assert (
+        str(access)
+        == f"david.bowman@example.com is member in Recording {access.recording.id} (initiated)"
+    )
+
+
+def test_models_recording_accesses_unique_user():
+    """Recording accesses should be unique for a given couple of user and recording."""
+    access = factories.UserRecordingAccessFactory()
+
+    with pytest.raises(
+        ValidationError,
+        match="This user is already in this recording.",
+    ):
+        factories.UserRecordingAccessFactory(
+            user=access.user, recording=access.recording
+        )
+
+
+def test_models_recording_accesses_several_empty_teams():
+    """A recording can have several recording accesses with an empty team."""
+    access = factories.UserRecordingAccessFactory()
+    factories.UserRecordingAccessFactory(recording=access.recording)
+
+
+def test_models_recording_accesses_unique_team():
+    """Recording accesses should be unique for a given couple of team and recording."""
+    access = factories.TeamRecordingAccessFactory()
+
+    with pytest.raises(
+        ValidationError,
+        match="This team is already in this recording.",
+    ):
+        factories.TeamRecordingAccessFactory(
+            team=access.team, recording=access.recording
+        )
+
+
+def test_models_recording_accesses_several_null_users():
+    """A recording can have several recording accesses with a null user."""
+    access = factories.TeamRecordingAccessFactory()
+    factories.TeamRecordingAccessFactory(recording=access.recording)
+
+
+def test_models_recording_accesses_user_and_team_set():
+    """User and team can't both be set on a recording access."""
+    with pytest.raises(
+        ValidationError,
+        match="Either user or team must be set, not both.",
+    ):
+        factories.UserRecordingAccessFactory(team="my-team")
+
+
+def test_models_recording_accesses_user_and_team_empty():
+    """User and team can't both be empty on a recording access."""
+    with pytest.raises(
+        ValidationError,
+        match="Either user or team must be set, not both.",
+    ):
+        factories.UserRecordingAccessFactory(user=None)
+
+
+# get_abilities
+
+
+def test_models_recording_access_get_abilities_anonymous():
+    """Check abilities returned for an anonymous user."""
+    access = factories.UserRecordingAccessFactory()
+    abilities = access.get_abilities(AnonymousUser())
+    assert abilities == {
+        "destroy": False,
+        "retrieve": False,
+        "update": False,
+        "partial_update": False,
+        "set_role_to": [],
+    }
+
+
+def test_models_recording_access_get_abilities_authenticated():
+    """Check abilities returned for an authenticated user."""
+    access = factories.UserRecordingAccessFactory()
+    user = factories.UserFactory()
+    abilities = access.get_abilities(user)
+    assert abilities == {
+        "destroy": False,
+        "retrieve": False,
+        "update": False,
+        "partial_update": False,
+        "set_role_to": [],
+    }
+
+
+# - for owner
+
+
+def test_models_recording_access_get_abilities_for_owner_of_self_allowed():
+    """
+    Check abilities of self access for the owner of a recording when
+    there is more than one owner left.
+    """
+    access = factories.UserRecordingAccessFactory(role="owner")
+    factories.UserRecordingAccessFactory(recording=access.recording, role="owner")
+    abilities = access.get_abilities(access.user)
+    assert abilities == {
+        "destroy": True,
+        "retrieve": True,
+        "update": True,
+        "partial_update": True,
+        "set_role_to": ["administrator", "member"],
+    }
+
+
+def test_models_recording_access_get_abilities_for_owner_of_self_last():
+    """
+    Check abilities of self access for the owner of a recording when there is only one owner left.
+    """
+    access = factories.UserRecordingAccessFactory(role="owner")
+    abilities = access.get_abilities(access.user)
+    assert abilities == {
+        "destroy": False,
+        "retrieve": True,
+        "update": False,
+        "partial_update": False,
+        "set_role_to": [],
+    }
+
+
+def test_models_recording_access_get_abilities_for_owner_of_owner():
+    """Check abilities of owner access for the owner of a recording."""
+    access = factories.UserRecordingAccessFactory(role="owner")
+    factories.UserRecordingAccessFactory(recording=access.recording)  # another one
+    user = factories.UserRecordingAccessFactory(
+        recording=access.recording, role="owner"
+    ).user
+    abilities = access.get_abilities(user)
+    assert abilities == {
+        "destroy": True,
+        "retrieve": True,
+        "update": True,
+        "partial_update": True,
+        "set_role_to": ["administrator", "member"],
+    }
+
+
+def test_models_recording_access_get_abilities_for_owner_of_administrator():
+    """Check abilities of administrator access for the owner of a recording."""
+    access = factories.UserRecordingAccessFactory(role="administrator")
+    factories.UserRecordingAccessFactory(recording=access.recording)  # another one
+    user = factories.UserRecordingAccessFactory(
+        recording=access.recording, role="owner"
+    ).user
+    abilities = access.get_abilities(user)
+    assert abilities == {
+        "destroy": True,
+        "retrieve": True,
+        "update": True,
+        "partial_update": True,
+        "set_role_to": ["member", "owner"],
+    }
+
+
+def test_models_recording_access_get_abilities_for_owner_of_member():
+    """Check abilities of member access for the owner of a recording."""
+    access = factories.UserRecordingAccessFactory(role="member")
+    factories.UserRecordingAccessFactory(recording=access.recording)  # another one
+    user = factories.UserRecordingAccessFactory(
+        recording=access.recording, role="owner"
+    ).user
+    abilities = access.get_abilities(user)
+    assert abilities == {
+        "destroy": True,
+        "retrieve": True,
+        "update": True,
+        "partial_update": True,
+        "set_role_to": ["administrator", "owner"],
+    }
+
+
+# - for administrator
+
+
+def test_models_recording_access_get_abilities_for_administrator_of_owner():
+    """Check abilities of owner access for the administrator of a recording."""
+    access = factories.UserRecordingAccessFactory(role="owner")
+    factories.UserRecordingAccessFactory(recording=access.recording)  # another one
+    user = factories.UserRecordingAccessFactory(
+        recording=access.recording, role="administrator"
+    ).user
+    abilities = access.get_abilities(user)
+    assert abilities == {
+        "destroy": False,
+        "retrieve": True,
+        "update": False,
+        "partial_update": False,
+        "set_role_to": [],
+    }
+
+
+def test_models_recording_access_get_abilities_for_administrator_of_administrator():
+    """Check abilities of administrator access for the administrator of a recording."""
+    access = factories.UserRecordingAccessFactory(role="administrator")
+    factories.UserRecordingAccessFactory(recording=access.recording)  # another one
+    user = factories.UserRecordingAccessFactory(
+        recording=access.recording, role="administrator"
+    ).user
+    abilities = access.get_abilities(user)
+    assert abilities == {
+        "destroy": True,
+        "retrieve": True,
+        "update": True,
+        "partial_update": True,
+        "set_role_to": ["member"],
+    }
+
+
+def test_models_recording_access_get_abilities_for_administrator_of_member():
+    """Check abilities of member access for the administrator of a recording."""
+    access = factories.UserRecordingAccessFactory(role="member")
+    factories.UserRecordingAccessFactory(recording=access.recording)  # another one
+    user = factories.UserRecordingAccessFactory(
+        recording=access.recording, role="administrator"
+    ).user
+    abilities = access.get_abilities(user)
+    assert abilities == {
+        "destroy": True,
+        "retrieve": True,
+        "update": True,
+        "partial_update": True,
+        "set_role_to": ["administrator"],
+    }
+
+
+# - for member
+
+
+def test_models_recording_access_get_abilities_for_member_of_owner():
+    """Check abilities of owner access for the member of a recording."""
+    access = factories.UserRecordingAccessFactory(role="owner")
+    factories.UserRecordingAccessFactory(recording=access.recording)  # another one
+    user = factories.UserRecordingAccessFactory(
+        recording=access.recording, role="member"
+    ).user
+    abilities = access.get_abilities(user)
+    assert abilities == {
+        "destroy": False,
+        "retrieve": True,
+        "update": False,
+        "partial_update": False,
+        "set_role_to": [],
+    }
+
+
+def test_models_recording_access_get_abilities_for_member_of_administrator():
+    """Check abilities of administrator access for the member of a recording."""
+    access = factories.UserRecordingAccessFactory(role="administrator")
+    factories.UserRecordingAccessFactory(recording=access.recording)  # another one
+    user = factories.UserRecordingAccessFactory(
+        recording=access.recording, role="member"
+    ).user
+    abilities = access.get_abilities(user)
+    assert abilities == {
+        "destroy": False,
+        "retrieve": True,
+        "update": False,
+        "partial_update": False,
+        "set_role_to": [],
+    }
+
+
+def test_models_recording_access_get_abilities_for_member_of_member_user(
+    django_assert_num_queries,
+):
+    """Check abilities of member access for the member of a recording."""
+    access = factories.UserRecordingAccessFactory(role="member")
+    factories.UserRecordingAccessFactory(recording=access.recording)  # another one
+    user = factories.UserRecordingAccessFactory(
+        recording=access.recording, role="member"
+    ).user
+
+    with django_assert_num_queries(1):
+        abilities = access.get_abilities(user)
+
+    assert abilities == {
+        "destroy": False,
+        "retrieve": True,
+        "update": False,
+        "partial_update": False,
+        "set_role_to": [],
+    }