Compare commits

...

1 Commits

Author SHA1 Message Date
Sylvain Boissel f4670cd1c5 🐛(backend) create_for_owner: add accesses before saving doc content
We add the User Accesses before saving content so the user is sure to
have access to the the first version when creating a doc through
create_for_owner (fixes #2123)
2026-03-24 19:20:28 +01:00
3 changed files with 44 additions and 1 deletions
+4
View File
@@ -10,6 +10,10 @@ and this project adheres to
- 💄(frontend) improve comments highlights #1961
### Fixed
- 🐛(backend) create_for_owner: add accesses before saving doc content #2124
## [v4.8.3] - 2026-03-23
### Changed
+3 -1
View File
@@ -507,7 +507,6 @@ class ServerCreateDocumentSerializer(serializers.Serializer):
document = models.Document.add_root(
title=validated_data["title"],
content=document_content,
creator=user,
)
@@ -526,6 +525,9 @@ class ServerCreateDocumentSerializer(serializers.Serializer):
role=models.RoleChoices.OWNER,
)
document.content = document_content
document.save()
self._send_email_notification(document, validated_data, email, language)
return document
@@ -594,6 +594,43 @@ def test_api_documents_create_for_owner_with_converter_exception(
assert response.json() == {"content": ["Could not convert content"]}
@override_settings(SERVER_TO_SERVER_API_TOKENS=["DummyToken"])
def test_api_documents_create_for_owner_access_before_content():
"""
Accesses must exist before content is saved to object storage so the owner
has access to the very first version of the document.
"""
user = factories.UserFactory()
accesses_at_save_time = []
original_save_content = Document.save_content
def capturing_save_content(self, content):
accesses_at_save_time.extend(
list(self.accesses.values_list("user__sub", "role"))
)
return original_save_content(self, content)
data = {
"title": "My Document",
"content": "Document content",
"sub": str(user.sub),
"email": user.email,
}
with patch.object(Document, "save_content", capturing_save_content):
response = APIClient().post(
"/api/v1.0/documents/create-for-owner/",
data,
format="json",
HTTP_AUTHORIZATION="Bearer DummyToken",
)
assert response.status_code == 201
# The owner access must already exist when save_content is called
assert (str(user.sub), "owner") in accesses_at_save_time
@override_settings(SERVER_TO_SERVER_API_TOKENS=["DummyToken"])
def test_api_documents_create_for_owner_with_empty_content():
"""The content should not be empty or a 400 error should be raised."""