Disconnecting users when deleting a document access related to a team #969

Open
@sampaccoud

Bug Report

Problematic behavior
When an access is deleted, we make a call to the collaboration server to disconnect the related user:

    CollaborationService().reset_connections(
        str(instance.document.id), str(instance.user.id)
    )

This code is forgetting the fact that an access can be related to a team...

Expected behavior/code
When deleting an access related to a team, all users in the team should be disconnected from the collaboration server.

Note that this bug does not manifest itself in production because we don't make use of team accesses yet.

Possible Solution
Getting the list of users for a team and disconnecting them one by one does not seem to be a good solution and would be fragile.
I would say it is much safer and simpler to disconnect everybody and let the users who still have access reconnect...
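
A minimal model of the reported behaviour and of the "disconnect everybody" option, added here as an illustration; it is not code from the Docs project. `FakeCollaborationServer`, `Access`, the handler names and the optional `user_id` argument of `reset_connections` are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class FakeCollaborationServer:
    """Constructed in-memory stand-in: room id -> connected user ids."""
    rooms: dict = field(default_factory=dict)

    def connect(self, room, user_id):
        self.rooms.setdefault(room, set()).add(user_id)

    def reset_connections(self, room, user_id=None):
        # Assumed semantics: no user_id means "drop every connection in the room".
        if user_id is None:
            self.rooms.pop(room, None)
        else:
            self.rooms.get(room, set()).discard(user_id)


@dataclass
class Access:
    document_id: str
    user_id: Optional[str] = None  # set for a direct user access
    team: Optional[str] = None     # set for a team access


def on_delete_user_only(server, access):
    """Mirrors the reported call: always targets access.user_id."""
    # In this model a team access has user_id None, so no real user matches.
    server.reset_connections(access.document_id, str(access.user_id))


def on_delete_reset_room(server, access):
    """Team access: reset the whole room instead of enumerating members."""
    target = access.user_id if access.team is None else None
    server.reset_connections(access.document_id, target)


def simulate(handler, still_allowed=frozenset({"carol"})):
    """alice and bob connect via team 'editors', carol via a direct access."""
    server = FakeCollaborationServer()
    for user in ("alice", "bob", "carol"):
        server.connect("doc-1", user)
    handler(server, Access("doc-1", team="editors"))
    after_delete = set(server.rooms.get("doc-1", set()))
    # Every client retries; only users who still hold an access get back in.
    for user in sorted(still_allowed):
        server.connect("doc-1", user)
    return after_delete, set(server.rooms.get("doc-1", set()))
```

With the user-only handler the former team members stay connected after the team access is deleted; with the room reset only `carol`, who still holds a direct access, ends up reconnected.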


rielzzapps commented on May 15, 2025

In the non-production server, when you add a team, does it effectively add all users one by one?

Or, should the authorisation server understand that this is a team and that the current user has access because it is a member of that team?

In the last case, it would work much more as I would expect. Also, in the case of adding users to a team, then these users automatically get access to all those files, which is again, what one would expect?

sampaccoud commented on May 15, 2025

Hi @rielzzapps! The way it works is that Docs relies on an external service to get teams for a given user. Any access right can be given to a team the same way it is given to a user, and when it is, all the users who are in the team will get this access right. This way we don't duplicate team definitions in every application of the OIDC federation.

We have not implemented it yet but everything is ready in the backend. The method to get the properties for a user is here and returns an empty list for the moment: https://github.com/suitenumerique/docs/blob/main/src/backend/core/models.py#L342

We want it to work with several team definition services and have included one in https://github.com/suitenumerique/people. Teams will be fetched following the SCIM standard representation and using OIDC resource server for authentication.

@qbey is currently working on it and can maybe give us more details.
