Skip to content

🔒️(back) restrict accesss to document accesses #801

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Mar 26, 2025
Merged

🔒️(back) restrict accesss to document accesses #801

merged 1 commit into from
Mar 26, 2025

Conversation

lunika
Copy link
Member

@lunika lunika commented Mar 24, 2025

Purpose

Every user having an access to a document, no matter its role have access to the entire accesses list with all the user details. Only owner or admin should be able to have the entire list, for the other roles, they have access to the list containing only owner and administrator with less information on the username. The email and its id is removed

Proposal

  • 🔒️(back) restrict accesss to document accesses

@lunika lunika requested review from sampaccoud and qbey March 24, 2025 22:44
@lunika lunika self-assigned this Mar 24, 2025
@lunika lunika force-pushed the refactor/docs-accesses branch from ffd4673 to f242a57 Compare March 24, 2025 22:50
qbey
qbey reviewed Mar 25, 2025
View reviewed changes
src/backend/core/api/viewsets.py
Comment on lines +1462 to +1465
try:
document = models.Document.objects.get(pk=self.kwargs["resource_id"])
except models.Document.DoesNotExist:
return queryset.none()
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Isn't that weird the document is not always checked? Shouldn't we return 404 in those case (more global than just the list).
No change required in this PR anyway (because I guess it would have too much impact).

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I totally agree with you. I discover this while working on this PR. IMO it has been done this way to avoid one more query to test if the Document exists or not.
I wrote a test proving that we never have a 404, we should probably do something on this subject.

src/backend/core/api/viewsets.py
self.is_current_user_owner_or_admin = is_owner_or_admin
if not is_owner_or_admin:
# Return only the document owner access
queryset = queryset.filter(role__in=models.PRIVILEGED_ROLES)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we really need to display those roles to readers? Should we display only the owner?

Copy link
Member Author

@lunika lunika Mar 25, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm open on this suggestion. In a first time I limited only to owners. But as administrator have the same permissions I made the choice to also return both owners and administrators.

@lunika lunika requested a review from qbey March 25, 2025 14:24
@lunika
🔒️(back) restrict accesss to document accesses
12ffc25 
Every user having an access to a document, no matter its role have
access to the entire accesses list with all the user details. Only
owner or admin should be able to have the entire list, for the other
roles, they have access to the list containing only owner and
administrator with less information on the username. The email and its
id is removed
@lunika lunika force-pushed the refactor/docs-accesses branch from 40b433d to 12ffc25 Compare March 26, 2025 09:27
@lunika lunika enabled auto-merge (rebase) March 26, 2025 09:27
@lunika lunika merged commit a445278 into main Mar 26, 2025
19 checks passed
@lunika lunika deleted the refactor/docs-accesses branch March 26, 2025 09:40
This was referenced Mar 28, 2025
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@qbey qbey qbey approved these changes

@sampaccoud sampaccoud Awaiting requested review from sampaccoud

Assignees

@lunika lunika

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@lunika @qbey