✨(backend) add document path and depth to accesses endpoint

The frontend requires this information about the ancestor document
to which each access is related. We make sure it does not generate
more db queries and does not fetch useless and heavy fields from
the document like "excerpt".

Author: sampaccoud

src/backend/core/api/serializers.py

@@ -38,83 +38,6 @@ class Meta:
         read_only_fields = ["full_name", "short_name"]
 
 
-class DocumentAccessSerializer(serializers.ModelSerializer):
-    """Serialize document accesses."""
-
-    document_id = serializers.PrimaryKeyRelatedField(
-        read_only=True,
-        source="document",
-    )
-    user_id = serializers.PrimaryKeyRelatedField(
-        queryset=models.User.objects.all(),
-        write_only=True,
-        source="user",
-        required=False,
-        allow_null=True,
-    )
-    user = UserSerializer(read_only=True)
-    abilities = serializers.SerializerMethodField(read_only=True)
-    max_ancestors_role = serializers.SerializerMethodField(read_only=True)
-
-    class Meta:
-        model = models.DocumentAccess
-        resource_field_name = "document"
-        fields = [
-            "id",
-            "document_id",
-            "user",
-            "user_id",
-            "team",
-            "role",
-            "abilities",
-            "max_ancestors_role",
-        ]
-        read_only_fields = ["id", "document_id", "abilities", "max_ancestors_role"]
-
-    def get_abilities(self, instance) -> dict:
-        """Return abilities of the logged-in user on the instance."""
-        request = self.context.get("request")
-        if request:
-            return instance.get_abilities(request.user)
-        return {}
-
-    def get_max_ancestors_role(self, instance):
-        """Return max_ancestors_role if annotated; else None."""
-        return getattr(instance, "max_ancestors_role", None)
-
-    def update(self, instance, validated_data):
-        """Make "user" field is readonly but only on update."""
-        validated_data.pop("user", None)
-        return super().update(instance, validated_data)
-
-
-class DocumentAccessLightSerializer(DocumentAccessSerializer):
-    """Serialize document accesses with limited fields."""
-
-    user = UserLightSerializer(read_only=True)
-
-    class Meta:
-        model = models.DocumentAccess
-        resource_field_name = "document"
-        fields = [
-            "id",
-            "document_id",
-            "user",
-            "team",
-            "role",
-            "abilities",
-            "max_ancestors_role",
-        ]
-        read_only_fields = [
-            "id",
-            "document_id",
-            "team",
-            "role",
-            "abilities",
-            "max_ancestors_role",
-        ]
-
-
 class TemplateAccessSerializer(serializers.ModelSerializer):
     """Serialize template accesses."""
 
@@ -139,6 +62,15 @@ def update(self, instance, validated_data):
         return super().update(instance, validated_data)
 
 
+class DocumentMinimalSerializer(serializers.ModelSerializer):
+    """Minial document serializer for nesting in document accesses."""
+
+    class Meta:
+        model = models.Document
+        fields = ["id", "path", "depth"]
+        read_only_fields = ["id", "path", "depth"]
+
+
 class ListDocumentSerializer(serializers.ModelSerializer):
     """Serialize documents with limited fields for display in lists."""
 
@@ -357,6 +289,82 @@ def save(self, **kwargs):
         return super().save(**kwargs)
 
 
+class DocumentAccessSerializer(serializers.ModelSerializer):
+    """Serialize document accesses."""
+
+    document = DocumentMinimalSerializer(read_only=True)
+    user_id = serializers.PrimaryKeyRelatedField(
+        queryset=models.User.objects.all(),
+        write_only=True,
+        source="user",
+        required=False,
+        allow_null=True,
+    )
+    user = UserSerializer(read_only=True)
+    team = serializers.CharField(required=False, allow_blank=True)
+    abilities = serializers.SerializerMethodField(read_only=True)
+    max_ancestors_role = serializers.SerializerMethodField(read_only=True)
+
+    class Meta:
+        model = models.DocumentAccess
+        resource_field_name = "document"
+        fields = [
+            "id",
+            "document",
+            "user",
+            "user_id",
+            "team",
+            "role",
+            "abilities",
+            "max_ancestors_role",
+        ]
+        read_only_fields = ["id", "document", "abilities", "max_ancestors_role"]
+
+    def get_abilities(self, instance) -> dict:
+        """Return abilities of the logged-in user on the instance."""
+        request = self.context.get("request")
+        if request:
+            return instance.get_abilities(request.user)
+        return {}
+
+    def get_max_ancestors_role(self, instance):
+        """Return max_ancestors_role if annotated; else None."""
+        return getattr(instance, "max_ancestors_role", None)
+
+    def update(self, instance, validated_data):
+        """Make "user" field readonly but only on update."""
+        validated_data.pop("team", None)
+        validated_data.pop("user", None)
+        return super().update(instance, validated_data)
+
+
+class DocumentAccessLightSerializer(DocumentAccessSerializer):
+    """Serialize document accesses with limited fields."""
+
+    user = UserLightSerializer(read_only=True)
+
+    class Meta:
+        model = models.DocumentAccess
+        resource_field_name = "document"
+        fields = [
+            "id",
+            "document",
+            "user",
+            "team",
+            "role",
+            "abilities",
+            "max_ancestors_role",
+        ]
+        read_only_fields = [
+            "id",
+            "document",
+            "team",
+            "role",
+            "abilities",
+            "max_ancestors_role",
+        ]
+
+
 class ServerCreateDocumentSerializer(serializers.Serializer):
     """
     Serializer for creating a document from a server-to-server request.

src/backend/core/api/viewsets.py

@@ -1359,7 +1359,20 @@ class DocumentAccessViewSet(
 
     lookup_field = "pk"
     permission_classes = [permissions.DocumentAccessPermission]
-    queryset = models.DocumentAccess.objects.select_related("user").all()
+    queryset = models.DocumentAccess.objects.select_related("user", "document").only(
+        "id",
+        "created_at",
+        "role",
+        "team",
+        "user__id",
+        "user__short_name",
+        "user__full_name",
+        "user__email",
+        "user__language",
+        "document__id",
+        "document__path",
+        "document__depth",
+    )
     resource_field_name = "document"
 
     @cached_property
@@ -1398,37 +1411,33 @@ def list(self, request, *args, **kwargs):
         if role not in choices.PRIVILEGED_ROLES:
             queryset = queryset.filter(role__in=choices.PRIVILEGED_ROLES)
 
-        accesses = list(
-            queryset.annotate(document_path=db.F("document__path")).order_by(
-                "document_path"
-            )
-        )
+        accesses = list(queryset.order_by("document__path"))
 
         # Annotate more information on roles
         key_to_max_ancestors_role = defaultdict(lambda: None)
         path_to_ancestors_roles = defaultdict(list)
         path_to_role = defaultdict(lambda: None)
         for access in accesses:
             key = access.target_key
-            if access.document_path != self.document.path:
+            if access.document.path != self.document.path:
                 key_to_max_ancestors_role[key] = choices.RoleChoices.max(
                     key_to_max_ancestors_role[key], access.role
                 )
 
             if access.user_id == user.id or access.team in user.teams:
-                parent_path = access.document_path[: -models.Document.steplen]
+                parent_path = access.document.path[: -models.Document.steplen]
                 if parent_path:
-                    path_to_ancestors_roles[access.document_path].extend(
+                    path_to_ancestors_roles[access.document.path].extend(
                         path_to_ancestors_roles[parent_path]
                     )
-                    path_to_ancestors_roles[access.document_path].append(
+                    path_to_ancestors_roles[access.document.path].append(
                         path_to_role[parent_path]
                     )
                 else:
-                    path_to_ancestors_roles[access.document_path] = []
+                    path_to_ancestors_roles[access.document.path] = []
 
-                path_to_role[access.document_path] = choices.RoleChoices.max(
-                    path_to_role[access.document_path], access.role
+                path_to_role[access.document.path] = choices.RoleChoices.max(
+                    path_to_role[access.document.path], access.role
                 )
 
         # serialize and return the response
@@ -1438,8 +1447,8 @@ def list(self, request, *args, **kwargs):
         for access in accesses:
             access.max_ancestors_role = key_to_max_ancestors_role[access.target_key]
             access.user_roles_tuple = (
-                choices.RoleChoices.max(*path_to_ancestors_roles[access.document_path]),
-                path_to_role.get(access.document_path),
+                choices.RoleChoices.max(*path_to_ancestors_roles[access.document.path]),
+                path_to_role.get(access.document.path),
             )
             serializer = serializer_class(access, context=context)
             serialized_data.append(serializer.data)

src/backend/core/models.py

@@ -1095,9 +1095,7 @@ def get_abilities(self, user):
         if self.role == RoleChoices.OWNER:
             can_delete = role == RoleChoices.OWNER and (
                 # check if document is not root trying to avoid an extra query
-                # "document_path" is annotated by the viewset's list method
-                len(getattr(self, "document_path", "")) > Document.steplen
-                or not self.document.is_root()
+                self.document.depth > 1
                 or DocumentAccess.objects.filter(
                     document_id=self.document_id, role=RoleChoices.OWNER
                 ).count()

src/backend/core/tests/documents/test_api_document_accesses.py

@@ -139,7 +139,11 @@ def test_api_document_accesses_list_authenticated_related_non_privileged(
         [
             {
                 "id": str(access.id),
-                "document_id": str(access.document_id),
+                "document": {
+                    "id": str(access.document_id),
+                    "path": access.document.path,
+                    "depth": access.document.depth,
+                },
                 "user": {
                     "full_name": access.user.full_name,
                     "short_name": access.user.short_name,
@@ -236,7 +240,11 @@ def test_api_document_accesses_list_authenticated_related_privileged(
         [
             {
                 "id": str(access.id),
-                "document_id": str(access.document_id),
+                "document": {
+                    "id": str(access.document_id),
+                    "path": access.document.path,
+                    "depth": access.document.depth,
+                },
                 "user": {
                     "id": str(access.user.id),
                     "email": access.user.email,
@@ -533,7 +541,11 @@ def test_api_document_accesses_retrieve_authenticated_related(
         assert response.status_code == 200
         assert response.json() == {
             "id": str(access.id),
-            "document_id": str(access.document_id),
+            "document": {
+                "id": str(access.document_id),
+                "path": access.document.path,
+                "depth": access.document.depth,
+            },
             "user": access_user,
             "team": "",
             "role": access.role,

src/backend/core/tests/documents/test_api_document_accesses_create.py

@@ -170,12 +170,16 @@ def test_api_document_accesses_create_authenticated_administrator(
     other_user = serializers.UserSerializer(instance=other_user).data
     assert response.json() == {
         "abilities": new_document_access.get_abilities(user),
-        "document_id": str(new_document_access.document_id),
+        "document": {
+            "id": str(new_document_access.document_id),
+            "depth": new_document_access.document.depth,
+            "path": new_document_access.document.path,
+        },
         "id": str(new_document_access.id),
+        "user": other_user,
         "team": "",
         "role": role,
         "max_ancestors_role": None,
-        "user": other_user,
     }
     assert len(mail.outbox) == 1
     email = mail.outbox[0]
@@ -236,7 +240,11 @@ def test_api_document_accesses_create_authenticated_owner(via, depth, mock_user_
     new_document_access = models.DocumentAccess.objects.filter(user=other_user).get()
     other_user = serializers.UserSerializer(instance=other_user).data
     assert response.json() == {
-        "document_id": str(new_document_access.document_id),
+        "document": {
+            "id": str(new_document_access.document_id),
+            "path": new_document_access.document.path,
+            "depth": new_document_access.document.depth,
+        },
         "id": str(new_document_access.id),
         "user": other_user,
         "team": "",
@@ -302,7 +310,11 @@ def test_api_document_accesses_create_email_in_receivers_language(via, mock_user
         ).get()
         other_user_data = serializers.UserSerializer(instance=other_user).data
         assert response.json() == {
-            "document_id": str(new_document_access.document_id),
+            "document": {
+                "id": str(new_document_access.document_id),
+                "path": new_document_access.document.path,
+                "depth": new_document_access.document.depth,
+            },
             "id": str(new_document_access.id),
             "user": other_user_data,
             "team": "",