✨(backend) add max ancestors role field to document access endpoint

sampaccoud · sampaccoud · commit 883be718359c · 2025-05-04T22:45:00.000+02:00
This field is set only on the list view when all accesses for a given
document and all its ancestors are listed. It gives the highest role
among all accesses related to each document.
diff --git a/src/backend/core/api/serializers.py b/src/backend/core/api/serializers.py
@@ -124,6 +124,7 @@ class DocumentAccessSerializer(BaseAccessSerializer):
         allow_null=True,
     )
     user = UserSerializer(read_only=True)
+    max_ancestors_role = serializers.SerializerMethodField(read_only=True)
 
     class Meta:
         model = models.DocumentAccess
@@ -136,8 +137,13 @@ class Meta:
             "team",
             "role",
             "abilities",
+            "max_ancestors_role",
         ]
-        read_only_fields = ["id", "document_id", "abilities"]
+        read_only_fields = ["id", "document_id", "abilities", "max_ancestors_role"]
+
+    def get_max_ancestors_role(self, instance):
+        """Return max_ancestors_role if annotated; else None."""
+        return getattr(instance, "max_ancestors_role", None)
 
 
 class DocumentAccessLightSerializer(DocumentAccessSerializer):
@@ -155,13 +161,15 @@ class Meta:
             "team",
             "role",
             "abilities",
+            "max_ancestors_role",
         ]
         read_only_fields = [
             "id",
             "document_id",
             "team",
             "role",
             "abilities",
+            "max_ancestors_role",
         ]
 
 
diff --git a/src/backend/core/api/viewsets.py b/src/backend/core/api/viewsets.py
@@ -1395,9 +1395,16 @@ def list(self, request, *args, **kwargs):
         )
 
         # Annotate more information on roles
+        key_to_max_ancestors_role = defaultdict(lambda: None)
         path_to_ancestors_roles = defaultdict(list)
         path_to_role = defaultdict(lambda: None)
         for access in accesses:
+            key = access.target_key
+            if access.document_path != self.document.path:
+                key_to_max_ancestors_role[key] = choices.RoleChoices.max(
+                    key_to_max_ancestors_role[key], access.role
+                )
+
             if access.user_id == user.id or access.team in user.teams:
                 parent_path = access.document_path[: -models.Document.steplen]
                 if parent_path:
@@ -1419,6 +1426,7 @@ def list(self, request, *args, **kwargs):
         serializer_class = self.get_serializer_class()
         serialized_data = []
         for access in accesses:
+            access.max_ancestors_role = key_to_max_ancestors_role[access.target_key]
             access.user_roles_tuple = (
                 choices.RoleChoices.max(*path_to_ancestors_roles[access.document_path]),
                 path_to_role.get(access.document_path),
diff --git a/src/backend/core/tests/documents/test_api_document_accesses.py b/src/backend/core/tests/documents/test_api_document_accesses.py
@@ -148,6 +148,9 @@ def test_api_document_accesses_list_authenticated_related_non_privileged(
                 else None,
                 "team": access.team,
                 "role": access.role,
+                "max_ancestors_role": access.role
+                if access.document_id != document.id
+                else None,
                 "abilities": {
                     "destroy": False,
                     "partial_update": False,
@@ -248,6 +251,9 @@ def test_api_document_accesses_list_authenticated_related_privileged(
                 }
                 if access.user
                 else None,
+                "max_ancestors_role": access.role
+                if access.document_id != document.id
+                else None,
                 "team": access.team,
                 "role": access.role,
                 "abilities": access.get_abilities(user),
@@ -258,6 +264,174 @@ def test_api_document_accesses_list_authenticated_related_privileged(
     )
 
 
+@pytest.mark.parametrize(
+    "roles,results",
+    [
+        [
+            ["administrator", "reader", "reader", "reader"],
+            [
+                ["reader", "editor", "administrator"],
+                [],
+                [],
+                ["reader", "editor", "administrator"],
+            ],
+        ],
+        [
+            ["owner", "reader", "reader", "reader"],
+            [[], [], [], ["reader", "editor", "administrator", "owner"]],
+        ],
+        [
+            ["owner", "reader", "reader", "owner"],
+            [
+                ["reader", "editor", "administrator", "owner"],
+                [],
+                [],
+                ["reader", "editor", "administrator", "owner"],
+            ],
+        ],
+    ],
+)
+def test_api_document_accesses_list_authenticated_related_same_user(roles, results):
+    """
+    The maximum role across ancestor documents and set_role_to optionsfor
+    a given user should be filled as expected.
+    """
+    user = factories.UserFactory()
+    client = APIClient()
+    client.force_login(user)
+
+    # Create documents structured as a tree
+    grand_parent = factories.DocumentFactory(link_reach="authenticated")
+    parent = factories.DocumentFactory(parent=grand_parent)
+    document = factories.DocumentFactory(parent=parent)
+
+    # Create accesses for another user
+    other_user = factories.UserFactory()
+    accesses = [
+        factories.UserDocumentAccessFactory(
+            document=document, user=user, role=roles[0]
+        ),
+        factories.UserDocumentAccessFactory(
+            document=grand_parent, user=other_user, role=roles[1]
+        ),
+        factories.UserDocumentAccessFactory(
+            document=parent, user=other_user, role=roles[2]
+        ),
+        factories.UserDocumentAccessFactory(
+            document=document, user=other_user, role=roles[3]
+        ),
+    ]
+
+    response = client.get(f"/api/v1.0/documents/{document.id!s}/accesses/")
+
+    assert response.status_code == 200
+    content = response.json()
+    assert len(content) == 4
+
+    for result in content:
+        assert (
+            result["max_ancestors_role"] is None
+            if result["user"]["id"] == str(user.id)
+            else choices.RoleChoices.max(roles[1], roles[2])
+        )
+
+    result_dict = {
+        result["id"]: result["abilities"]["set_role_to"] for result in content
+    }
+    assert [result_dict[str(access.id)] for access in accesses] == results
+
+
+@pytest.mark.parametrize(
+    "roles,results",
+    [
+        [
+            ["administrator", "reader", "reader", "reader"],
+            [
+                ["reader", "editor", "administrator"],
+                [],
+                [],
+                ["reader", "editor", "administrator"],
+            ],
+        ],
+        [
+            ["owner", "reader", "reader", "reader"],
+            [[], [], [], ["reader", "editor", "administrator", "owner"]],
+        ],
+        [
+            ["owner", "reader", "reader", "owner"],
+            [
+                ["reader", "editor", "administrator", "owner"],
+                [],
+                [],
+                ["reader", "editor", "administrator", "owner"],
+            ],
+        ],
+        [
+            ["reader", "reader", "reader", "owner"],
+            [["reader", "editor", "administrator", "owner"], [], [], []],
+        ],
+        [
+            ["reader", "administrator", "reader", "editor"],
+            [[], ["reader", "editor", "administrator"], [], []],
+        ],
+        [
+            ["reader", "editor", "administrator", "editor"],
+            [[], [], ["editor", "administrator"], []],
+        ],
+    ],
+)
+def test_api_document_accesses_list_authenticated_related_same_team(
+    roles, results, mock_user_teams
+):
+    """
+    The maximum role across ancestor documents and set_role_to optionsfor
+    a given team should be filled as expected.
+    """
+    user = factories.UserFactory()
+    client = APIClient()
+    client.force_login(user)
+
+    # Create documents structured as a tree
+    grand_parent = factories.DocumentFactory(link_reach="authenticated")
+    parent = factories.DocumentFactory(parent=grand_parent)
+    document = factories.DocumentFactory(parent=parent)
+
+    mock_user_teams.return_value = ["lasuite", "unknown"]
+    accesses = [
+        factories.UserDocumentAccessFactory(
+            document=document, user=user, role=roles[0]
+        ),
+        # Create accesses for a team
+        factories.TeamDocumentAccessFactory(
+            document=grand_parent, team="lasuite", role=roles[1]
+        ),
+        factories.TeamDocumentAccessFactory(
+            document=parent, team="lasuite", role=roles[2]
+        ),
+        factories.TeamDocumentAccessFactory(
+            document=document, team="lasuite", role=roles[3]
+        ),
+    ]
+
+    response = client.get(f"/api/v1.0/documents/{document.id!s}/accesses/")
+
+    assert response.status_code == 200
+    content = response.json()
+    assert len(content) == 4
+
+    for result in content:
+        assert (
+            result["max_ancestors_role"] is None
+            if result["user"] and result["user"]["id"] == str(user.id)
+            else choices.RoleChoices.max(roles[1], roles[2])
+        )
+
+    result_dict = {
+        result["id"]: result["abilities"]["set_role_to"] for result in content
+    }
+    assert [result_dict[str(access.id)] for access in accesses] == results
+
+
 def test_api_document_accesses_retrieve_anonymous():
     """
     Anonymous users should not be allowed to retrieve a document access.
@@ -353,6 +527,7 @@ def test_api_document_accesses_retrieve_authenticated_related(
             "user": access_user,
             "team": "",
             "role": access.role,
+            "max_ancestors_role": None,
             "abilities": access.get_abilities(user),
         }
 
diff --git a/src/backend/core/tests/documents/test_api_document_accesses_create.py b/src/backend/core/tests/documents/test_api_document_accesses_create.py
@@ -169,6 +169,7 @@ def test_api_document_accesses_create_authenticated_administrator(via, mock_user
         "id": str(new_document_access.id),
         "team": "",
         "role": role,
+        "max_ancestors_role": None,
         "user": other_user,
     }
     assert len(mail.outbox) == 1
@@ -228,6 +229,7 @@ def test_api_document_accesses_create_authenticated_owner(via, mock_user_teams):
         "user": other_user,
         "team": "",
         "role": role,
+        "max_ancestors_role": None,
         "abilities": new_document_access.get_abilities(user),
     }
     assert len(mail.outbox) == 1
@@ -293,6 +295,7 @@ def test_api_document_accesses_create_email_in_receivers_language(via, mock_user
             "user": other_user_data,
             "team": "",
             "role": role,
+            "max_ancestors_role": None,
             "abilities": new_document_access.get_abilities(user),
         }
         assert len(mail.outbox) == index + 1
