Fix link reach/role and add ancestors link access info #846
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
sampaccoud
added
bug
sampaccoud
force-pushed
the
fix-link_reach_role_and_add_ancestors_info
branch
2 times, most recently
from
28dac80 to
d85d20f
Compare
lunika
approved these changes
Apr 13, 2025
|
@PanchoutNathan The request types |
sampaccoud
force-pushed
the
fix-link_reach_role_and_add_ancestors_info
branch
5 times, most recently
from
61cf214 to
604a491
Compare
lunika
reviewed
May 6, 2025
Comment on lines
-35
to
+38
| id = serializers.SerializerMethodField(read_only=True) | ||
| email = serializers.SerializerMethodField(read_only=True) | ||
|
|
||
| def get_id(self, _user): | ||
| """Return always None. Here to have the same fields than in UserSerializer.""" | ||
| return None | ||
|
|
||
| def get_email(self, _user): | ||
| """Return always None. Here to have the same fields than in UserSerializer.""" | ||
| return None | ||
|
|
||
| class Meta: | ||
| model = models.User | ||
| fields = ["id", "email", "full_name", "short_name"] | ||
| read_only_fields = ["id", "email", "full_name", "short_name"] | ||
| fields = ["full_name", "short_name"] | ||
| read_only_fields = ["full_name", "short_name"] |
There was a problem hiding this comment.
I did that to avoid the front application to have multiple models.
There was a problem hiding this comment.
The question it raised was: how do I differentiate between an model who has the value and the value is None and a model that doesn't have it?
I removed it because I was introducing more differences between the 2 serializers and it would be confusing to have these other fields as well with null values 🤔
sampaccoud
force-pushed
the
fix-link_reach_role_and_add_ancestors_info
branch
from
604a491 to
389e25c
Compare
lunika
approved these changes
May 9, 2025
sampaccoud
force-pushed
the
fix-link_reach_role_and_add_ancestors_info
branch
3 times, most recently
from
4f920d8 to
b9b27b4
Compare
PanchoutNathan
force-pushed
the
fix-link_reach_role_and_add_ancestors_info
branch
from
fc9d049 to
ac0fba4
Compare
sampaccoud
force-pushed
the
fix-link_reach_role_and_add_ancestors_info
branch
from
ac0fba4 to
e683d9f
Compare
We were returning too many select options for the restricted link reach: - when the "restricted" reach is an option (key present in the returned dictionary), the possible values for link roles are now always None to make it clearer that they don't matter and no select box should be shown for roles. - Never propose "restricted" as option for link reach when the ancestors already offer a public access. Indeed, restricted/editor was shown when the ancestors had public/read access. The logic was to propose editor role on more restricted reaches... but this does not make sense for restricted since the role does is not taken into account for this reach. Roles are set by each access line assign to users/teams.
The frontend needs to display inherited link accesses when it displays possible selection options. We need to return this information to the client.
If anonymous users have reader access on a parent, we were considering that an edge use case was interesting: allowing an authenticated user to still be editor on the child. Although this use case could be interesting, we consider, as a first approach, that the value it carries is not big enough to justify the complexity for the user to understand this complex access right heritage.
The document viewset was overriding the get_queryset method from its own mixin. This was a sign that the mixin was not optimal anymore. In the next commit I will need to complexify it further so it's time to refactor the mixin.
The methods to annotate a document queryset were factorized on the viewset but the correct place is the custom queryset itself now that we have one.
The document accesses a user have on a document's ancestors also apply to this document. The frontend needs to list them as "inherited" so we need to add them to the list. Adding a "document_id" field on the output will allow the frontend to differentiate between inherited and direct accesses on a document.
We are going to need to compare choices to materialize the fact that choices are ordered. For example an admin role is higer than an editor role but lower than an owner role. We will need this to compute the reach and role resulting from all the document accesses (resp. link accesses) assigned on a document's ancestors.
This will allow us to simplify the get_abilities method. It is also more efficient because we have computed this definitions dict and the the get_select_options method was doing the conversion again.
The user account created to query the API had a random email that could randomly interfere with our search results.
We were returning the list of roles a user has on a document (direct and inherited). Now that we introduced priority on roles, we are able to determine what is the max role and return only this one. This commit also changes the role that is returned for the restricted reach: we now return None because the role is not relevant in this case.
On a document, we need to display the status of the link (reach and role) as inherited from its ancestors.
On a document, we need to display the status of the link (reach and role) taking into account the ancestors link reach/role as well as the current document.
The latest refactoring in a445278 kept some factorizations that are not legit anymore after the refactoring. It is also cleaner to not make serializer choice in the list view if the reason for this choice is related to something else b/c other views would then use the wrong serializer and that would be a security leak. This commit also fixes a bug in the access rights inheritance: if a user is allowed to see accesses on a document, he should see all acesses related to ancestors, even the ancestors that he can not read. This is because the access that was granted on all ancestors also apply on the current document... so it must be displayed. Lastly, we optimize database queries because the number of accesses we fetch is going up with multi-pages and we were generating a lot of useless queries.
This field is set only on the list view when all accesses for a given document and all its ancestors are listed. It gives the highest role among all accesses related to each document.
If root documents are guaranteed to have a owner, non-root documents will automatically have them as owner by inheritance. We should not require non-root documents to have their own direct owner because this will make it difficult to manage access rights when we move documents around or when we want to remove access rights for someone on a document subtree... There should be as few overrides as possible.
There is a delay between the time the signature is issued and the
time it is checked. Although this delay is minimal, if the signature
is issued at the end of a second, both timestamps can differ of 1s.
> assert response["X-Amz-Date"] == timezone.now().strftime("%Y%m%dT%H%M%SZ")
AssertionError: assert equals failed '20250504T175307Z' '20250504T175308Z'
We took the opportunity of this bug to refactor serializers and permissions as advised one day by @qbey: no permission checks in serializers.
The frontend requires this information about the ancestor document to which each access is related. We make sure it does not generate more db queries and does not fetch useless and heavy fields from the document like "excerpt".
This use case was forgotten when the support for team accesses was added. We add tests to stabilize the feature and its security.
We reduce the number of options even more by treating link reach and link role independently: link reach must be higher than its ancestors' equivalent link reach and link role must be higher than its ancestors' link role. This reduces the number of possibilities but we decided to start with the most restrictive and simple offer and extend it if we realize it faces too many criticism instead of risking to offer too many options that are too complex and must be reduced afterwards.
The frontend needs to know what to display on an access. The maximum role between the access role and the role equivalent to all accesses on the document's ancestors should be computed on the backend.
PanchoutNathan
force-pushed
the
fix-link_reach_role_and_add_ancestors_info
branch
from
e683d9f to
23cf004
Compare
lunika
reviewed
May 15, 2025
| class AccessPermission(permissions.BasePermission): | ||
| """Permission class for access objects.""" | ||
| class ResourceWithAccessPermission(permissions.BasePermission): | ||
| """A permission class for templates.""" |
There was a problem hiding this comment.
This seems also used for Invitations.
Comment on lines
+185
to
+186
| roles = view.template.get_roles(request.user) | ||
| if not set(roles).intersection(set(choices.PRIVILEGED_ROLES)): |
There was a problem hiding this comment.
This is the only difference between TemplateAccessPermission and DocumentAccessPermission. Is there a way to factorize it ?
|
|
||
|
|
||
| class TemplateAccessSerializer(BaseAccessSerializer): | ||
| """Serialize template accesses.""" | ||
| class DocumentMinimalSerializer(serializers.ModelSerializer): |
There was a problem hiding this comment.
What about DocumentLight as we are already using this semantic.
| return None, None | ||
|
|
||
| try: | ||
| return self.user_roles_tuple |
There was a problem hiding this comment.
The way this property can be set is a little bit magic. The only occurrence found is in the DocumentAccessViewset and seems not computed the same way.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Purpose
We are returning too many select options for the link access configuration.
Proposal
Never propose "restricted" as option for link reach when the ancestors already offer a public access. Indeed, restricted/editor was shown when the ancestors had public/read access. The logic was to propose editor role on more restricted reaches... but this does not make sense for restricted since the role does is not taken into account for this reach. Roles are set by each access line assign to users/teams.Never propose "authenticated" as option for link reach when the ancestors already offer a public access whatever the role. The logic was to propose editor role for authenticated user when the public access from ancestors was only readonly... but this was juged too much complexity for not enough value created. It can still be brought back later.Restrict link reach and link role independently. Link reach can only be improved and link role can only be improved.~ This restricts a lot what is possible but we prefer to offer something simple and as easy as possible to understand. We can open more possibilities later if people request the use cases we have ignored.We also realized that we needed to display specific access rights inherited from ancestors. This PR adds inherited accesses to the list of accesses returned for a document on
/api/v1.0/documents/{uuid}/accesses/