✨(backend) add ancestors links definitions to document abilities

sampaccoud · sampaccoud · commit 28dac806d539 · 2025-04-06T21:32:21.000+02:00
The frontend needs to display inherited link accesses when it displays
possible selection options. We need to return this information to the
client.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,6 +10,7 @@ and this project adheres to
 
 ## Added
 
+- ✨(backend) add ancestors links definitions to document abilities #846
 - 🚩(backend) add feature flag for the footer #841
 - 🔧(backend) add view to manage footer json #841
 
diff --git a/src/backend/core/models.py b/src/backend/core/models.py
@@ -749,17 +749,16 @@ def get_roles(self, user):
                 roles = []
         return roles
 
-    def get_links_definitions(self, ancestors_links):
-        """Get links reach/role definitions for the current document and its ancestors."""
+    def get_ancestors_links_definitions(self, ancestors_links):
+        """Get links reach/role definitions for ancestors of the current document."""
 
-        links_definitions = defaultdict(set)
-        links_definitions[self.link_reach].add(self.link_role)
-
-        # Merge ancestor link definitions
+        ancestors_links_definitions = defaultdict(set)
         for ancestor in ancestors_links:
-            links_definitions[ancestor["link_reach"]].add(ancestor["link_role"])
+            ancestors_links_definitions[ancestor["link_reach"]].add(
+                ancestor["link_role"]
+            )
 
-        return dict(links_definitions)  # Convert defaultdict back to a normal dict
+        return ancestors_links_definitions
 
     def compute_ancestors_links(self, user):
         """
@@ -815,10 +814,20 @@ def get_abilities(self, user, ancestors_links=None):
         ) and not is_deleted
 
         # Add roles provided by the document link, taking into account its ancestors
-        links_definitions = self.get_links_definitions(ancestors_links)
-        public_roles = links_definitions.get(LinkReachChoices.PUBLIC, set())
+        ancestors_links_definitions = self.get_ancestors_links_definitions(
+            ancestors_links
+        )
+
+        public_roles = ancestors_links_definitions.get(
+            LinkReachChoices.PUBLIC, set()
+        ) | ({self.link_role} if self.link_reach == LinkReachChoices.PUBLIC else set())
         authenticated_roles = (
-            links_definitions.get(LinkReachChoices.AUTHENTICATED, set())
+            ancestors_links_definitions.get(LinkReachChoices.AUTHENTICATED, set())
+            | (
+                {self.link_role}
+                if self.link_reach == LinkReachChoices.AUTHENTICATED
+                else set()
+            )
             if user.is_authenticated
             else set()
         )
@@ -862,6 +871,9 @@ def get_abilities(self, user, ancestors_links=None):
             "restore": is_owner,
             "retrieve": can_get,
             "media_auth": can_get,
+            "ancestors_links_definitions": {
+                k: list(v) for k, v in ancestors_links_definitions.items()
+            },
             "link_select_options": LinkReachChoices.get_select_options(ancestors_links),
             "tree": can_get,
             "update": can_update,
diff --git a/src/backend/core/tests/documents/test_api_documents_retrieve.py b/src/backend/core/tests/documents/test_api_documents_retrieve.py
@@ -42,6 +42,7 @@ def test_api_documents_retrieve_anonymous_public_standalone():
             "favorite": False,
             "invite_owner": False,
             "link_configuration": False,
+            "ancestors_links_definitions": {},
             "link_select_options": {
                 "authenticated": ["reader", "editor"],
                 "public": ["reader", "editor"],
@@ -97,6 +98,10 @@ def test_api_documents_retrieve_anonymous_public_parent():
             "accesses_view": False,
             "ai_transform": False,
             "ai_translate": False,
+            "ancestors_links_definitions": {
+                "public": [grand_parent.link_role],
+                parent.link_reach: [parent.link_role],
+            },
             "attachment_upload": grand_parent.link_role == "editor",
             "children_create": False,
             "children_list": True,
@@ -193,6 +198,7 @@ def test_api_documents_retrieve_authenticated_unrelated_public_or_authenticated(
             "accesses_view": False,
             "ai_transform": document.link_role == "editor",
             "ai_translate": document.link_role == "editor",
+            "ancestors_links_definitions": {},
             "attachment_upload": document.link_role == "editor",
             "children_create": document.link_role == "editor",
             "children_list": True,
@@ -267,6 +273,10 @@ def test_api_documents_retrieve_authenticated_public_or_authenticated_parent(rea
             "accesses_view": False,
             "ai_transform": grand_parent.link_role == "editor",
             "ai_translate": grand_parent.link_role == "editor",
+            "ancestors_links_definitions": {
+                grand_parent.link_reach: [grand_parent.link_role],
+                "restricted": [parent.link_role],
+            },
             "attachment_upload": grand_parent.link_role == "editor",
             "children_create": grand_parent.link_role == "editor",
             "children_list": True,
@@ -440,13 +450,15 @@ def test_api_documents_retrieve_authenticated_related_parent():
     )
     assert response.status_code == 200
     links = document.get_ancestors().values("link_reach", "link_role")
+    ancestors_roles = list({grand_parent.link_role, parent.link_role})
     assert response.json() == {
         "id": str(document.id),
         "abilities": {
             "accesses_manage": access.role in ["administrator", "owner"],
             "accesses_view": True,
             "ai_transform": access.role != "reader",
             "ai_translate": access.role != "reader",
+            "ancestors_links_definitions": {"restricted": ancestors_roles},
             "attachment_upload": access.role != "reader",
             "children_create": access.role != "reader",
             "children_list": True,
diff --git a/src/backend/core/tests/documents/test_api_documents_trashbin.py b/src/backend/core/tests/documents/test_api_documents_trashbin.py
@@ -74,6 +74,7 @@ def test_api_documents_trashbin_format():
             "accesses_view": True,
             "ai_transform": True,
             "ai_translate": True,
+            "ancestors_links_definitions": {},
             "attachment_upload": True,
             "children_create": True,
             "children_list": True,
diff --git a/src/backend/core/tests/test_models_documents.py b/src/backend/core/tests/test_models_documents.py
@@ -154,6 +154,7 @@ def test_models_documents_get_abilities_forbidden(
         "accesses_view": False,
         "ai_transform": False,
         "ai_translate": False,
+        "ancestors_links_definitions": {},
         "attachment_upload": False,
         "children_create": False,
         "children_list": False,
@@ -214,6 +215,7 @@ def test_models_documents_get_abilities_reader(
         "accesses_view": False,
         "ai_transform": False,
         "ai_translate": False,
+        "ancestors_links_definitions": {},
         "attachment_upload": False,
         "children_create": False,
         "children_list": True,
@@ -250,7 +252,7 @@ def test_models_documents_get_abilities_reader(
     assert all(
         value is False
         for key, value in document.get_abilities(user).items()
-        if key != "link_select_options"
+        if key not in ["link_select_options", "ancestors_links_definitions"]
     )
 
 
@@ -276,6 +278,7 @@ def test_models_documents_get_abilities_editor(
         "accesses_view": False,
         "ai_transform": is_authenticated,
         "ai_translate": is_authenticated,
+        "ancestors_links_definitions": {},
         "attachment_upload": True,
         "children_create": is_authenticated,
         "children_list": True,
@@ -311,7 +314,7 @@ def test_models_documents_get_abilities_editor(
     assert all(
         value is False
         for key, value in document.get_abilities(user).items()
-        if key != "link_select_options"
+        if key not in ["link_select_options", "ancestors_links_definitions"]
     )
 
 
@@ -327,6 +330,7 @@ def test_models_documents_get_abilities_owner(django_assert_num_queries):
         "accesses_view": True,
         "ai_transform": True,
         "ai_translate": True,
+        "ancestors_links_definitions": {},
         "attachment_upload": True,
         "children_create": True,
         "children_list": True,
@@ -375,6 +379,7 @@ def test_models_documents_get_abilities_administrator(django_assert_num_queries)
         "accesses_view": True,
         "ai_transform": True,
         "ai_translate": True,
+        "ancestors_links_definitions": {},
         "attachment_upload": True,
         "children_create": True,
         "children_list": True,
@@ -410,7 +415,7 @@ def test_models_documents_get_abilities_administrator(django_assert_num_queries)
     assert all(
         value is False
         for key, value in document.get_abilities(user).items()
-        if key != "link_select_options"
+        if key not in ["link_select_options", "ancestors_links_definitions"]
     )
 
 
@@ -426,6 +431,7 @@ def test_models_documents_get_abilities_editor_user(django_assert_num_queries):
         "accesses_view": True,
         "ai_transform": True,
         "ai_translate": True,
+        "ancestors_links_definitions": {},
         "attachment_upload": True,
         "children_create": True,
         "children_list": True,
@@ -461,7 +467,7 @@ def test_models_documents_get_abilities_editor_user(django_assert_num_queries):
     assert all(
         value is False
         for key, value in document.get_abilities(user).items()
-        if key != "link_select_options"
+        if key not in ["link_select_options", "ancestors_links_definitions"]
     )
 
 
@@ -484,6 +490,7 @@ def test_models_documents_get_abilities_reader_user(
         # You should not access AI if it's restricted to users with specific access
         "ai_transform": access_from_link and ai_access_setting != "restricted",
         "ai_translate": access_from_link and ai_access_setting != "restricted",
+        "ancestors_links_definitions": {},
         "attachment_upload": access_from_link,
         "children_create": access_from_link,
         "children_list": True,
@@ -521,7 +528,7 @@ def test_models_documents_get_abilities_reader_user(
         assert all(
             value is False
             for key, value in document.get_abilities(user).items()
-            if key != "link_select_options"
+            if key not in ["link_select_options", "ancestors_links_definitions"]
         )
 
 
@@ -540,6 +547,7 @@ def test_models_documents_get_abilities_preset_role(django_assert_num_queries):
         "accesses_view": True,
         "ai_transform": False,
         "ai_translate": False,
+        "ancestors_links_definitions": {},
         "attachment_upload": False,
         "children_create": False,
         "children_list": True,
