🔒️(back) restrict accesss to document accesses

Every user having an access to a document, no matter its role have
access to the entire accesses list with all the user details. Only
owner or admin should be able to have the entire list, for the other
roles, they have access to the list containing only owner and
administrator with less information on the username. The email and its
id is removed

Author: lunika

Diff for: CHANGELOG.md

@@ -19,6 +19,7 @@ and this project adheres to
 ## Fixed
 
 - 🐛(backend) compute ancestor_links in get_abilities if needed #725
+- 🔒️(back) restrict access to document accesses #801
 
 ## [2.6.0] - 2025-03-21
 

Diff for: src/backend/core/api/serializers.py

@@ -27,6 +27,26 @@ class Meta:
         read_only_fields = ["id", "email", "full_name", "short_name"]
 
 
+class UserLightSerializer(UserSerializer):
+    """Serialize users with limited fields."""
+
+    id = serializers.SerializerMethodField(read_only=True)
+    email = serializers.SerializerMethodField(read_only=True)
+
+    def get_id(self, _user):
+        """Return always None. Here to have the same fields than in UserSerializer."""
+        return None
+
+    def get_email(self, _user):
+        """Return always None. Here to have the same fields than in UserSerializer."""
+        return None
+
+    class Meta:
+        model = models.User
+        fields = ["id", "email", "full_name", "short_name"]
+        read_only_fields = ["id", "email", "full_name", "short_name"]
+
+
 class BaseAccessSerializer(serializers.ModelSerializer):
     """Serialize template accesses."""
 
@@ -118,6 +138,17 @@ class Meta:
         read_only_fields = ["id", "abilities"]
 
 
+class DocumentAccessLightSerializer(DocumentAccessSerializer):
+    """Serialize document accesses with limited fields."""
+
+    user = UserLightSerializer(read_only=True)
+
+    class Meta:
+        model = models.DocumentAccess
+        fields = ["id", "user", "team", "role", "abilities"]
+        read_only_fields = ["id", "team", "role", "abilities"]
+
+
 class TemplateAccessSerializer(BaseAccessSerializer):
     """Serialize template accesses."""
 

Diff for: src/backend/core/api/viewsets.py

@@ -1420,12 +1420,7 @@ def cors_proxy(self, request, *args, **kwargs):
 
 class DocumentAccessViewSet(
     ResourceAccessViewsetMixin,
-    drf.mixins.CreateModelMixin,
-    drf.mixins.DestroyModelMixin,
-    drf.mixins.ListModelMixin,
-    drf.mixins.RetrieveModelMixin,
-    drf.mixins.UpdateModelMixin,
-    viewsets.GenericViewSet,
+    viewsets.ModelViewSet,
 ):
     """
     API ViewSet for all interactions with document accesses.
@@ -1457,6 +1452,32 @@ class DocumentAccessViewSet(
     queryset = models.DocumentAccess.objects.select_related("user").all()
     resource_field_name = "document"
     serializer_class = serializers.DocumentAccessSerializer
+    is_current_user_owner_or_admin = False
+
+    def get_queryset(self):
+        """Return the queryset according to the action."""
+        queryset = super().get_queryset()
+
+        if self.action == "list":
+            try:
+                document = models.Document.objects.get(pk=self.kwargs["resource_id"])
+            except models.Document.DoesNotExist:
+                return queryset.none()
+
+            roles = set(document.get_roles(self.request.user))
+            is_owner_or_admin = bool(roles.intersection(set(models.PRIVILEGED_ROLES)))
+            self.is_current_user_owner_or_admin = is_owner_or_admin
+            if not is_owner_or_admin:
+                # Return only the document owner access
+                queryset = queryset.filter(role__in=models.PRIVILEGED_ROLES)
+
+        return queryset
+
+    def get_serializer_class(self):
+        if self.action == "list" and not self.is_current_user_owner_or_admin:
+            return serializers.DocumentAccessLightSerializer
+
+        return super().get_serializer_class()
 
     def perform_create(self, serializer):
         """Add a new access to the document and send an email to the new added user."""

Diff for: src/backend/core/models.py

@@ -364,10 +364,9 @@ class BaseAccess(BaseModel):
     class Meta:
         abstract = True
 
-    def _get_abilities(self, resource, user):
+    def _get_roles(self, resource, user):
         """
-        Compute and return abilities for a given user taking into account
-        the current state of the object.
+        Get the roles a user has on a resource.
         """
         roles = []
         if user.is_authenticated:
@@ -382,6 +381,15 @@ def _get_abilities(self, resource, user):
                 except (self._meta.model.DoesNotExist, IndexError):
                     roles = []
 
+        return roles
+
+    def _get_abilities(self, resource, user):
+        """
+        Compute and return abilities for a given user taking into account
+        the current state of the object.
+        """
+        roles = self._get_roles(resource, user)
+
         is_owner_or_admin = bool(
             set(roles).intersection({RoleChoices.OWNER, RoleChoices.ADMIN})
         )
@@ -1103,7 +1111,41 @@ def get_abilities(self, user):
         """
         Compute and return abilities for a given user on the document access.
         """
-        return self._get_abilities(self.document, user)
+        roles = self._get_roles(self.document, user)
+        is_owner_or_admin = bool(set(roles).intersection(set(PRIVILEGED_ROLES)))
+        if self.role == RoleChoices.OWNER:
+            can_delete = (
+                RoleChoices.OWNER in roles
+                and self.document.accesses.filter(role=RoleChoices.OWNER).count() > 1
+            )
+            set_role_to = (
+                [RoleChoices.ADMIN, RoleChoices.EDITOR, RoleChoices.READER]
+                if can_delete
+                else []
+            )
+        else:
+            can_delete = is_owner_or_admin
+            set_role_to = []
+            if RoleChoices.OWNER in roles:
+                set_role_to.append(RoleChoices.OWNER)
+            if is_owner_or_admin:
+                set_role_to.extend(
+                    [RoleChoices.ADMIN, RoleChoices.EDITOR, RoleChoices.READER]
+                )
+
+        # Remove the current role as we don't want to propose it as an option
+        try:
+            set_role_to.remove(self.role)
+        except ValueError:
+            pass
+
+        return {
+            "destroy": can_delete,
+            "update": bool(set_role_to) and is_owner_or_admin,
+            "partial_update": bool(set_role_to) and is_owner_or_admin,
+            "retrieve": self.user and self.user.id == user.id or is_owner_or_admin,
+            "set_role_to": set_role_to,
+        }
 
 
 class Template(BaseModel):