🐛(backend) fix invitations API endpoint access rights

Only users who have the rights to manage accesses on the document should
be allowed to see and manipulate invitations. Other users can see access
rights on the document but only when the corresponding user/team has
actually been granted access.

We added a parameter in document abilities so the frontend knows when
the logged-in user can invite another user with the owner role or not.

Author: sampaccoud

CHANGELOG.md

@@ -16,6 +16,7 @@ and this project adheres to
 
 ## Fixed
 
+- 🐛(backend) require right to manage document accesses to see invitations #369
 - 🐛(frontend) add default toolbar buttons #355
 
 
@@ -29,7 +30,7 @@ and this project adheres to
 
 ## Changed
 
-- ♻️(frontend) More multi theme friendly #325
+- ♻️(frontend) more multi theme friendly #325
 - ♻️ Bootstrap frontend #257
 - ♻️ Add username in email #314
 

src/backend/core/api/permissions.py

@@ -1,9 +1,12 @@
 """Permission handlers for the impress core app."""
 
 from django.core import exceptions
+from django.db.models import Q
 
 from rest_framework import permissions
 
+from core.models import DocumentAccess, RoleChoices
+
 ACTION_FOR_METHOD_TO_PERMISSION = {
     "versions_detail": {"DELETE": "versions_destroy", "GET": "versions_retrieve"}
 }
@@ -59,6 +62,38 @@ def has_object_permission(self, request, view, obj):
             return False
 
 
+class CanCreateInvitationPermission(permissions.BasePermission):
+    """
+    Custom permission class to handle permission checks for managing invitations.
+    """
+
+    def has_permission(self, request, view):
+        user = request.user
+
+        # Ensure the user is authenticated
+        if not (bool(request.auth) or request.user.is_authenticated):
+            return False
+
+        # Apply permission checks only for creation (POST requests)
+        if view.action != "create":
+            return True
+
+        # Check if resource_id is passed in the context
+        try:
+            document_id = view.kwargs["resource_id"]
+        except KeyError as exc:
+            raise exceptions.ValidationError(
+                "You must set a document ID in kwargs to manage document invitations."
+            ) from exc
+
+        # Check if the user has access to manage invitations (Owner/Admin roles)
+        return DocumentAccess.objects.filter(
+            Q(user=user) | Q(team__in=user.teams),
+            document=document_id,
+            role__in=[RoleChoices.OWNER, RoleChoices.ADMIN],
+        ).exists()
+
+
 class AccessPermission(permissions.BasePermission):
     """Permission class for access objects."""
 

src/backend/core/api/serializers.py

@@ -328,48 +328,36 @@ def get_abilities(self, invitation) -> dict:
         return {}
 
     def validate(self, attrs):
-        """Validate and restrict invitation to new user based on email."""
-
+        """Validate invitation data."""
         request = self.context.get("request")
         user = getattr(request, "user", None)
-        role = attrs.get("role")
 
-        try:
-            document_id = self.context["resource_id"]
-        except KeyError as exc:
-            raise exceptions.ValidationError(
-                "You must set a document ID in kwargs to create a new document invitation."
-            ) from exc
+        attrs["document_id"] = self.context["resource_id"]
 
-        if not user and user.is_authenticated:
-            raise exceptions.PermissionDenied(
-                "Anonymous users are not allowed to create invitations."
-            )
+        # Only set the issuer if the instance is being created
+        if self.instance is None:
+            attrs["issuer"] = user
 
-        if not models.DocumentAccess.objects.filter(
-            Q(user=user) | Q(team__in=user.teams),
-            document=document_id,
-            role__in=[models.RoleChoices.OWNER, models.RoleChoices.ADMIN],
-        ).exists():
-            raise exceptions.PermissionDenied(
-                "You are not allowed to manage invitations for this document."
-            )
+        return attrs
 
-        if (
-            role == models.RoleChoices.OWNER
-            and not models.DocumentAccess.objects.filter(
+    def validate_role(self, role):
+        """Custom validation for the role field."""
+        request = self.context.get("request")
+        user = getattr(request, "user", None)
+        document_id = self.context["resource_id"]
+
+        # If the role is OWNER, check if the user has OWNER access
+        if role == models.RoleChoices.OWNER:
+            if not models.DocumentAccess.objects.filter(
                 Q(user=user) | Q(team__in=user.teams),
                 document=document_id,
                 role=models.RoleChoices.OWNER,
-            ).exists()
-        ):
-            raise exceptions.PermissionDenied(
-                "Only owners of a document can invite other users as owners."
-            )
+            ).exists():
+                raise serializers.ValidationError(
+                    "Only owners of a document can invite other users as owners."
+                )
 
-        attrs["document_id"] = document_id
-        attrs["issuer"] = user
-        return attrs
+        return role
 
 
 class VersionFilterSerializer(serializers.Serializer):

src/backend/core/api/viewsets.py

@@ -807,7 +807,10 @@ class InvitationViewset(
 
     lookup_field = "id"
     pagination_class = Pagination
-    permission_classes = [permissions.IsAuthenticated, permissions.AccessPermission]
+    permission_classes = [
+        permissions.CanCreateInvitationPermission,
+        permissions.AccessPermission,
+    ]
     queryset = (
         models.Invitation.objects.all()
         .select_related("document")
@@ -842,10 +845,16 @@ def get_queryset(self):
             )
 
             queryset = (
-                # The logged-in user should be part of a document to see its accesses
+                # The logged-in user should be administrator or owner to see its accesses
                 queryset.filter(
-                    Q(document__accesses__user=user)
-                    | Q(document__accesses__team__in=teams),
+                    Q(
+                        document__accesses__user=user,
+                        document__accesses__role__in=models.PRIVILEGED_ROLES,
+                    )
+                    | Q(
+                        document__accesses__team__in=teams,
+                        document__accesses__role__in=models.PRIVILEGED_ROLES,
+                    ),
                 )
                 # Abilities are computed based on logged-in user's role and
                 # the user role on each document access

src/backend/core/models.py

@@ -72,6 +72,9 @@ class RoleChoices(models.TextChoices):
     OWNER = "owner", _("Owner")
 
 
+PRIVILEGED_ROLES = [RoleChoices.ADMIN, RoleChoices.OWNER]
+
+
 class LinkReachChoices(models.TextChoices):
     """Defines types of access for links"""
 
@@ -514,6 +517,7 @@ def get_abilities(self, user):
             "destroy": RoleChoices.OWNER in roles,
             "link_configuration": is_owner_or_admin,
             "manage_accesses": is_owner_or_admin,
+            "invite_owner": RoleChoices.OWNER in roles,
             "partial_update": is_owner_or_admin or is_editor,
             "retrieve": can_get,
             "update": is_owner_or_admin or is_editor,
@@ -880,8 +884,6 @@ def is_expired(self):
 
     def get_abilities(self, user):
         """Compute and return abilities for a given user."""
-        can_delete = False
-        can_update = False
         roles = []
 
         if user.is_authenticated:
@@ -896,17 +898,13 @@ def get_abilities(self, user):
                 except (self._meta.model.DoesNotExist, IndexError):
                     roles = []
 
-            can_delete = bool(
-                set(roles).intersection({RoleChoices.OWNER, RoleChoices.ADMIN})
-            )
-
-            can_update = bool(
-                set(roles).intersection({RoleChoices.OWNER, RoleChoices.ADMIN})
-            )
+        is_admin_or_owner = bool(
+            set(roles).intersection({RoleChoices.OWNER, RoleChoices.ADMIN})
+        )
 
         return {
-            "destroy": can_delete,
-            "update": can_update,
-            "partial_update": can_update,
-            "retrieve": bool(roles),
+            "destroy": is_admin_or_owner,
+            "update": is_admin_or_owner,
+            "partial_update": is_admin_or_owner,
+            "retrieve": is_admin_or_owner,
         }