✨(backend) notify collaboration server

When an access is updated or removed, the
collaboration server is notified to reset the
access connection; by being disconnected, the
accesses will automatically reconnect by passing
by the ngnix subrequest, and so get the good
rights.
We do the same system when the document link is
updated, except here we reset every access
connection.

Author: AntoLC

docker/files/etc/nginx/conf.d/default.conf

@@ -46,6 +46,12 @@ server {
         proxy_set_header X-Original-Method $request_method;
     }
 
+    location  /collaboration/api/ {
+        # Collaboration server
+        proxy_pass http://y-provider:4444;
+        proxy_set_header Host $host;
+    }
+
     # Proxy auth for media
     location /media/ {
         # Auth request configuration

env.d/development/common.dist

@@ -53,9 +53,10 @@ AI_API_KEY=password
 AI_MODEL=llama
 
 # Collaboration
+COLLABORATION_API_URL=http://nginx:8083/collaboration/api/
 COLLABORATION_SERVER_ORIGIN=http://localhost:3000
 COLLABORATION_SERVER_SECRET=my-secret
-COLLABORATION_WS_URL=ws://localhost:8083/collaboration/ws
+COLLABORATION_WS_URL=ws://localhost:8083/collaboration/ws/
 
 # Frontend
 FRONTEND_THEME=dsfr

src/backend/core/api/viewsets.py

@@ -30,6 +30,7 @@
 
 from core import enums, models
 from core.services.ai_services import AIService
+from core.services.collaboration_services import CollaborationService
 
 from . import permissions, serializers, utils
 from .filters import DocumentFilter
@@ -520,6 +521,10 @@ def link_configuration(self, request, *args, **kwargs):
         serializer.is_valid(raise_exception=True)
 
         serializer.save()
+
+        # Notify collaboration server about the link updated
+        CollaborationService().reset_connections(str(document.id))
+
         return drf.response.Response(serializer.data, status=drf.status.HTTP_200_OK)
 
     @drf.decorators.action(detail=True, methods=["post", "delete"], url_path="favorite")
@@ -815,6 +820,28 @@ def perform_create(self, serializer):
             self.request.user,
         )
 
+    def perform_update(self, serializer):
+        """Update an access to the document and notify the collaboration server."""
+        access = serializer.save()
+
+        access_user_id = None
+        if access.user:
+            access_user_id = str(access.user.id)
+
+        # Notify collaboration server about the access change
+        CollaborationService().reset_connections(
+            str(access.document.id), access_user_id
+        )
+
+    def perform_destroy(self, instance):
+        """Delete an access to the document and notify the collaboration server."""
+        instance.delete()
+
+        # Notify collaboration server about the access removed
+        CollaborationService().reset_connections(
+            str(instance.document.id), str(instance.user.id)
+        )
+
 
 class TemplateViewSet(
     drf.mixins.CreateModelMixin,

src/backend/core/services/collaboration_services.py

@@ -0,0 +1,42 @@
+"""Collaboration services."""
+
+from django.conf import settings
+from django.core.exceptions import ImproperlyConfigured
+
+import requests
+
+
+class CollaborationService:
+    """Service class for Collaboration related operations."""
+
+    def __init__(self):
+        """Ensure that the collaboration configuration is set properly."""
+        if settings.COLLABORATION_API_URL is None:
+            raise ImproperlyConfigured("Collaboration configuration not set")
+
+    def reset_connections(self, room, user_id=None):
+        """
+        Reset connections of a room in the collaboration server.
+        Reseting a connection means that the user will be disconnected and will
+        have to reconnect to the collaboration server, with updated rights.
+        """
+        endpoint = "reset-connections"
+
+        # room is necessary as a parameter, it is easier to stick to the
+        # same pod thanks to a parameter
+        endpoint_url = f"{settings.COLLABORATION_API_URL}{endpoint}/?room={room}"
+
+        headers = {"Authorization": settings.COLLABORATION_SERVER_SECRET}
+        if user_id:
+            headers["X-User-Id"] = user_id
+
+        try:
+            response = requests.post(endpoint_url, headers=headers, timeout=10)
+        except requests.RequestException as e:
+            raise requests.HTTPError("Failed to notify WebSocket server.") from e
+
+        if response.status_code != 200:
+            raise requests.HTTPError(
+                f"Failed to notify WebSocket server. Status code: {response.status_code}, "
+                f"Response: {response.text}"
+            )

src/backend/core/tests/documents/test_api_document_accesses.py

@@ -11,6 +11,9 @@
 from core import factories, models
 from core.api import serializers
 from core.tests.conftest import TEAM, USER, VIA
+from core.tests.test_services_collaboration_services import (  # pylint: disable=unused-import
+    mock_reset_connections,
+)
 
 pytestmark = pytest.mark.django_db
 
@@ -316,7 +319,11 @@ def test_api_document_accesses_update_authenticated_reader_or_editor(
 
 
 @pytest.mark.parametrize("via", VIA)
-def test_api_document_accesses_update_administrator_except_owner(via, mock_user_teams):
+def test_api_document_accesses_update_administrator_except_owner(
+    via,
+    mock_user_teams,
+    mock_reset_connections,  # pylint: disable=redefined-outer-name
+):
     """
     A user who is a direct administrator in a document should be allowed to update a user
     access for this document, as long as they don't try to set the role to owner.
@@ -351,18 +358,21 @@ def test_api_document_accesses_update_administrator_except_owner(via, mock_user_
 
     for field, value in new_values.items():
         new_data = {**old_values, field: value}
-        response = client.put(
-            f"/api/v1.0/documents/{document.id!s}/accesses/{access.id!s}/",
-            data=new_data,
-            format="json",
-        )
-
-        if (
-            new_data["role"] == old_values["role"]
-        ):  # we are not really updating the role
+        if new_data["role"] == old_values["role"]:
+            response = client.put(
+                f"/api/v1.0/documents/{document.id!s}/accesses/{access.id!s}/",
+                data=new_data,
+                format="json",
+            )
             assert response.status_code == 403
         else:
-            assert response.status_code == 200
+            with mock_reset_connections(document.id, str(access.user_id)):
+                response = client.put(
+                    f"/api/v1.0/documents/{document.id!s}/accesses/{access.id!s}/",
+                    data=new_data,
+                    format="json",
+                )
+                assert response.status_code == 200
 
         access.refresh_from_db()
         updated_values = serializers.DocumentAccessSerializer(instance=access).data
@@ -420,7 +430,11 @@ def test_api_document_accesses_update_administrator_from_owner(via, mock_user_te
 
 
 @pytest.mark.parametrize("via", VIA)
-def test_api_document_accesses_update_administrator_to_owner(via, mock_user_teams):
+def test_api_document_accesses_update_administrator_to_owner(
+    via,
+    mock_user_teams,
+    mock_reset_connections,  # pylint: disable=redefined-outer-name
+):
     """
     A user who is an administrator in a document, should not be allowed to update
     the user access of another user to grant document ownership.
@@ -457,24 +471,35 @@ def test_api_document_accesses_update_administrator_to_owner(via, mock_user_team
 
     for field, value in new_values.items():
         new_data = {**old_values, field: value}
-        response = client.put(
-            f"/api/v1.0/documents/{document.id!s}/accesses/{access.id!s}/",
-            data=new_data,
-            format="json",
-        )
         # We are not allowed or not really updating the role
         if field == "role" or new_data["role"] == old_values["role"]:
+            response = client.put(
+                f"/api/v1.0/documents/{document.id!s}/accesses/{access.id!s}/",
+                data=new_data,
+                format="json",
+            )
+
             assert response.status_code == 403
         else:
-            assert response.status_code == 200
+            with mock_reset_connections(document.id, str(access.user_id)):
+                response = client.put(
+                    f"/api/v1.0/documents/{document.id!s}/accesses/{access.id!s}/",
+                    data=new_data,
+                    format="json",
+                )
+                assert response.status_code == 200
 
         access.refresh_from_db()
         updated_values = serializers.DocumentAccessSerializer(instance=access).data
         assert updated_values == old_values
 
 
 @pytest.mark.parametrize("via", VIA)
-def test_api_document_accesses_update_owner(via, mock_user_teams):
+def test_api_document_accesses_update_owner(
+    via,
+    mock_user_teams,
+    mock_reset_connections,  # pylint: disable=redefined-outer-name
+):
     """
     A user who is an owner in a document should be allowed to update
     a user access for this document whatever the role.
@@ -507,18 +532,24 @@ def test_api_document_accesses_update_owner(via, mock_user_teams):
 
     for field, value in new_values.items():
         new_data = {**old_values, field: value}
-        response = client.put(
-            f"/api/v1.0/documents/{document.id!s}/accesses/{access.id!s}/",
-            data=new_data,
-            format="json",
-        )
-
         if (
             new_data["role"] == old_values["role"]
         ):  # we are not really updating the role
+            response = client.put(
+                f"/api/v1.0/documents/{document.id!s}/accesses/{access.id!s}/",
+                data=new_data,
+                format="json",
+            )
             assert response.status_code == 403
         else:
-            assert response.status_code == 200
+            with mock_reset_connections(document.id, str(access.user_id)):
+                response = client.put(
+                    f"/api/v1.0/documents/{document.id!s}/accesses/{access.id!s}/",
+                    data=new_data,
+                    format="json",
+                )
+
+                assert response.status_code == 200
 
         access.refresh_from_db()
         updated_values = serializers.DocumentAccessSerializer(instance=access).data
@@ -530,7 +561,11 @@ def test_api_document_accesses_update_owner(via, mock_user_teams):
 
 
 @pytest.mark.parametrize("via", VIA)
-def test_api_document_accesses_update_owner_self(via, mock_user_teams):
+def test_api_document_accesses_update_owner_self(
+    via,
+    mock_user_teams,
+    mock_reset_connections,  # pylint: disable=redefined-outer-name
+):
     """
     A user who is owner of a document should be allowed to update
     their own user access provided there are other owners in the document.
@@ -568,21 +603,23 @@ def test_api_document_accesses_update_owner_self(via, mock_user_teams):
     # Add another owner and it should now work
     factories.UserDocumentAccessFactory(document=document, role="owner")
 
-    response = client.put(
-        f"/api/v1.0/documents/{document.id!s}/accesses/{access.id!s}/",
-        data={
-            **old_values,
-            "role": new_role,
-            "user_id": old_values.get("user", {}).get("id")
-            if old_values.get("user") is not None
-            else None,
-        },
-        format="json",
-    )
+    user_id = str(access.user_id) if via == USER else None
+    with mock_reset_connections(document.id, user_id):
+        response = client.put(
+            f"/api/v1.0/documents/{document.id!s}/accesses/{access.id!s}/",
+            data={
+                **old_values,
+                "role": new_role,
+                "user_id": old_values.get("user", {}).get("id")
+                if old_values.get("user") is not None
+                else None,
+            },
+            format="json",
+        )
 
-    assert response.status_code == 200
-    access.refresh_from_db()
-    assert access.role == new_role
+        assert response.status_code == 200
+        access.refresh_from_db()
+        assert access.role == new_role
 
 
 # Delete
@@ -656,7 +693,9 @@ def test_api_document_accesses_delete_reader_or_editor(via, role, mock_user_team
 
 @pytest.mark.parametrize("via", VIA)
 def test_api_document_accesses_delete_administrators_except_owners(
-    via, mock_user_teams
+    via,
+    mock_user_teams,
+    mock_reset_connections,  # pylint: disable=redefined-outer-name
 ):
     """
     Users who are administrators in a document should be allowed to delete an access
@@ -685,12 +724,13 @@ def test_api_document_accesses_delete_administrators_except_owners(
     assert models.DocumentAccess.objects.count() == 2
     assert models.DocumentAccess.objects.filter(user=access.user).exists()
 
-    response = client.delete(
-        f"/api/v1.0/documents/{document.id!s}/accesses/{access.id!s}/",
-    )
+    with mock_reset_connections(document.id, str(access.user_id)):
+        response = client.delete(
+            f"/api/v1.0/documents/{document.id!s}/accesses/{access.id!s}/",
+        )
 
-    assert response.status_code == 204
-    assert models.DocumentAccess.objects.count() == 1
+        assert response.status_code == 204
+        assert models.DocumentAccess.objects.count() == 1
 
 
 @pytest.mark.parametrize("via", VIA)
@@ -729,7 +769,11 @@ def test_api_document_accesses_delete_administrator_on_owners(via, mock_user_tea
 
 
 @pytest.mark.parametrize("via", VIA)
-def test_api_document_accesses_delete_owners(via, mock_user_teams):
+def test_api_document_accesses_delete_owners(
+    via,
+    mock_user_teams,
+    mock_reset_connections,  # pylint: disable=redefined-outer-name
+):
     """
     Users should be able to delete the document access of another user
     for a document of which they are owner.
@@ -753,12 +797,13 @@ def test_api_document_accesses_delete_owners(via, mock_user_teams):
     assert models.DocumentAccess.objects.count() == 2
     assert models.DocumentAccess.objects.filter(user=access.user).exists()
 
-    response = client.delete(
-        f"/api/v1.0/documents/{document.id!s}/accesses/{access.id!s}/",
-    )
+    with mock_reset_connections(document.id, str(access.user_id)):
+        response = client.delete(
+            f"/api/v1.0/documents/{document.id!s}/accesses/{access.id!s}/",
+        )
 
-    assert response.status_code == 204
-    assert models.DocumentAccess.objects.count() == 1
+        assert response.status_code == 204
+        assert models.DocumentAccess.objects.count() == 1
 
 
 @pytest.mark.parametrize("via", VIA)