🔥(api) remove possibility to force document id on creation

sampaccoud · sampaccoud · commit dec1a1a870a3 · 2024-09-11T22:31:30.000+02:00
This feature poses security issues in the way it is implemented.
We decide to remove it while clarifying the use case.
diff --git a/src/backend/core/api/viewsets.py b/src/backend/core/api/viewsets.py
@@ -321,19 +321,6 @@ class DocumentViewSet(
     queryset = models.Document.objects.all()
     ordering = ["-updated_at"]
 
-    def perform_create(self, serializer):
-        """
-        Override perform_create to use the provided ID in the payload if it exists
-        """
-        document_id = self.request.data.get("id")
-        document = serializer.save(id=document_id) if document_id else serializer.save()
-
-        self.access_model_class.objects.create(
-            user=self.request.user,
-            role=models.RoleChoices.OWNER,
-            **{self.resource_field_name: document},
-        )
-
     def list(self, request, *args, **kwargs):
         """Restrict resources returned by the list endpoint"""
         queryset = self.filter_queryset(self.get_queryset())
diff --git a/src/backend/core/tests/documents/test_api_documents_create.py b/src/backend/core/tests/documents/test_api_documents_create.py
@@ -2,8 +2,6 @@
 Tests for Documents API endpoint in impress's core app: create
 """
 
-import uuid
-
 import pytest
 from rest_framework.test import APIClient
 
@@ -48,26 +46,3 @@ def test_api_documents_create_authenticated():
     document = Document.objects.get()
     assert document.title == "my document"
     assert document.accesses.filter(role="owner", user=user).exists()
-
-
-def test_api_documents_create_with_id_from_payload():
-    """
-    We should be able to create a document with an ID from the payload.
-    """
-    user = factories.UserFactory()
-
-    client = APIClient()
-    client.force_login(user)
-
-    doc_id = uuid.uuid4()
-    response = client.post(
-        "/api/v1.0/documents/",
-        {"title": "my document", "id": str(doc_id)},
-        format="json",
-    )
-
-    assert response.status_code == 201
-    document = Document.objects.get()
-    assert document.title == "my document"
-    assert document.id == doc_id
-    assert document.accesses.filter(role="owner", user=user).exists()
