♻️(backend) change abilities for deleted document

The abilities for a deleted document were too open. We want to restrict
them. Only the restore, retrieve and tree is allowed. The tree method
will need some modifications to get the right informations.

Author: lunika

src/backend/core/models.py

@@ -721,7 +721,7 @@ def get_abilities(self, user):
 
         # Characteristics that are based only on specific access
         is_owner = role == RoleChoices.OWNER
-        is_deleted = self.ancestors_deleted_at and not is_owner
+        is_deleted = self.ancestors_deleted_at
         is_owner_or_admin = (is_owner or role == RoleChoices.ADMIN) and not is_deleted
 
         # Compute access roles before adding link roles because we don't
@@ -750,6 +750,7 @@ def get_abilities(self, user):
             role = RoleChoices.max(role, link_definition["link_role"])
 
         can_get = bool(role) and not is_deleted
+        retrieve = can_get or is_owner
         can_update = (
             is_owner_or_admin or role == RoleChoices.EDITOR
         ) and not is_deleted
@@ -758,7 +759,7 @@ def get_abilities(self, user):
             is_owner
             if self.is_root()
             else (is_owner_or_admin or (user.is_authenticated and self.creator == user))
-        )
+        ) and not is_deleted
 
         ai_allow_reach_from = settings.AI_ALLOW_REACH_FROM
         ai_access = any(
@@ -790,15 +791,15 @@ def get_abilities(self, user):
             "duplicate": can_get and user.is_authenticated,
             "favorite": can_get and user.is_authenticated,
             "link_configuration": is_owner_or_admin,
-            "invite_owner": is_owner,
+            "invite_owner": is_owner and not is_deleted,
             "mask": can_get and user.is_authenticated,
-            "move": is_owner_or_admin and not self.ancestors_deleted_at,
+            "move": is_owner_or_admin and not is_deleted,
             "partial_update": can_update,
             "restore": is_owner,
-            "retrieve": can_get,
+            "retrieve": retrieve,
             "media_auth": can_get,
             "link_select_options": link_select_options,
-            "tree": can_get,
+            "tree": retrieve,
             "update": can_update,
             "versions_destroy": is_owner_or_admin,
             "versions_list": has_access_role,

src/backend/core/tests/documents/test_api_documents_trashbin.py

@@ -70,40 +70,40 @@ def test_api_documents_trashbin_format():
     assert results[0] == {
         "id": str(document.id),
         "abilities": {
-            "accesses_manage": True,
-            "accesses_view": True,
-            "ai_transform": True,
-            "ai_translate": True,
-            "attachment_upload": True,
-            "can_edit": True,
-            "children_create": True,
-            "children_list": True,
-            "collaboration_auth": True,
-            "descendants": True,
-            "cors_proxy": True,
-            "content": True,
-            "destroy": True,
-            "duplicate": True,
-            "favorite": True,
-            "invite_owner": True,
-            "link_configuration": True,
+            "accesses_manage": False,
+            "accesses_view": False,
+            "ai_transform": False,
+            "ai_translate": False,
+            "attachment_upload": False,
+            "can_edit": False,
+            "children_create": False,
+            "children_list": False,
+            "collaboration_auth": False,
+            "descendants": False,
+            "cors_proxy": False,
+            "content": False,
+            "destroy": False,
+            "duplicate": False,
+            "favorite": False,
+            "invite_owner": False,
+            "link_configuration": False,
             "link_select_options": {
                 "authenticated": ["reader", "editor"],
                 "public": ["reader", "editor"],
                 "restricted": None,
             },
-            "mask": True,
-            "media_auth": True,
-            "media_check": True,
+            "mask": False,
+            "media_auth": False,
+            "media_check": False,
             "move": False,  # Can't move a deleted document
-            "partial_update": True,
+            "partial_update": False,
             "restore": True,
             "retrieve": True,
             "tree": True,
-            "update": True,
-            "versions_destroy": True,
-            "versions_list": True,
-            "versions_retrieve": True,
+            "update": False,
+            "versions_destroy": False,
+            "versions_list": False,
+            "versions_retrieve": False,
         },
         "ancestors_link_reach": None,
         "ancestors_link_role": None,

src/backend/core/tests/test_models_documents.py

@@ -375,8 +375,42 @@ def test_models_documents_get_abilities_owner(django_assert_num_queries):
 
     document.soft_delete()
     document.refresh_from_db()
-    expected_abilities["move"] = False
-    assert document.get_abilities(user) == expected_abilities
+    assert document.get_abilities(user) == {
+        "accesses_manage": False,
+        "accesses_view": False,
+        "ai_transform": False,
+        "ai_translate": False,
+        "attachment_upload": False,
+        "can_edit": False,
+        "children_create": False,
+        "children_list": False,
+        "collaboration_auth": False,
+        "descendants": False,
+        "cors_proxy": False,
+        "content": False,
+        "destroy": False,
+        "duplicate": False,
+        "favorite": False,
+        "invite_owner": False,
+        "link_configuration": False,
+        "link_select_options": {
+            "authenticated": ["reader", "editor"],
+            "public": ["reader", "editor"],
+            "restricted": None,
+        },
+        "mask": False,
+        "media_auth": False,
+        "media_check": False,
+        "move": False,
+        "partial_update": False,
+        "restore": True,
+        "retrieve": True,
+        "tree": True,
+        "update": False,
+        "versions_destroy": False,
+        "versions_list": False,
+        "versions_retrieve": False,
+    }
 
 
 @override_settings(