Fix: handle errors for trash actions and only show documents user can restore or delete (#7119)

2025-08-12 00:19:48 +00:00 · 2024-06-27 13:33:39 -07:00
parent f01283c309
commit ac0ed0def8
6 changed files with 195 additions and 43 deletions
--- a/src/documents/tests/test_api_trash.py
+++ b/src/documents/tests/test_api_trash.py
@@ -1,3 +1,4 @@
+from django.contrib.auth.models import Permission
 from django.contrib.auth.models import User
 from django.core.cache import cache
 from rest_framework import status
@@ -10,7 +11,8 @@ class TestTrashAPI(APITestCase):
    def setUp(self):
        super().setUp()

-        self.user = User.objects.create_superuser(username="temp_admin")
+        self.user = User.objects.create_user(username="temp_admin")
+        self.user.user_permissions.add(*Permission.objects.all())
        self.client.force_authenticate(user=self.user)
        cache.clear()

@@ -97,6 +99,56 @@ class TestTrashAPI(APITestCase):
        self.assertEqual(resp.status_code, status.HTTP_200_OK)
        self.assertEqual(Document.global_objects.count(), 0)

+    def test_api_trash_show_owned_only(self):
+        """
+        GIVEN:
+            - Existing documents in trash
+        WHEN:
+            - API request to show documents in trash for regular user
+            - API request to show documents in trash for superuser
+        THEN:
+            - Only owned documents are returned
+        """
+
+        document_u1 = Document.objects.create(
+            title="Title",
+            content="content",
+            checksum="checksum",
+            mime_type="application/pdf",
+            owner=self.user,
+        )
+        document_u1.delete()
+        document_not_owned = Document.objects.create(
+            title="Title2",
+            content="content2",
+            checksum="checksum2",
+            mime_type="application/pdf",
+        )
+        document_not_owned.delete()
+        user2 = User.objects.create_user(username="user2")
+        document_u2 = Document.objects.create(
+            title="Title3",
+            content="content3",
+            checksum="checksum3",
+            mime_type="application/pdf",
+            owner=user2,
+        )
+        document_u2.delete()
+
+        # user only sees their own documents or unowned documents
+        resp = self.client.get("/api/trash/")
+        self.assertEqual(resp.status_code, status.HTTP_200_OK)
+        self.assertEqual(resp.data["count"], 2)
+        self.assertEqual(resp.data["results"][0]["id"], document_not_owned.pk)
+        self.assertEqual(resp.data["results"][1]["id"], document_u1.pk)
+
+        # superuser sees all documents
+        superuser = User.objects.create_superuser(username="superuser")
+        self.client.force_authenticate(user=superuser)
+        resp = self.client.get("/api/trash/")
+        self.assertEqual(resp.status_code, status.HTTP_200_OK)
+        self.assertEqual(resp.data["count"], 3)
+
    def test_api_trash_insufficient_permissions(self):
        """
        GIVEN:
@@ -107,9 +159,6 @@ class TestTrashAPI(APITestCase):
            - 403 Forbidden
        """

-        user1 = User.objects.create_user(username="user1")
-        self.client.force_authenticate(user=user1)
-        self.client.force_login(user=user1)
        user2 = User.objects.create_user(username="user2")
        document = Document.objects.create(
            title="Title",