♻️(backend) refactored permissions check from BaseAccess serializer to permission class

Johann LORBER · Johann LORBER · commit 8f654b425cc7 · 2025-05-12T18:33:32.000+02:00
extracted access role validation from BaseAccessSerializer into DRF permissions, invoking them in the according viewset
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -11,6 +11,7 @@ and this project adheres to
 ## Added
 
 ✨ Add a custom callout block to the editor #892
+♻️ Refactored permissions check from serializers to permission class #343
 
 ## [3.2.1] - 2025-05-06
 
diff --git a/src/backend/core/api/permissions.py b/src/backend/core/api/permissions.py
@@ -134,3 +134,59 @@ def has_object_permission(self, request, view, obj):
             raise Http404
 
         return has_permission
+
+
+class CanManageAccessPermission(permissions.BasePermission):
+    """
+    Permission class to check access rights specific to writing (create/update)
+    """
+
+    def has_permission(self, request, view):
+        user = request.user
+
+        if not (bool(request.auth) or user.is_authenticated):
+            return False
+
+        if view.action == "create":
+            try:
+                resource_id = view.kwargs["resource_id"]
+            except KeyError as exc:
+                raise exceptions.ValidationError(
+                    f"You must set a resource ID in kwargs to create a new access."
+                ) from exc
+
+            if not view.queryset.model.objects.filter(  # pylint: disable=no-member
+                Q(user=user) | Q(team__in=user.teams),
+                role__in=[RoleChoices.OWNER, RoleChoices.ADMIN],  # pylint: disable=no-member
+                **{view.resource_field_name: resource_id},
+            ).exists():
+                raise exceptions.PermissionDenied(
+                    "You are not allowed to manage accesses for this resource."
+                )
+
+            role = request.data.get("role")
+            if (
+                role == RoleChoices.OWNER
+                and not view.queryset.model.objects.filter(
+                    Q(user=user) | Q(team__in=user.teams),
+                    **{view.resource_field_name: resource_id},
+                    role=RoleChoices.OWNER,
+                ).exists()
+            ):
+                raise exceptions.PermissionDenied(
+                    "Only owners of a resource can assign other users as owners."
+                )
+        return True
+
+    def has_object_permission(self, request, view, obj):
+        if view.action in ["update", "partial_update"]:
+            role = request.data.get("role")
+            can_set_role_to = obj.get_abilities(request.user).get("set_role_to", [])
+            if role and role not in can_set_role_to:
+                message = (
+                    f"You are only allowed to set role to {', '.join(can_set_role_to)}"
+                    if can_set_role_to
+                    else f"You are not allowed to set this role for this {getattr(view, 'resource_field_name', 'resource')}."
+                )
+                raise exceptions.PermissionDenied(message)
+        return True
diff --git a/src/backend/core/api/serializers.py b/src/backend/core/api/serializers.py
@@ -68,56 +68,10 @@ def get_abilities(self, access) -> dict:
 
     def validate(self, attrs):
         """
-        Check access rights specific to writing (create/update)
+        Add the resource ID to the validated data on creation.
         """
-        request = self.context.get("request")
-        user = getattr(request, "user", None)
-        role = attrs.get("role")
-
-        # Update
-        if self.instance:
-            can_set_role_to = self.instance.get_abilities(user)["set_role_to"]
-
-            if role and role not in can_set_role_to:
-                message = (
-                    f"You are only allowed to set role to {', '.join(can_set_role_to)}"
-                    if can_set_role_to
-                    else "You are not allowed to set this role for this template."
-                )
-                raise exceptions.PermissionDenied(message)
-
-        # Create
-        else:
-            try:
-                resource_id = self.context["resource_id"]
-            except KeyError as exc:
-                raise exceptions.ValidationError(
-                    "You must set a resource ID in kwargs to create a new access."
-                ) from exc
-
-            if not self.Meta.model.objects.filter(  # pylint: disable=no-member
-                Q(user=user) | Q(team__in=user.teams),
-                role__in=[models.RoleChoices.OWNER, models.RoleChoices.ADMIN],
-                **{self.Meta.resource_field_name: resource_id},  # pylint: disable=no-member
-            ).exists():
-                raise exceptions.PermissionDenied(
-                    "You are not allowed to manage accesses for this resource."
-                )
-
-            if (
-                role == models.RoleChoices.OWNER
-                and not self.Meta.model.objects.filter(  # pylint: disable=no-member
-                    Q(user=user) | Q(team__in=user.teams),
-                    role=models.RoleChoices.OWNER,
-                    **{self.Meta.resource_field_name: resource_id},  # pylint: disable=no-member
-                ).exists()
-            ):
-                raise exceptions.PermissionDenied(
-                    "Only owners of a resource can assign other users as owners."
-                )
-
-        # pylint: disable=no-member
-        attrs[f"{self.Meta.resource_field_name}_id"] = self.context["resource_id"]
+        if not self.instance:
+            attrs[f"{self.Meta.resource_field_name}_id"] = self.context["resource_id"]
         return attrs
 
 
diff --git a/src/backend/core/api/viewsets.py b/src/backend/core/api/viewsets.py
@@ -1423,7 +1423,11 @@ class DocumentAccessViewSet(
 
     lookup_field = "pk"
     pagination_class = Pagination
-    permission_classes = [permissions.IsAuthenticated, permissions.AccessPermission]
+    permission_classes = [
+        permissions.IsAuthenticated,
+        permissions.CanManageAccessPermission,
+        permissions.AccessPermission,
+    ]
     queryset = models.DocumentAccess.objects.select_related("user").all()
     resource_field_name = "document"
     serializer_class = serializers.DocumentAccessSerializer
@@ -1595,7 +1599,11 @@ class TemplateAccessViewSet(
 
     lookup_field = "pk"
     pagination_class = Pagination
-    permission_classes = [permissions.IsAuthenticated, permissions.AccessPermission]
+    permission_classes = [
+        permissions.IsAuthenticated,
+        permissions.CanManageAccessPermission,
+        permissions.AccessPermission,
+    ]
     queryset = models.TemplateAccess.objects.select_related("user").all()
     resource_field_name = "template"
     serializer_class = serializers.TemplateAccessSerializer
