✨(backend) extract attachment keys from updated content for access

sampaccoud · sampaccoud · commit a138321a01dc · 2025-01-21T23:56:50.000+01:00
We can't prevent document editors from copy/pasting content to from one
document to another. The problem is that copying content, will copy the
urls pointing to attachments but if we don't do anything, the reader of
the document to which the content is being pasted, may not be allowed to
access the attachment files from the original document.

Using the work from the previous commit, we can grant access to the readers
of the target document by extracting the attachment keys from the content and
adding themto the target document's "attachments" field. Before doing this,
we check that the current user can indeed access the attachment files extracted
from the content and that they are allowed to edit the current document.
diff --git a/src/backend/core/api/serializers.py b/src/backend/core/api/serializers.py
@@ -10,7 +10,7 @@
 import magic
 from rest_framework import exceptions, serializers
 
-from core import enums, models
+from core import enums, models, utils
 from core.services.ai_services import AI_ACTIONS
 from core.services.converter_services import (
     ConversionError,
@@ -231,6 +231,36 @@ def validate_id(self, value):
 
         return value
 
+    def save(self, **kwargs):
+        """
+        Process the content field to extract attachment keys and update the document's
+        "attachments" field for access control.
+        """
+        content = self.validated_data.get("content", "")
+        extracted_attachments = set(utils.extract_attachments(content))
+
+        existing_attachments = (
+            set(self.instance.attachments or []) if self.instance else set()
+        )
+        new_attachments = extracted_attachments - existing_attachments
+
+        if new_attachments:
+            user = self.context["request"].user
+            readable_documents = models.Document.objects.readable(user).filter(
+                Q(attachments__overlap=list(new_attachments))
+            )
+
+            readable_attachments = set()
+            for document in readable_documents:
+                readable_attachments.update(set(document.attachments) & new_attachments)
+
+            # Update attachments with readable keys
+            self.validated_data["attachments"] = list(
+                existing_attachments | readable_attachments
+            )
+
+        return super().save(**kwargs)
+
 
 class ServerCreateDocumentSerializer(serializers.Serializer):
     """
diff --git a/src/backend/core/tests/documents/test_api_documents_media_auth.py b/src/backend/core/tests/documents/test_api_documents_media_auth.py
@@ -1,5 +1,5 @@
 """
-Test file uploads API endpoint for users in impress's core app.
+Test media-auth authorization API endpoint in docs core app.
 """
 
 from io import BytesIO
diff --git a/src/backend/core/tests/documents/test_api_documents_update_extract_attachments.py b/src/backend/core/tests/documents/test_api_documents_update_extract_attachments.py
@@ -0,0 +1,153 @@
+"""
+Test extract-attachments on document update in docs core app.
+"""
+
+import base64
+from uuid import uuid4
+
+import pytest
+import y_py
+from rest_framework.test import APIClient
+
+from core import factories
+
+pytestmark = pytest.mark.django_db
+
+
+def get_ydoc_with_mages(image_keys):
+    """Return a ydoc from text for testing purposes."""
+    ydoc = y_py.YDoc()  # pylint: disable=no-member
+    with ydoc.begin_transaction() as txn:
+        xml_fragment = ydoc.get_xml_element("document-store")
+        for key in image_keys:
+            xml_image = xml_fragment.push_xml_element(txn, "image")
+            xml_image.set_attribute(txn, "src", f"http://localhost/media/{key:s}")
+
+    update = y_py.encode_state_as_update(ydoc)  # pylint: disable=no-member
+    return base64.b64encode(update).decode("utf-8")
+
+
+def test_api_documents_update_new_attachment_keys_anonymous(django_assert_num_queries):
+    """
+    When an anonymous user updates a document, the attachment keys extracted from the
+    updated content should be added to the list of "attachments" ot the document if these
+    attachments are already readable by anonymous users.
+    """
+    image_keys = [f"{uuid4()!s}/attachments/{uuid4()!s}.png" for _ in range(4)]
+    document = factories.DocumentFactory(
+        content=get_ydoc_with_mages(image_keys[:1]),
+        attachments=[image_keys[0]],
+        link_reach="public",
+        link_role="editor",
+    )
+
+    factories.DocumentFactory(attachments=[image_keys[1]], link_reach="public")
+    factories.DocumentFactory(attachments=[image_keys[2]], link_reach="authenticated")
+    factories.DocumentFactory(attachments=[image_keys[3]], link_reach="restricted")
+    expected_keys = {image_keys[i] for i in [0, 1]}
+
+    with django_assert_num_queries(4):
+        response = APIClient().put(
+            f"/api/v1.0/documents/{document.id!s}/",
+            {"content": get_ydoc_with_mages(image_keys)},
+            format="json",
+        )
+    assert response.status_code == 200
+
+    document.refresh_from_db()
+    assert set(document.attachments) == expected_keys
+
+    # Check that the db query to check attachments readability for extracted
+    # keys is not done if the content changes but no new keys are found
+    with django_assert_num_queries(3):
+        response = APIClient().put(
+            f"/api/v1.0/documents/{document.id!s}/",
+            {"content": get_ydoc_with_mages(image_keys[:2])},
+            format="json",
+        )
+    assert response.status_code == 200
+
+    document.refresh_from_db()
+    assert len(document.attachments) == 2
+    assert set(document.attachments) == expected_keys
+
+
+def test_api_documents_update_new_attachment_keys_authenticated(
+    django_assert_num_queries,
+):
+    """
+    When an authenticated user updates a document, the attachment keys extracted from the
+    updated content should be added to the list of "attachments" ot the document if these
+    attachments are already readable by the editing user.
+    """
+    user = factories.UserFactory()
+    client = APIClient()
+    client.force_login(user)
+
+    image_keys = [f"{uuid4()!s}/attachments/{uuid4()!s}.png" for _ in range(5)]
+    document = factories.DocumentFactory(
+        content=get_ydoc_with_mages(image_keys[:1]),
+        attachments=[image_keys[0]],
+        users=[(user, "editor")],
+    )
+
+    factories.DocumentFactory(attachments=[image_keys[1]], link_reach="public")
+    factories.DocumentFactory(attachments=[image_keys[2]], link_reach="authenticated")
+    factories.DocumentFactory(attachments=[image_keys[3]], link_reach="restricted")
+    factories.DocumentFactory(attachments=[image_keys[4]], users=[user])
+    expected_keys = {image_keys[i] for i in [0, 1, 2, 4]}
+
+    with django_assert_num_queries(5):
+        response = client.put(
+            f"/api/v1.0/documents/{document.id!s}/",
+            {"content": get_ydoc_with_mages(image_keys)},
+            format="json",
+        )
+    assert response.status_code == 200
+
+    document.refresh_from_db()
+    assert set(document.attachments) == expected_keys
+
+    # Check that the db query to check attachments readability for extracted
+    # keys is not done if the content changes but no new keys are found
+    with django_assert_num_queries(4):
+        response = client.put(
+            f"/api/v1.0/documents/{document.id!s}/",
+            {"content": get_ydoc_with_mages(image_keys[:2])},
+            format="json",
+        )
+    assert response.status_code == 200
+
+    document.refresh_from_db()
+    assert len(document.attachments) == 4
+    assert set(document.attachments) == expected_keys
+
+
+def test_api_documents_update_new_attachment_keys_duplicate():
+    """
+    Duplicate keys in the content should not result in duplicates in the document's attachments.
+    """
+    user = factories.UserFactory()
+    client = APIClient()
+    client.force_login(user)
+
+    image_key1 = f"{uuid4()!s}/attachments/{uuid4()!s}.png"
+    image_key2 = f"{uuid4()!s}/attachments/{uuid4()!s}.png"
+    document = factories.DocumentFactory(
+        content=get_ydoc_with_mages([image_key1]),
+        attachments=[image_key1],
+        users=[(user, "editor")],
+    )
+
+    factories.DocumentFactory(attachments=[image_key2], users=[user])
+
+    response = client.put(
+        f"/api/v1.0/documents/{document.id!s}/",
+        {"content": get_ydoc_with_mages([image_key1, image_key2, image_key2])},
+        format="json",
+    )
+    assert response.status_code == 200
+
+    document.refresh_from_db()
+    assert len(document.attachments) == 2
+    assert set(document.attachments) == {image_key1, image_key2}
diff --git a/src/backend/core/tests/test_utils_base64_yjs_to_text.py b/src/backend/core/tests/test_utils_base64_yjs_to_text.py
@@ -5,7 +5,7 @@
 
 import y_py
 
-from core import models, utils
+from core import utils
 from core.utils import base64_yjs_to_text
 
 
diff --git a/src/backend/core/utils.py b/src/backend/core/utils.py
@@ -28,7 +28,9 @@ def base64_yjs_to_text(base64_string):
     return soup.get_text(separator=" ").strip()
 
 
-def extract_attachments(document):
+def extract_attachments(content):
     """Helper method to extract media paths from a document's content."""
-    xml_content = base64_yjs_to_xml(document.content)
+    if not content:
+        return []
+    xml_content = base64_yjs_to_xml(content)
     return re.findall(enums.MEDIA_STORAGE_URL_EXTRACT, xml_content)
