✨(backend) add max ancestors role field to document access endpoint

This field is set only on the list view when all accesses for a given
document and all its ancestors are listed. It gives the highest role
among all accesses related to each document.

Author: sampaccoud

src/backend/core/api/serializers.py

@@ -124,6 +124,7 @@ class DocumentAccessSerializer(BaseAccessSerializer):
         allow_null=True,
     )
     user = UserSerializer(read_only=True)
+    max_ancestors_role = serializers.SerializerMethodField(read_only=True)
 
     class Meta:
         model = models.DocumentAccess
@@ -136,8 +137,13 @@ class Meta:
             "team",
             "role",
             "abilities",
+            "max_ancestors_role",
         ]
-        read_only_fields = ["id", "document_id", "abilities"]
+        read_only_fields = ["id", "document_id", "abilities", "max_ancestors_role"]
+
+    def get_max_ancestors_role(self, instance):
+        """Return max_ancestors_role if annotated; else None."""
+        return getattr(instance, "max_ancestors_role", None)
 
 
 class DocumentAccessLightSerializer(DocumentAccessSerializer):
@@ -155,13 +161,15 @@ class Meta:
             "team",
             "role",
             "abilities",
+            "max_ancestors_role",
         ]
         read_only_fields = [
             "id",
             "document_id",
             "team",
             "role",
             "abilities",
+            "max_ancestors_role",
         ]
 
 

src/backend/core/api/viewsets.py

@@ -1399,6 +1399,11 @@ def list(self, request, *args, **kwargs):
         path_to_ancestors_roles = defaultdict(list)
         path_to_role = defaultdict(lambda: None)
         for access in accesses:
+            key = access.target_key
+            key_to_max_ancestors_role[key] = choices.RoleChoices.max(
+                key_to_max_ancestors_role.get(key), access.role
+            )
+
             if access.user_id == user.id or access.team in user.teams:
                 parent_path = access.document_path[: -models.Document.steplen]
                 if parent_path:
@@ -1420,6 +1425,7 @@ def list(self, request, *args, **kwargs):
         serializer_class = self.get_serializer_class()
         serialized_data = []
         for access in accesses:
+            access.max_ancestors_role = key_to_max_ancestors_role[access.target_key]
             access.user_roles_tuple = (
                 choices.RoleChoices.max(*path_to_ancestors_roles[access.document_path]),
                 path_to_role.get(access.document_path),

src/backend/core/tests/documents/test_api_document_accesses.py

@@ -148,6 +148,7 @@ def test_api_document_accesses_list_authenticated_related_non_privileged(
                 else None,
                 "team": access.team,
                 "role": access.role,
+                "max_ancestors_role": access.role,
                 "abilities": {
                     "destroy": False,
                     "partial_update": False,
@@ -248,6 +249,7 @@ def test_api_document_accesses_list_authenticated_related_privileged(
                 }
                 if access.user
                 else None,
+                "max_ancestors_role": access.role,
                 "team": access.team,
                 "role": access.role,
                 "abilities": access.get_abilities(user),
@@ -514,6 +516,7 @@ def test_api_document_accesses_retrieve_authenticated_related(
             "user": access_user,
             "team": "",
             "role": access.role,
+            "max_ancestors_role": None,
             "abilities": access.get_abilities(user),
         }
 
@@ -668,7 +671,10 @@ def test_api_document_accesses_update_administrator_except_owner(
         access.refresh_from_db()
         updated_values = serializers.DocumentAccessSerializer(instance=access).data
         if field == "role":
-            assert updated_values == {**old_values, "role": new_values["role"]}
+            assert updated_values == {
+                **old_values,
+                "role": new_values["role"],
+            }
         else:
             assert updated_values == old_values
 
@@ -836,7 +842,10 @@ def test_api_document_accesses_update_owner(
         updated_values = serializers.DocumentAccessSerializer(instance=access).data
 
         if field == "role":
-            assert updated_values == {**old_values, "role": new_values["role"]}
+            assert updated_values == {
+                **old_values,
+                "role": new_values["role"],
+            }
         else:
             assert updated_values == old_values
 

src/backend/core/tests/documents/test_api_document_accesses_create.py

@@ -169,6 +169,7 @@ def test_api_document_accesses_create_authenticated_administrator(via, mock_user
         "id": str(new_document_access.id),
         "team": "",
         "role": role,
+        "max_ancestors_role": None,
         "user": other_user,
     }
     assert len(mail.outbox) == 1
@@ -228,6 +229,7 @@ def test_api_document_accesses_create_authenticated_owner(via, mock_user_teams):
         "user": other_user,
         "team": "",
         "role": role,
+        "max_ancestors_role": None,
         "abilities": new_document_access.get_abilities(user),
     }
     assert len(mail.outbox) == 1
@@ -293,6 +295,7 @@ def test_api_document_accesses_create_email_in_receivers_language(via, mock_user
             "user": other_user_data,
             "team": "",
             "role": role,
+            "max_ancestors_role": None,
             "abilities": new_document_access.get_abilities(user),
         }
         assert len(mail.outbox) == index + 1