✨(backend) add resource server api #1923

Merged
Ash-Crow merged 1 commit into main from sbl-ressource-server
Mar 18, 2026
@Ash-Crow
Collaborator

@Ash-Crow Ash-Crow commented Feb 26, 2026

Purpose

Adds a resource server API similar to the one that already exists for Drive.

Proposal

  • Add a new resource_server API with four endpoints: documents, document_accesses, document_invitation, users, along with unit tests that check that:
    • anonymous users can't use these endpoints
    • logged-in users can't use the endpoints that are not active by default
    • for each action that is allowed by default, that it works
    • for each action that is not allowed by default, that it is forbidden, and works if explicitly allowed (see detailed list below)
  • Add documentation for the new API at docs/resource_server.md.
  • Fix some intermittent errors in other unit tests
  • Fix some missing entries in the DocumentViewSet docstring.

List of actions for each endpoint

  • For documents:

    • list (allowed by default)
    • retrieve (allowed by default)
    • create (allowed by default)
    • update
    • delete
    • trashbin
    • restore → added to the documentation, it was missing
    • move → added to the documentation, it was missing
    • duplicate → bypasses restriction checks, so always allowed for logged-in users
    • children (allowed by default)
    • versions_list
    • versions_detail
    • favorite_list → bypasses restriction checks, so always allowed for logged-in users
    • favorite
    • create-for-owner → not allowed.
    • link_configuration
    • attachment_upload
    • media_auth
    • ai_transform
    • ai_translate
    • ai_proxy
  • For document accesses:

    • list
    • retrieve
    • create
    • update
    • partial_update
    • destroy
  • For invitations:

    • list
    • retrieve
    • create
    • partial_update
    • destroy
  • For users:

    • get_me (allowed by default)
    • check that other actions are not allowed

@Ash-Crow Ash-Crow force-pushed the sbl-ressource-server branch 13 times, most recently from 7a26391 to a4dfd39 Compare March 4, 2026 11:26
@Ash-Crow Ash-Crow marked this pull request as ready for review March 4, 2026 11:45
@Ash-Crow Ash-Crow requested a review from lunika March 4, 2026 11:46
@virgile-dev virgile-dev mentioned this pull request Mar 9, 2026
@lunika lunika force-pushed the sbl-ressource-server branch from a4dfd39 to b528d68 Compare March 12, 2026 09:51
@lunika lunika enabled auto-merge (squash) March 12, 2026 09:52
@gustavotrott

gustavotrott commented Mar 12, 2026

Hey, I'm testing the API and ran into an error that I'm not sure is expected.
When I create a document using a service token (or user token either), I can't delete that document afterward.

The response returned is:
{"detail":"You do not have permission to perform this action."}

Script used for testing:

TOKEN=$(curl -s -X POST \
  "https://$KEYCLOAK_HOST/realms/$REALM/protocol/openid-connect/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "client_id=$CLIENT_ID" \
  -d "client_secret=$CLIENT_SECRET" \
  -d "grant_type=client_credentials" \
  -d "scope=openid email" \
  | jq -r '.access_token')

# Create document
json_return=$(curl -s -X POST "$HOST/external_api/v1.0/documents/" \
  -H "Authorization: Bearer $TOKEN" \
  -F "file=@/home/gustavo/README.md;type=text/markdown")

# Quote the variable so the JSON is passed to jq unchanged (no word splitting or globbing)
DOC_ID=$(echo "$json_return" | jq -r '.id')
CONTENT=$(echo "$json_return" | jq -r '.content')

# Remove document
curl -X DELETE "$HOST/external_api/v1.0/documents/$DOC_ID/" \
  -H "Authorization: Bearer $TOKEN"

Am I missing something?

@lunika
Member

lunika commented Mar 12, 2026

Hi,

In the settings there is a list of allowed actions for each viewset. And destroy is not an allowed one by default. You have to add it, it is explained in the documentation present in this PR.
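
The default-deny gating described in this thread, as an added stand-alone Python model (not code from this PR or from the project). The names `DEFAULT_ALLOWED`, `BYPASS`, `NEVER`, `check`, `with_extra` and `reachable` are hypothetical, the default sets are copied from the action list in the PR description, and `destroy` is the action name used in the reply above.

```python
# Added illustration, not the project's implementation. All names are hypothetical.

# Actions marked "(allowed by default)" in the PR description; endpoints with
# no such marker are modelled as having an empty allow-list.
DEFAULT_ALLOWED = {
    "documents": {"list", "retrieve", "create", "children"},
    "document_accesses": set(),
    "document_invitation": set(),
    "users": {"get_me"},
}
# Actions the description says bypass restriction checks for logged-in users.
BYPASS = {"documents": {"duplicate", "favorite_list"}}
# "create-for-owner -> not allowed": read here as never enableable (assumption).
NEVER = {"documents": {"create-for-owner"}}


def check(viewset, action, authenticated, allowed=DEFAULT_ALLOWED):
    """Return 'unauthenticated', 'forbidden' or 'allowed' for one request."""
    if not authenticated:
        return "unauthenticated"          # anonymous users are always refused
    if action in NEVER.get(viewset, ()):
        return "forbidden"
    if action in BYPASS.get(viewset, ()):
        return "allowed"                  # reachable whatever the allow-list says
    if action in allowed.get(viewset, ()):
        return "allowed"
    return "forbidden"                    # default deny: unlisted means refused


def with_extra(viewset, *actions, base=DEFAULT_ALLOWED):
    """Return a copy of the allow-list with extra actions enabled for one viewset."""
    new = {name: set(acts) for name, acts in base.items()}
    new.setdefault(viewset, set()).update(actions)
    return new


def reachable(viewset, allowed=DEFAULT_ALLOWED):
    """Actions a logged-in caller can reach: allow-list plus bypassing actions."""
    return sorted(allowed.get(viewset, set()) | BYPASS.get(viewset, set()))


if __name__ == "__main__":
    # The situation from the thread: create works, destroy is refused by default.
    print(check("documents", "create", True), check("documents", "destroy", True))
    print(check("documents", "destroy", True, with_extra("documents", "destroy")))
    print(reachable("documents"))
```

`reachable` is the function to look at when reviewing exposure: it includes the bypassing actions, which an empty or trimmed allow-list does not switch off.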

@gustavotrott

> Hi,
>
> In the settings there is a list of allowed actions for each viewset. And destroy is not an allowed one by default. You have to add it, it is explained in the documentation present in this PR.

I see it now, thank you!

@Ash-Crow Ash-Crow force-pushed the sbl-ressource-server branch 3 times, most recently from a46a3a0 to a66d65d Compare March 16, 2026 11:04
@Ash-Crow Ash-Crow disabled auto-merge March 16, 2026 13:45
@Ash-Crow Ash-Crow enabled auto-merge (rebase) March 16, 2026 13:46
auto-merge was automatically disabled March 16, 2026 13:50

Base branch requires signed commits

@Ash-Crow Ash-Crow force-pushed the sbl-ressource-server branch 5 times, most recently from ccdb3da to af02bec Compare March 18, 2026 14:28
Adds a resource server API similar to the one that already
exists for Drive.
@Ash-Crow Ash-Crow force-pushed the sbl-ressource-server branch from af02bec to 4e54a53 Compare March 18, 2026 15:06
@Ash-Crow Ash-Crow merged commit 4e54a53 into main Mar 18, 2026
27 of 28 checks passed
@Ash-Crow Ash-Crow deleted the sbl-ressource-server branch March 18, 2026 15:29