✨(external_api) add Invitations to the external API

sylvinus · lunika · commit 2b920558b67b · 2025-10-13T16:49:02.000+02:00
diff --git a/src/backend/core/external_api/viewsets.py b/src/backend/core/external_api/viewsets.py
@@ -4,8 +4,18 @@
 
 from lasuite.oidc_resource_server.authentication import ResourceServerAuthentication
 
-from ..api.permissions import AccessPermission, IsSelf, ItemAccessPermission
-from ..api.viewsets import ItemAccessViewSet, ItemViewSet, UserViewSet
+from ..api.permissions import (
+    AccessPermission,
+    CanCreateInvitationPermission,
+    IsSelf,
+    ItemAccessPermission,
+)
+from ..api.viewsets import (
+    InvitationViewset,
+    ItemAccessViewSet,
+    ItemViewSet,
+    UserViewSet,
+)
 from .authentication import JWTAuthentication
 from .permissions import ResourceServerClientPermission
 
@@ -34,6 +44,16 @@ class ResourceServerItemAccessViewSet(ItemAccessViewSet):
     permission_classes = [ResourceServerClientPermission & AccessPermission]
 
 
+class ResourceServerInvitationViewSet(InvitationViewset):
+    """Resource Server Viewset for the Drive app."""
+
+    authentication_classes = EXTERNAL_API_AUTH_CLASSES
+
+    permission_classes = [
+        ResourceServerClientPermission & CanCreateInvitationPermission
+    ]
+
+
 class ResourceServerUserViewSet(UserViewSet):
     """Resource Server UserViewset for the Drive app."""
 
diff --git a/src/backend/core/tests/external_api/items/test_api.py b/src/backend/core/tests/external_api/items/test_api.py
@@ -129,7 +129,9 @@ def test_api_items_accesses_retrieve_anonymous_public_standalone():
     item = factories.ItemFactory(link_reach="public")
 
     response = APIClient().get(f"/external_api/v1.0/items/{item.id!s}/accesses/")
+    assert response.status_code == 403
 
+    response = APIClient().get(f"/external_api/v1.0/items/{item.id!s}/invitations/")
     assert response.status_code == 403
 
 
@@ -157,7 +159,9 @@ def test_api_items_accesses_retrieve_connected_resource_server(
     item = factories.ItemFactory(link_reach="public")
 
     response = client.get(f"/external_api/v1.0/items/{item.id!s}/accesses/")
+    assert response.status_code == 200
 
+    response = client.get(f"/external_api/v1.0/items/{item.id!s}/invitations/")
     assert response.status_code == 200
 
 
diff --git a/src/backend/core/urls.py b/src/backend/core/urls.py
@@ -54,6 +54,11 @@
     external_api_viewsets.ResourceServerItemAccessViewSet,
     basename="resource_server_item_accesses",
 )
+external_api_item_related_router.register(
+    "invitations",
+    external_api_viewsets.ResourceServerInvitationViewSet,
+    basename="resource_server_invitations",
+)
 
 urlpatterns = [
     path(
diff --git a/src/backend/drive/settings.py b/src/backend/drive/settings.py
@@ -402,7 +402,9 @@ class Base(Configuration):
     EMAIL_FROM = values.Value("from@example.com")
 
     AUTH_USER_MODEL = "core.User"
-    INVITATION_VALIDITY_DURATION = values.PositiveIntegerValue(604800)  # 7 days, in seconds
+    INVITATION_VALIDITY_DURATION = values.PositiveIntegerValue(
+        604800
+    )  # 7 days, in seconds
 
     # CORS
     CORS_ALLOW_CREDENTIALS = True
