♻️(backend) set_role_to min role to max_ancestors_role for is_explicit

The set_role_to was computed to have only roles strictly higher than the
max_ancestors_role. We want this behavior only for inherited accesses.
When the role is explicit, we want to allow the lower role in
set_role_to equal to max_ancestors_role

Author: lunika

src/backend/core/api/permissions.py

@@ -120,7 +120,9 @@ def has_permission(self, request, view):
 
     def has_object_permission(self, request, view, obj):
         """Check permission for a given object."""
-        abilities = obj.get_abilities(request.user)
+        abilities = obj.get_abilities(
+            request.user, is_explicit=str(view.item.id) == str(obj.item_id)
+        )
 
         requested_role = request.data.get("role")
         if requested_role and requested_role not in abilities.get("set_role_to", []):

src/backend/core/api/serializers.py

@@ -89,7 +89,9 @@ def get_abilities(self, instance):
         """Return abilities of the logged-in user on the instance."""
         request = self.context.get("request")
         if request:
-            return instance.get_abilities(request.user)
+            return instance.get_abilities(
+                request.user, is_explicit=self.get_is_explicit(instance)
+            )
         return {}
 
     def get_max_ancestors_role(self, instance):

src/backend/core/models.py

@@ -1248,7 +1248,7 @@ def max_ancestors_role(self, max_ancestors_role):
         """Cache the max_ancestors_role."""
         self._max_ancestors_role = max_ancestors_role
 
-    def get_abilities(self, user):
+    def get_abilities(self, user, is_explicit=True):
         """
         Compute and return abilities for a given user on the item access.
         """
@@ -1278,11 +1278,19 @@ def get_abilities(self, user):
 
         # Filter out roles that would be lower than the one the user already has
         ancestors_role_priority = RoleChoices.get_priority(self.max_ancestors_role)
-        set_role_to = [
-            candidate_role
-            for candidate_role in set_role_to
-            if RoleChoices.get_priority(candidate_role) > ancestors_role_priority
-        ]
+        if is_explicit:
+            set_role_to = [
+                candidate_role
+                for candidate_role in set_role_to
+                if RoleChoices.get_priority(candidate_role) >= ancestors_role_priority
+            ]
+        else:
+            set_role_to = [
+                candidate_role
+                for candidate_role in set_role_to
+                if RoleChoices.get_priority(candidate_role) > ancestors_role_priority
+            ]
+
         if len(set_role_to) == 1:
             set_role_to = []
 

src/backend/core/tests/items/test_api_item_accesses.py

@@ -337,6 +337,7 @@ def test_api_item_accesses_retrieve_set_role_to_child():
         result["id"]: result["abilities"]["set_role_to"] for result in content
     }
     assert result_dict[str(item_access_other_user.id)] == [
+        "editor",
         "administrator",
         "owner",
     ]
@@ -357,23 +358,23 @@ def test_api_item_accesses_retrieve_set_role_to_child():
             [
                 ["reader", "editor", "administrator"],
                 [],
-                ["editor", "administrator"],
+                ["reader", "editor", "administrator"],
             ],
         ],
         [
             ["owner", "reader", "reader", "reader"],
             [
                 ["reader", "editor", "administrator", "owner"],
                 [],
-                ["editor", "administrator", "owner"],
+                ["reader", "editor", "administrator", "owner"],
             ],
         ],
         [
             ["owner", "reader", "reader", "owner"],
             [
                 ["reader", "editor", "administrator", "owner"],
                 [],
-                ["editor", "administrator", "owner"],
+                ["reader", "editor", "administrator", "owner"],
             ],
         ],
     ],
@@ -432,31 +433,31 @@ def test_api_item_accesses_list_authenticated_related_same_user(roles, results):
             [
                 ["reader", "editor", "administrator"],
                 [],
-                ["editor", "administrator"],
+                ["reader", "editor", "administrator"],
             ],
         ],
         [
             ["owner", "reader", "reader", "reader"],
             [
                 ["reader", "editor", "administrator", "owner"],
                 [],
-                ["editor", "administrator", "owner"],
+                ["reader", "editor", "administrator", "owner"],
             ],
         ],
         [
             ["owner", "reader", "reader", "owner"],
             [
                 ["reader", "editor", "administrator", "owner"],
                 [],
-                ["editor", "administrator", "owner"],
+                ["reader", "editor", "administrator", "owner"],
             ],
         ],
         [
             ["reader", "reader", "reader", "owner"],
             [
                 ["reader", "editor", "administrator", "owner"],
                 [],
-                ["editor", "administrator", "owner"],
+                ["reader", "editor", "administrator", "owner"],
             ],
         ],
         [
@@ -1595,7 +1596,7 @@ def test_api_item_accesses_explicit():
                 "update": True,
                 "partial_update": True,
                 "retrieve": True,
-                "set_role_to": ["administrator", "owner"],
+                "set_role_to": ["editor", "administrator", "owner"],
             },
             "max_ancestors_role": "editor",
             "max_role": "owner",
@@ -1743,10 +1744,10 @@ def test_api_item_accesses_explicit():
             "role": "owner",
             "abilities": {
                 "destroy": True,
-                "update": False,
-                "partial_update": False,
+                "update": True,
+                "partial_update": True,
                 "retrieve": True,
-                "set_role_to": [],
+                "set_role_to": ["administrator", "owner"],
             },
             "max_ancestors_role": "administrator",
             "max_role": "owner",

src/backend/core/tests/test_models_item_accesses.py

@@ -449,7 +449,7 @@ def test_models_item_access_get_abilities_explicit():
         "update": True,
         "partial_update": True,
         "retrieve": True,
-        "set_role_to": ["administrator", "owner"],
+        "set_role_to": ["editor", "administrator", "owner"],
     }
 
     # Owner user on the root item, acting on the previous user's accesses.
@@ -468,5 +468,5 @@ def test_models_item_access_get_abilities_explicit():
         "update": True,
         "partial_update": True,
         "retrieve": True,
-        "set_role_to": ["administrator", "owner"],
+        "set_role_to": ["editor", "administrator", "owner"],
     }