🔒️(backend) remove owner as valid role for ask_for_access serializer

When a ask_for_access creation is made, we explicitly remove the owner
role to prevent role escalation.

Author: lunika

src/backend/core/api/serializers.py

@@ -786,7 +786,9 @@ class DocumentAskForAccessCreateSerializer(serializers.Serializer):
     """Serializer for creating a document ask for access."""
 
     role = serializers.ChoiceField(
-        choices=models.RoleChoices.choices,
+        choices=[
+            role for role in choices.RoleChoices if role != models.RoleChoices.OWNER
+        ],
         required=False,
         default=models.RoleChoices.READER,
     )
@@ -810,11 +812,11 @@ class Meta:
         ]
         read_only_fields = ["id", "document", "user", "role", "created_at", "abilities"]
 
-    def get_abilities(self, invitation) -> dict:
+    def get_abilities(self, instance) -> dict:
         """Return abilities of the logged-in user on the instance."""
         request = self.context.get("request")
         if request:
-            return invitation.get_abilities(request.user)
+            return instance.get_abilities(request.user)
         return {}
 
 

src/backend/core/tests/documents/test_api_documents_ask_for_access.py

@@ -115,7 +115,10 @@ def test_api_documents_ask_for_access_create_authenticated_non_root_document():
     assert response.status_code == 404
 
 
-def test_api_documents_ask_for_access_create_authenticated_specific_role():
+@pytest.mark.parametrize(
+    "role", [role for role in RoleChoices if role != RoleChoices.OWNER]
+)
+def test_api_documents_ask_for_access_create_authenticated_specific_role(role):
     """
     Authenticated users should be able to create a document ask for access with a specific role.
     """
@@ -127,17 +130,35 @@ def test_api_documents_ask_for_access_create_authenticated_specific_role():
 
     response = client.post(
         f"/api/v1.0/documents/{document.id}/ask-for-access/",
-        data={"role": RoleChoices.EDITOR},
+        data={"role": role},
     )
     assert response.status_code == 201
 
     assert DocumentAskForAccess.objects.filter(
         document=document,
         user=user,
-        role=RoleChoices.EDITOR,
+        role=role,
     ).exists()
 
 
+def test_api_documents_ask_for_access_create_authenticated_owner_role():
+    """
+    Authenticated users should not be able to create a document ask for access with the owner role.
+    """
+    document = DocumentFactory()
+    user = UserFactory()
+
+    client = APIClient()
+    client.force_login(user)
+
+    response = client.post(
+        f"/api/v1.0/documents/{document.id}/ask-for-access/",
+        data={"role": RoleChoices.OWNER},
+    )
+    assert response.status_code == 400
+    assert response.json() == {"role": ['"owner" is not a valid choice.']}
+
+
 def test_api_documents_ask_for_access_create_authenticated_already_has_access():
     """Authenticated users with existing access can ask for access with a different role."""
     user = UserFactory()