🐛(teams) disable creation endpoint from abilities

When we don't allow the user to see the team creation button, we also want to disable the corresponding API.
suitenumerique · Feb 4, 2025 · b4a8773 · b4a8773
1 parent 9275308
commit b4a8773
Show file tree

Hide file tree

Showing 6 changed files with 68 additions and 6 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -16,6 +16,7 @@ and this project adheres to
 
 ### Fixed
 
+- 🚑️(teams) do not display add button when disallowed #676
 - 🚑️(plugins) fix name from SIRET specific case #674
 - 🐛(api) restrict mailbox sync to enabled domains
 

diff --git a/src/backend/core/api/client/viewsets.py b/src/backend/core/api/client/viewsets.py
@@ -303,7 +303,7 @@ class TeamViewSet(
 ):
     """Team ViewSet"""
 
-    permission_classes = [permissions.AccessPermission]
+    permission_classes = [permissions.TeamPermission, permissions.AccessPermission]
     serializer_class = serializers.TeamSerializer
     filter_backends = [filters.OrderingFilter]
     ordering_fields = ["created_at", "name", "path"]

diff --git a/src/backend/core/api/permissions.py b/src/backend/core/api/permissions.py
@@ -53,3 +53,18 @@ def has_object_permission(self, request, view, obj):
         """Check permission for a given object."""
         abilities = obj.get_abilities(request.user)
         return abilities.get(request.method.lower(), False)
+
+
+class TeamPermission(IsAuthenticated):
+    """Permission class for team objects viewset."""
+
+    def has_permission(self, request, view):
+        """Check permission only when the user tries to create a new team."""
+        if not super().has_permission(request, view):
+            return False
+
+        if request.method != "POST":
+            return True
+
+        abilities = request.user.get_abilities()
+        return abilities["teams"]["can_create"]
diff --git a/src/backend/core/models.py b/src/backend/core/models.py
@@ -573,7 +573,7 @@ def get_abilities(self):
             .get()
         )
 
-        teams_can_view = user_info.teams_can_view
+        teams_can_view = user_info.teams_can_view or settings.FEATURES["TEAMS_DISPLAY"]
         mailboxes_can_view = user_info.mailboxes_can_view
 
         return {
@@ -585,7 +585,7 @@ def get_abilities(self):
                 ),
             },
             "teams": {
-                "can_view": teams_can_view and settings.FEATURES["TEAMS_DISPLAY"],
+                "can_view": teams_can_view,
                 "can_create": teams_can_view and settings.FEATURES["TEAMS_CREATE"],
             },
             "mailboxes": {

diff --git a/src/backend/core/tests/teams/test_core_api_teams_create.py b/src/backend/core/tests/teams/test_core_api_teams_create.py
@@ -6,6 +6,7 @@
 from rest_framework.status import (
     HTTP_201_CREATED,
     HTTP_401_UNAUTHORIZED,
+    HTTP_403_FORBIDDEN,
 )
 from rest_framework.test import APIClient
 
@@ -28,7 +29,7 @@ def test_api_teams_create_anonymous():
     assert not Team.objects.exists()
 
 
-def test_api_teams_create_authenticated():
+def test_api_teams_create_authenticated(settings):
     """
     Authenticated users should be able to create teams and should automatically be declared
     as the owner of the newly created team.
@@ -39,6 +40,14 @@ def test_api_teams_create_authenticated():
     client = APIClient()
     client.force_login(user)
 
+    settings.FEATURES = {
+        "TEAMS_DISPLAY": True,
+        "TEAMS_CREATE": True,
+        "CONTACTS_DISPLAY": False,
+        "CONTACTS_CREATE": False,
+        "MAILBOXES_CREATE": False,
+    }
+
     response = client.post(
         "/api/v1.0/teams/",
         {
@@ -54,6 +63,36 @@ def test_api_teams_create_authenticated():
     assert team.accesses.filter(role="owner", user=user).exists()
 
 
+def test_api_teams_create_authenticated_feature_disabled(settings):
+    """
+    Authenticated users should not be able to create teams when feature is disabled.
+    """
+    organization = OrganizationFactory(with_registration_id=True)
+    user = UserFactory(organization=organization)
+
+    client = APIClient()
+    client.force_login(user)
+
+    settings.FEATURES = {
+        "TEAMS_DISPLAY": True,
+        "TEAMS_CREATE": False,
+        "CONTACTS_DISPLAY": False,
+        "CONTACTS_CREATE": False,
+        "MAILBOXES_CREATE": False,
+    }
+
+    response = client.post(
+        "/api/v1.0/teams/",
+        {
+            "name": "my team",
+        },
+        format="json",
+    )
+
+    assert response.status_code == HTTP_403_FORBIDDEN
+    assert not Team.objects.exists()
+
+
 def test_api_teams_create_cannot_override_organization():
     """
     Authenticated users should be able to create teams and not

diff --git a/src/backend/core/tests/users/test_api_users_retrieve.py b/src/backend/core/tests/users/test_api_users_retrieve.py
@@ -56,7 +56,7 @@ def test_api_users_retrieve_me_authenticated():
         "abilities": {
             "contacts": {"can_create": True, "can_view": True},
             "mailboxes": {"can_create": False, "can_view": False},
-            "teams": {"can_create": False, "can_view": False},
+            "teams": {"can_create": True, "can_view": True},
         },
         "organization": {
             "id": str(user.organization.pk),
@@ -66,11 +66,18 @@ def test_api_users_retrieve_me_authenticated():
     }
 
 
-def test_api_users_retrieve_me_authenticated_abilities():
+def test_api_users_retrieve_me_authenticated_abilities(settings):
     """
     Authenticated users should be able to retrieve their own user via the "/users/me" path
     with the proper abilities.
     """
+    settings.FEATURES = {
+        "TEAMS_DISPLAY": False,
+        "TEAMS_CREATE": True,
+        "CONTACTS_DISPLAY": True,
+        "CONTACTS_CREATE": True,
+        "MAILBOXES_CREATE": True,
+    }
     user = factories.UserFactory()
 
     client = APIClient()