🐛(backend) create_for_owner: add accesses before saving doc content

Ash-Crow · Ash-Crow · commit e2d8e66fa4b1 · 2026-03-31T14:50:05.000+02:00
We add the User Accesses before saving content so the user is sure to have access to the the first version when creating a doc through create_for_owner (fixes #2123)
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -41,6 +41,10 @@ and this project adheres to
 - 🐛(y-provider) destroy Y.Doc instances after each convert request #2129
 - 🐛(backend) remove deleted sub documents in favorite_list endpoint #2083
 
+### Fixed
+
+- 🐛(backend) create_for_owner: add accesses before saving doc content #2124
+
 ## [v4.8.3] - 2026-03-23
 
 ### Changed
diff --git a/src/backend/core/api/serializers.py b/src/backend/core/api/serializers.py
@@ -507,7 +507,6 @@ def create(self, validated_data):
 
         document = models.Document.add_root(
             title=validated_data["title"],
-            content=document_content,
             creator=user,
         )
 
@@ -526,6 +525,9 @@ def create(self, validated_data):
                 role=models.RoleChoices.OWNER,
             )
 
+        document.content = document_content
+        document.save()
+
         self._send_email_notification(document, validated_data, email, language)
         return document
 
diff --git a/src/backend/core/tests/documents/test_api_documents_create_for_owner.py b/src/backend/core/tests/documents/test_api_documents_create_for_owner.py
@@ -594,6 +594,43 @@ def test_api_documents_create_for_owner_with_converter_exception(
     assert response.json() == {"content": ["Could not convert content"]}
 
 
+@override_settings(SERVER_TO_SERVER_API_TOKENS=["DummyToken"])
+def test_api_documents_create_for_owner_access_before_content():
+    """
+    Accesses must exist before content is saved to object storage so the owner
+    has access to the very first version of the document.
+    """
+    user = factories.UserFactory()
+    accesses_at_save_time = []
+
+    original_save_content = Document.save_content
+
+    def capturing_save_content(self, content):
+        accesses_at_save_time.extend(
+            list(self.accesses.values_list("user__sub", "role"))
+        )
+        return original_save_content(self, content)
+
+    data = {
+        "title": "My Document",
+        "content": "Document content",
+        "sub": str(user.sub),
+        "email": user.email,
+    }
+
+    with patch.object(Document, "save_content", capturing_save_content):
+        response = APIClient().post(
+            "/api/v1.0/documents/create-for-owner/",
+            data,
+            format="json",
+            HTTP_AUTHORIZATION="Bearer DummyToken",
+        )
+
+    assert response.status_code == 201
+    # The owner access must already exist when save_content is called
+    assert (str(user.sub), "owner") in accesses_at_save_time
+
+
 @override_settings(SERVER_TO_SERVER_API_TOKENS=["DummyToken"])
 def test_api_documents_create_for_owner_with_empty_content():
     """The content should not be empty or a 400 error should be raised."""

Original file line number	Diff line number	Diff line change
`@@ -507,7 +507,6 @@ def create(self, validated_data):`
`507`	`507`
`508`	`508`	`document = models.Document.add_root(`
`509`	`509`	`title=validated_data["title"],`
`510`		`- content=document_content,`
`511`	`510`	`creator=user,`
`512`	`511`	`)`
`513`	`512`
`@@ -526,6 +525,9 @@ def create(self, validated_data):`
`526`	`525`	`role=models.RoleChoices.OWNER,`
`527`	`526`	`)`
`528`	`527`
	`528`	`+ document.content = document_content`
	`529`	`+ document.save()`
	`530`	`+`
`529`	`531`	`self._send_email_notification(document, validated_data, email, language)`
`530`	`532`	`return document`
`531`	`533`