fix: admin delete bypass + update merge checklist for new features

- Fix doc-service delete endpoint: admins could not delete non-owned, non-shared documents — they hit 404 because the initial query filtered by owner/watch/group even before the is_admin bypass was checked. Admins now get an unconditional fetch, consistent with intent. - Add 18 new checklist tests covering: group admin role (4.9–4.10), delete permission variants (12.16b–12.16e), can_delete sharing (13.11–13.14), category scopes / PascalCase naming (14.7–14.17), and three-dots portal fix (19.11). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-19 02:12:40 +02:00
parent c59718171c
commit d345ace86d
3 changed files with 55 additions and 17 deletions
@@ -526,21 +526,25 @@ async def delete_document(
    user_admin_groups: list[str] = Depends(get_user_admin_groups),
    db: AsyncSession = Depends(get_db),
 ) -> None:
-    # Fetch the document (owner, watch, or shared with user's groups)
-    result = await db.execute(
-        select(Document).where(
-            Document.id == doc_id,
-            or_(
-                Document.user_id == user_id,
-                Document.user_id == _WATCH_USER_ID,
-                Document.id.in_(
-                    select(DocumentShare.document_id).where(
-                        DocumentShare.group_id.in_(user_groups)
-                    )
-                ) if user_groups else False,
-            ),
+    if is_admin:
+        # Admins can delete any document — fetch unconditionally.
+        result = await db.execute(select(Document).where(Document.id == doc_id))
+    else:
+        # Fetch the document (owner, watch, or shared with user's groups)
+        result = await db.execute(
+            select(Document).where(
+                Document.id == doc_id,
+                or_(
+                    Document.user_id == user_id,
+                    Document.user_id == _WATCH_USER_ID,
+                    Document.id.in_(
+                        select(DocumentShare.document_id).where(
+                            DocumentShare.group_id.in_(user_groups)
+                        )
+                    ) if user_groups else False,
+                ),
+            )
        )
-    )
    doc = result.scalar_one_or_none()
    if doc is None:
        raise HTTPException(status_code=404, detail="Document not found")