Fix: limit share link viewset actions

2026-03-30 04:42:45 +00:00 · 2026-03-29 07:18:48 -07:00
2 changed files with 61 additions and 1 deletions
--- a/src/documents/tests/test_api_documents.py
+++ b/src/documents/tests/test_api_documents.py
@@ -2990,6 +2990,58 @@ class TestDocumentApi(DirectoriesMixin, DocumentConsumeDelayMixin, APITestCase):
        self.assertEqual(create_resp.status_code, status.HTTP_201_CREATED)
        self.assertEqual(create_resp.data["document"], doc.pk)

+    def test_share_link_update_methods_not_allowed(self):
+        """
+        GIVEN:
+            - An existing share link
+        WHEN:
+            - PUT and PATCH requests are made to its detail endpoint
+        THEN:
+            - The API rejects them with 405 and the link is unchanged
+        """
+        doc = Document.objects.create(
+            title="test",
+            mime_type="application/pdf",
+            content="share link content",
+        )
+        expiration = timezone.now() + timedelta(days=7)
+        create_resp = self.client.post(
+            "/api/share_links/",
+            data={
+                "document": doc.pk,
+                "expiration": expiration.isoformat(),
+                "file_version": ShareLink.FileVersion.ORIGINAL,
+            },
+            format="json",
+        )
+        self.assertEqual(create_resp.status_code, status.HTTP_201_CREATED)
+        share_link_id = create_resp.data["id"]
+
+        patch_resp = self.client.patch(
+            f"/api/share_links/{share_link_id}/",
+            data={
+                "expiration": None,
+                "file_version": ShareLink.FileVersion.ARCHIVE,
+            },
+            format="json",
+        )
+        self.assertEqual(patch_resp.status_code, status.HTTP_405_METHOD_NOT_ALLOWED)
+
+        put_resp = self.client.put(
+            f"/api/share_links/{share_link_id}/",
+            data={
+                "document": doc.pk,
+                "expiration": None,
+                "file_version": ShareLink.FileVersion.ARCHIVE,
+            },
+            format="json",
+        )
+        self.assertEqual(put_resp.status_code, status.HTTP_405_METHOD_NOT_ALLOWED)
+
+        share_link = ShareLink.objects.get(pk=share_link_id)
+        self.assertEqual(share_link.file_version, ShareLink.FileVersion.ORIGINAL)
+        self.assertIsNotNone(share_link.expiration)
+
    def test_next_asn(self):
        """
        GIVEN:
--- a/src/documents/views.py
+++ b/src/documents/views.py
@@ -76,6 +76,7 @@ from rest_framework.exceptions import ValidationError
 from rest_framework.filters import OrderingFilter
 from rest_framework.filters import SearchFilter
 from rest_framework.generics import GenericAPIView
+from rest_framework.mixins import CreateModelMixin
 from rest_framework.mixins import DestroyModelMixin
 from rest_framework.mixins import ListModelMixin
 from rest_framework.mixins import RetrieveModelMixin
@@ -2702,7 +2703,14 @@ class TasksViewSet(ReadOnlyModelViewSet):
            )


-class ShareLinkViewSet(ModelViewSet, PassUserMixin):
+class ShareLinkViewSet(
+    PassUserMixin,
+    CreateModelMixin,
+    RetrieveModelMixin,
+    DestroyModelMixin,
+    ListModelMixin,
+    GenericViewSet,
+):
    model = ShareLink

    queryset = ShareLink.objects.all()