✨(back) check on document update if user can save it

When a document is updated, users not connected to the collaboration
server can override work made by other people connected to the
collaboration server. To avoid this, the priority is given to user
connected to the collaboration server. If the websocket property in the
request payload is missing or set to False, the backend fetch the
collaboration server to now if the user can save or not. If users are
already connected, the user can't save. Also, only one user without
websocket can save a connect, the first user saving acquire a lock and
all other users can't save.
To implement this behavior, we need to track all users, connected and
not, so a session is created for every user in the
ForceSessionMiddleware.

Author: lunika

src/backend/core/api/serializers.py

@@ -239,6 +239,7 @@ class DocumentSerializer(ListDocumentSerializer):
     """Serialize documents with all fields for display in detail views."""
 
     content = serializers.CharField(required=False)
+    websocket = serializers.BooleanField(required=False, write_only=True)
 
     class Meta:
         model = models.Document
@@ -260,6 +261,7 @@ class Meta:
             "title",
             "updated_at",
             "user_roles",
+            "websocket",
         ]
         read_only_fields = [
             "id",

src/backend/core/api/viewsets.py

@@ -30,6 +30,7 @@
 from rest_framework import response as drf_response
 from rest_framework.permissions import AllowAny
 from rest_framework.throttling import UserRateThrottle
+from sentry_sdk import capture_exception
 
 from core import authentication, enums, models
 from core.services.ai_services import AIService
@@ -631,6 +632,54 @@ def perform_destroy(self, instance):
         """Override to implement a soft delete instead of dumping the record in database."""
         instance.soft_delete()
 
+    def perform_update(self, serializer):
+        """Check rules about collaboration."""
+        if serializer.validated_data.get("websocket"):
+            return super().perform_update(serializer)
+
+        try:
+            connection_info = CollaborationService().get_document_connection_info(
+                serializer.instance.id,
+                self.request.session.session_key,
+            )
+        except requests.HTTPError as e:
+            capture_exception(e)
+            connection_info = {
+                "count": 0,
+                "exists": False,
+            }
+
+        if connection_info["count"] == 0:
+            # No websocket mode
+            logger.debug("update without connection found in the websocket server")
+            cache_key = f"docs:no-websocket:{serializer.instance.id}"
+            current_editor = cache.get(cache_key)
+            if not current_editor:
+                cache.set(
+                    cache_key,
+                    self.request.session.session_key,
+                    settings.NO_WEBSOCKET_CACHE_TIMEOUT,
+                )
+            elif current_editor != self.request.session.session_key:
+                raise drf.exceptions.PermissionDenied(
+                    "You are not allowed to edit this document."
+                )
+            cache.touch(cache_key, settings.NO_WEBSOCKET_CACHE_TIMEOUT)
+            return super().perform_update(serializer)
+
+        if connection_info["exists"]:
+            # Websocket mode
+            logger.debug("session key found in the websocket server")
+            return super().perform_update(serializer)
+
+        logger.debug(
+            "Users connected to the websocket but current editor not connected to it. Can not edit."
+        )
+
+        raise drf.exceptions.PermissionDenied(
+            "You are not allowed to edit this document."
+        )
+
     @drf.decorators.action(
         detail=False,
         methods=["get"],

src/backend/core/middleware.py

@@ -0,0 +1,21 @@
+"""Force session creation for all requests."""
+
+
+class ForceSessionMiddleware:
+    """
+    Force session creation for unauthenticated users.
+    Must be used after Authentication middleware.
+    """
+
+    def __init__(self, get_response):
+        """Initialize the middleware."""
+        self.get_response = get_response
+
+    def __call__(self, request):
+        """Force session creation for unauthenticated users."""
+
+        if not request.user.is_authenticated and request.session.session_key is None:
+            request.session.save()
+
+        response = self.get_response(request)
+        return response

src/backend/core/services/collaboration_services.py

@@ -41,3 +41,31 @@ def reset_connections(self, room, user_id=None):
                 f"Failed to notify WebSocket server. Status code: {response.status_code}, "
                 f"Response: {response.text}"
             )
+
+    def get_document_connection_info(self, room, session_key):
+        """
+        Get the connection info for a document.
+        """
+        endpoint = "get-connections"
+        querystring = {
+            "room": room,
+            "sessionKey": session_key,
+        }
+        endpoint_url = f"{settings.COLLABORATION_API_URL}{endpoint}/"
+
+        headers = {"Authorization": settings.COLLABORATION_SERVER_SECRET}
+
+        try:
+            response = requests.get(
+                endpoint_url, headers=headers, params=querystring, timeout=10
+            )
+        except requests.RequestException as e:
+            raise requests.HTTPError("Failed to get document connection info.") from e
+
+        if response.status_code != 200:
+            raise requests.HTTPError(
+                f"Failed to get document connection info. Status code: {response.status_code}, "
+                f"Response: {response.text}"
+            )
+
+        return response.json()