🐛(backend) create_for_owner: add accesses before saving doc content

[Ash-Crow]

Purpose

We add the User Accesses before saving content so the user is sure to have access to the the first version when creating a doc through create_for_owner (fixes #2123)

Proposal

• Changed the order of operations in ServerCreateDocumentSerializer
• Added a unit test

tests are failing

[lunika]

The tests are failing on the tests you added

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: da43436f-a32b-4184-a84c-d1004bbaf31d

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch sbl-create-doc-accesses-before-content

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

src/backend/core/api/serializers.py (1)

508-530: ⚠️ Potential issue | 🟠 Major

LGTM! The reordering correctly ensures accesses exist before content is persisted.

The change properly addresses the issue: the document is created first without content (lines 508-511), then access/invitation records are created (lines 513-526), and only then is content assigned and saved (lines 528-530). This guarantees the owner has access to the first version.

However, similar patterns exist elsewhere that may have the same bug:

1. src/backend/core/api/viewsets.py:719-726 - perform_create passes content at creation time via **serializer.validated_data, then creates DocumentAccess after the document is saved.
2. src/backend/core/models.py:287-298 - _duplicate_onboarding_sandbox_document passes content=template_document.content at creation time, then creates DocumentAccess after.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/backend/core/api/serializers.py` around lines 508 - 530, The same bug
(creating a Document with content before granting access) appears in
perform_create in viewsets.py and _duplicate_onboarding_sandbox_document in
models.py: change both to create the Document without the content field (omit
content from the initial create call), then create the DocumentAccess/Invitation
records (using RoleChoices.OWNER and the same user/email logic), and only after
those access records exist assign document.content = ... and call
document.save(); update perform_create and
_duplicate_onboarding_sandbox_document accordingly so access is created before
content is persisted.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@CHANGELOG.md`:
- Around line 44-47: Remove the duplicate "### Fixed" heading and merge its list
item into the existing "### Fixed" section: move the entry "- 🐛(backend)
create_for_owner: add accesses before saving doc content `#2124`" under the
original "### Fixed" heading and delete the redundant heading so there's only
one "### Fixed" section in CHANGELOG.md.

In `@src/backend/core/tests/documents/test_api_documents_create_for_owner.py`:
- Around line 597-631: The failing test
test_api_documents_create_for_owner_access_before_content calls the serializer
that invokes Converter().convert() but does not use the mock_convert_md fixture
like other content-submitting tests; add the mock_convert_md fixture to this
test (e.g., include mock_convert_md as a parameter to
test_api_documents_create_for_owner_access_before_content or apply the fixture
decorator) so the converter is stubbed out before Document.save_content and the
test no longer tries to call the real conversion service; keep references to
Document.save_content and Converter().convert in mind when applying the fixture.

---

Outside diff comments:
In `@src/backend/core/api/serializers.py`:
- Around line 508-530: The same bug (creating a Document with content before
granting access) appears in perform_create in viewsets.py and
_duplicate_onboarding_sandbox_document in models.py: change both to create the
Document without the content field (omit content from the initial create call),
then create the DocumentAccess/Invitation records (using RoleChoices.OWNER and
the same user/email logic), and only after those access records exist assign
document.content = ... and call document.save(); update perform_create and
_duplicate_onboarding_sandbox_document accordingly so access is created before
content is persisted.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 9f0513a0-3446-4b57-9c3e-7cc285cfe3c8

📥 Commits

Reviewing files that changed from the base of the PR and between f166e75 and e2d8e66.

📒 Files selected for processing (3)

• CHANGELOG.md
• src/backend/core/api/serializers.py
• src/backend/core/tests/documents/test_api_documents_create_for_owner.py

[Ash-Crow]

The tests are failing on the tests you added

They should be fixed now.