suitenumerique · AntoLC · Oct 3, 2025 · Oct 6, 2025 · Oct 6, 2025 · Oct 6, 2025
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,6 +9,7 @@ and this project adheres to
 ### Added
 
 - ✨(frontend) add pdf block to the editor #1293
+- ✨List and restore deleted docs #1450
 
 ### Changed
 

diff --git a/src/backend/core/api/serializers.py b/src/backend/core/api/serializers.py
@@ -90,6 +90,7 @@ class ListDocumentSerializer(serializers.ModelSerializer):
     nb_accesses_direct = serializers.IntegerField(read_only=True)
     user_role = serializers.SerializerMethodField(read_only=True)
     abilities = serializers.SerializerMethodField(read_only=True)
+    deleted_at = serializers.SerializerMethodField(read_only=True)
 
     class Meta:
         model = models.Document
@@ -102,6 +103,7 @@ class Meta:
             "computed_link_role",
             "created_at",
             "creator",
+            "deleted_at",
             "depth",
             "excerpt",
             "is_favorite",
@@ -124,6 +126,7 @@ class Meta:
             "computed_link_role",
             "created_at",
             "creator",
+            "deleted_at",
             "depth",
             "excerpt",
             "is_favorite",
@@ -165,6 +168,10 @@ def get_user_role(self, instance):
         request = self.context.get("request")
         return instance.get_role(request.user) if request else None
 
+    def get_deleted_at(self, instance):
+        """Return the deleted_at of the current document."""
+        return instance.ancestors_deleted_at
+
 
 class DocumentLightSerializer(serializers.ModelSerializer):
     """Minial document serializer for nesting in document accesses."""
@@ -193,6 +200,7 @@ class Meta:
             "content",
             "created_at",
             "creator",
+            "deleted_at",
             "depth",
             "excerpt",
             "is_favorite",
@@ -216,6 +224,7 @@ class Meta:
             "computed_link_role",
             "created_at",
             "creator",
+            "deleted_at",
             "depth",
             "is_favorite",
             "link_role",

diff --git a/src/backend/core/api/viewsets.py b/src/backend/core/api/viewsets.py
@@ -851,33 +851,47 @@ def tree(self, request, pk, *args, **kwargs):
 
         try:
             current_document = (
-                self.queryset.select_related(None).only("depth", "path").get(pk=pk)
+                self.queryset.select_related(None)
+                .only("depth", "path", "ancestors_deleted_at")
+                .get(pk=pk)
             )
         except models.Document.DoesNotExist as excpt:
             raise drf.exceptions.NotFound() from excpt
 
-        ancestors = (
-            (
-                current_document.get_ancestors()
-                | self.queryset.select_related(None).filter(pk=pk)
-            )
-            .filter(ancestors_deleted_at__isnull=True)
-            .order_by("path")
-        )
+        is_deleted = current_document.ancestors_deleted_at is not None
 
-        # Get the highest readable ancestor
-        highest_readable = (
-            ancestors.select_related(None)
-            .readable_per_se(request.user)
-            .only("depth", "path")
-            .first()
-        )
-        if highest_readable is None:
-            raise (
-                drf.exceptions.PermissionDenied()
-                if request.user.is_authenticated
-                else drf.exceptions.NotAuthenticated()
+        if is_deleted:
+            if current_document.get_role(user) != models.RoleChoices.OWNER:
+                raise (
+                    drf.exceptions.PermissionDenied()
+                    if request.user.is_authenticated
+                    else drf.exceptions.NotAuthenticated()
+                )
+            highest_readable = current_document
+            ancestors = self.queryset.select_related(None).filter(pk=pk)
+        else:
+            ancestors = (
+                (
+                    current_document.get_ancestors()
+                    | self.queryset.select_related(None).filter(pk=pk)
+                )
+                .filter(ancestors_deleted_at__isnull=True)
+                .order_by("path")
             )
+            # Get the highest readable ancestor
+            highest_readable = (
+                ancestors.select_related(None)
+                .readable_per_se(request.user)
+                .only("depth", "path")
+                .first()
+            )
+
+            if highest_readable is None:
+                raise (
+                    drf.exceptions.PermissionDenied()
+                    if request.user.is_authenticated
+                    else drf.exceptions.NotAuthenticated()
+                )
         paths_links_mapping = {}
         ancestors_links = []
         children_clause = db.Q()
@@ -2157,6 +2171,7 @@ def get(self, request):
             "LANGUAGES",
             "LANGUAGE_CODE",
             "SENTRY_DSN",
+            "TRASHBIN_CUTOFF_DAYS",
         ]
         dict_settings = {}
         for setting in array_settings:

diff --git a/src/backend/core/models.py b/src/backend/core/models.py
@@ -721,7 +721,7 @@ def get_abilities(self, user):
 
         # Characteristics that are based only on specific access
         is_owner = role == RoleChoices.OWNER
-        is_deleted = self.ancestors_deleted_at and not is_owner
+        is_deleted = self.ancestors_deleted_at
         is_owner_or_admin = (is_owner or role == RoleChoices.ADMIN) and not is_deleted
 
         # Compute access roles before adding link roles because we don't
@@ -750,6 +750,7 @@ def get_abilities(self, user):
             role = RoleChoices.max(role, link_definition["link_role"])
 
         can_get = bool(role) and not is_deleted
+        retrieve = can_get or is_owner
         can_update = (
             is_owner_or_admin or role == RoleChoices.EDITOR
         ) and not is_deleted
@@ -758,7 +759,7 @@ def get_abilities(self, user):
             is_owner
             if self.is_root()
             else (is_owner_or_admin or (user.is_authenticated and self.creator == user))
-        )
+        ) and not is_deleted
 
         ai_allow_reach_from = settings.AI_ALLOW_REACH_FROM
         ai_access = any(
@@ -790,15 +791,15 @@ def get_abilities(self, user):
             "duplicate": can_get and user.is_authenticated,
             "favorite": can_get and user.is_authenticated,
             "link_configuration": is_owner_or_admin,
-            "invite_owner": is_owner,
+            "invite_owner": is_owner and not is_deleted,
             "mask": can_get and user.is_authenticated,
-            "move": is_owner_or_admin and not self.ancestors_deleted_at,
+            "move": is_owner_or_admin and not is_deleted,
             "partial_update": can_update,
             "restore": is_owner,
-            "retrieve": can_get,
+            "retrieve": retrieve,
             "media_auth": can_get,
             "link_select_options": link_select_options,
-            "tree": can_get,
+            "tree": retrieve,
             "update": can_update,
             "versions_destroy": is_owner_or_admin,
             "versions_list": has_access_role,

diff --git a/src/backend/core/tests/documents/test_api_documents_children_list.py b/src/backend/core/tests/documents/test_api_documents_children_list.py
@@ -41,6 +41,7 @@ def test_api_documents_children_list_anonymous_public_standalone(
                 "computed_link_role": child1.computed_link_role,
                 "created_at": child1.created_at.isoformat().replace("+00:00", "Z"),
                 "creator": str(child1.creator.id),
+                "deleted_at": None,
                 "depth": 2,
                 "excerpt": child1.excerpt,
                 "id": str(child1.id),
@@ -63,6 +64,7 @@ def test_api_documents_children_list_anonymous_public_standalone(
                 "computed_link_role": child2.computed_link_role,
                 "created_at": child2.created_at.isoformat().replace("+00:00", "Z"),
                 "creator": str(child2.creator.id),
+                "deleted_at": None,
                 "depth": 2,
                 "excerpt": child2.excerpt,
                 "id": str(child2.id),
@@ -115,6 +117,7 @@ def test_api_documents_children_list_anonymous_public_parent(django_assert_num_q
                 "computed_link_role": child1.computed_link_role,
                 "created_at": child1.created_at.isoformat().replace("+00:00", "Z"),
                 "creator": str(child1.creator.id),
+                "deleted_at": None,
                 "depth": 4,
                 "excerpt": child1.excerpt,
                 "id": str(child1.id),
@@ -137,6 +140,7 @@ def test_api_documents_children_list_anonymous_public_parent(django_assert_num_q
                 "computed_link_role": child2.computed_link_role,
                 "created_at": child2.created_at.isoformat().replace("+00:00", "Z"),
                 "creator": str(child2.creator.id),
+                "deleted_at": None,
                 "depth": 4,
                 "excerpt": child2.excerpt,
                 "id": str(child2.id),
@@ -208,6 +212,7 @@ def test_api_documents_children_list_authenticated_unrelated_public_or_authentic
                 "computed_link_role": child1.computed_link_role,
                 "created_at": child1.created_at.isoformat().replace("+00:00", "Z"),
                 "creator": str(child1.creator.id),
+                "deleted_at": None,
                 "depth": 2,
                 "excerpt": child1.excerpt,
                 "id": str(child1.id),
@@ -230,6 +235,7 @@ def test_api_documents_children_list_authenticated_unrelated_public_or_authentic
                 "computed_link_role": child2.computed_link_role,
                 "created_at": child2.created_at.isoformat().replace("+00:00", "Z"),
                 "creator": str(child2.creator.id),
+                "deleted_at": None,
                 "depth": 2,
                 "excerpt": child2.excerpt,
                 "id": str(child2.id),
@@ -287,6 +293,7 @@ def test_api_documents_children_list_authenticated_public_or_authenticated_paren
                 "computed_link_role": child1.computed_link_role,
                 "created_at": child1.created_at.isoformat().replace("+00:00", "Z"),
                 "creator": str(child1.creator.id),
+                "deleted_at": None,
                 "depth": 4,
                 "excerpt": child1.excerpt,
                 "id": str(child1.id),
@@ -309,6 +316,7 @@ def test_api_documents_children_list_authenticated_public_or_authenticated_paren
                 "computed_link_role": child2.computed_link_role,
                 "created_at": child2.created_at.isoformat().replace("+00:00", "Z"),
                 "creator": str(child2.creator.id),
+                "deleted_at": None,
                 "depth": 4,
                 "excerpt": child2.excerpt,
                 "id": str(child2.id),
@@ -393,6 +401,7 @@ def test_api_documents_children_list_authenticated_related_direct(
                 "computed_link_role": child1.computed_link_role,
                 "created_at": child1.created_at.isoformat().replace("+00:00", "Z"),
                 "creator": str(child1.creator.id),
+                "deleted_at": None,
                 "depth": 2,
                 "excerpt": child1.excerpt,
                 "id": str(child1.id),
@@ -415,6 +424,7 @@ def test_api_documents_children_list_authenticated_related_direct(
                 "computed_link_role": child2.computed_link_role,
                 "created_at": child2.created_at.isoformat().replace("+00:00", "Z"),
                 "creator": str(child2.creator.id),
+                "deleted_at": None,
                 "depth": 2,
                 "excerpt": child2.excerpt,
                 "id": str(child2.id),
@@ -475,6 +485,7 @@ def test_api_documents_children_list_authenticated_related_parent(
                 "computed_link_role": child1.computed_link_role,
                 "created_at": child1.created_at.isoformat().replace("+00:00", "Z"),
                 "creator": str(child1.creator.id),
+                "deleted_at": None,
                 "depth": 4,
                 "excerpt": child1.excerpt,
                 "id": str(child1.id),
@@ -497,6 +508,7 @@ def test_api_documents_children_list_authenticated_related_parent(
                 "computed_link_role": child2.computed_link_role,
                 "created_at": child2.created_at.isoformat().replace("+00:00", "Z"),
                 "creator": str(child2.creator.id),
+                "deleted_at": None,
                 "depth": 4,
                 "excerpt": child2.excerpt,
                 "id": str(child2.id),
@@ -609,6 +621,7 @@ def test_api_documents_children_list_authenticated_related_team_members(
                 "computed_link_role": child1.computed_link_role,
                 "created_at": child1.created_at.isoformat().replace("+00:00", "Z"),
                 "creator": str(child1.creator.id),
+                "deleted_at": None,
                 "depth": 2,
                 "excerpt": child1.excerpt,
                 "id": str(child1.id),
@@ -631,6 +644,7 @@ def test_api_documents_children_list_authenticated_related_team_members(
                 "computed_link_role": child2.computed_link_role,
                 "created_at": child2.created_at.isoformat().replace("+00:00", "Z"),
                 "creator": str(child2.creator.id),
+                "deleted_at": None,
                 "depth": 2,
                 "excerpt": child2.excerpt,
                 "id": str(child2.id),