(core) be stricter when replacing documents in the presence of granular access rules

Summary:
The /replace endpoint was built with home-level access control in mind. Updates needed:
  * Only an owner can now replace a document. Only owners are permitted to change granular access rules, and a document replacement could change granular access rules.
  * For the document being substituted in: the user must have complete access to view all material within it.

Test Plan: extended test

Reviewers: georgegevoian, dsagal

Reviewed By: georgegevoian, dsagal

Differential Revision: https://phab.getgrist.com/D3694
Paul Fitzpatrick
2022-11-09 11:49:23 -05:00
parent 101450262c
commit 42c3568835
3 changed files with 56 additions and 8 deletions

@@ -680,10 +680,13 @@ export class ActiveDoc extends EventEmitter {
* shut it down, and unlist it via the DocManager. A fresh ActiveDoc can be acquired via the
* DocManager.
*/
public async replace(source: DocReplacementOptions) {
public async replace(docSession: OptDocSession, source: DocReplacementOptions) {
// During replacement, it is important for all hands to be off the document. So we
// ask the shutdown method to do the replacement when the ActiveDoc is shutdown but
// before a new one could be opened.
if (!await this._granularAccess.isOwner(docSession)) {
throw new ApiError('Only owners can replace a document.', 403);
}
return this.shutdown({
afterShutdown: () => this._docManager.storageManager.replace(this.docName, source)
});
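Review bot: The doc comment above replace() does not say that the method now rejects non-owners with a 403 ApiError, nor what the new docSession parameter is used for; add a sentence covering both. The isOwner check is also inserted between the "all hands to be off the document" comment and the `return this.shutdown({` call that the comment explains, so consider moving the check above that comment so the explanation stays next to the code it describes. Only the owner requirement from the commit message is visible in this hunk; the requirement that the user have complete view access to the document being substituted in is not checked here, so confirm it is enforced in one of the other changed files before `storageManager.replace(this.docName, source)` runs.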