(core) Limiting doc remove permission to owners.

Summary:
Guest editors added to a document were able to remove it. This change restricts that
permission so that only owners of a doc can delete it.

Test Plan: Updated

Reviewers: paulfitz

Reviewed By: paulfitz

Subscribers: dsagal, anaisconce

Differential Revision: https://phab.getgrist.com/D3708
Jarosław Sadziński
2022-11-30 23:10:07 +01:00
parent 601ba58a2e
commit 59942a23b6
4 changed files with 38 additions and 9 deletions


@@ -488,7 +488,7 @@ export function makeDocOptionsMenu(home: HomeModel, doc: Document, renaming: Obs
testId('move-doc')
),
menuItem(deleteDoc, t('Remove'),
dom.cls('disabled', !roles.canDelete(doc.access)),
dom.cls('disabled', !roles.isOwner(doc)),
testId('delete-doc')
),
menuItem(() => home.pinUnpinDoc(doc.id, !doc.isPinned).catch(reportError),
@@ -511,11 +511,11 @@ export function makeRemovedDocOptionsMenu(home: HomeModel, doc: Document, worksp
return [
menuItem(() => home.restoreDoc(doc), t('Restore'),
dom.cls('disabled', !roles.canDelete(doc.access) || !!workspace.removedAt),
dom.cls('disabled', !roles.isOwner(doc) || !!workspace.removedAt),
testId('doc-restore')
),
menuItem(hardDeleteDoc, t('DeleteForever'),
dom.cls('disabled', !roles.canDelete(doc.access)),
dom.cls('disabled', !roles.isOwner(doc)),
testId('doc-delete-forever')
),
(workspace.removedAt ?
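Review bot: The `dom.cls('disabled', !roles.isOwner(doc))` lines on the Remove, Restore and DeleteForever items only change how each item is rendered, and nothing here says where the owner rule is actually enforced. Whether a disabled item still runs `deleteDoc` or `hardDeleteDoc` when clicked cannot be told from these hunks, so I would confirm that and add a one-line comment above each item, e.g. `// UI hint only; the owner check is enforced server-side`. The same expression is repeated three times; a local `const isOwner = roles.isOwner(doc);` at the top of each menu function would keep the conditions in step. Both functions start and end outside the hunks.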


@@ -1885,7 +1885,7 @@ export class HomeDBManager extends EventEmitter {
return await this._connection.transaction(async manager => {
const docQuery = this._doc(scope, {
manager,
markPermissions: Permissions.REMOVE,
markPermissions: Permissions.REMOVE | Permissions.SCHEMA_EDIT,
allowSpecialPermit: true
})
// Join the docs's ACLs and groups so we can remove them.
@@ -3396,7 +3396,7 @@ export class HomeDBManager extends EventEmitter {
effectiveUserId = this.getPreviewerUserId();
threshold = Permissions.VIEW;
}
// Compute whether we have access to the doc
// Compute whether we have access to the ws
query = query.addSelect(
this._markIsPermitted('workspaces', effectiveUserId, 'open', threshold),
'is_permitted'
@@ -4298,7 +4298,7 @@ export class HomeDBManager extends EventEmitter {
return this._connection.transaction(async manager => {
let docQuery = this._doc({...scope, showAll: true}, {
manager,
markPermissions: Permissions.REMOVE,
markPermissions: Permissions.SCHEMA_EDIT | Permissions.REMOVE,
allowSpecialPermit: true
});
if (!removedAt) {
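Review bot: Owner-only removal is encoded as `Permissions.REMOVE | Permissions.SCHEMA_EDIT` without a comment, and the two call sites spell the mask in opposite orders (`REMOVE | SCHEMA_EDIT` in the first hunk, `SCHEMA_EDIT | REMOVE` in the last). The change narrows access only if `markPermissions` requires every bit of the mask; if `_doc` treats it as any-bit-set, adding `SCHEMA_EDIT` would not exclude editors. That is not visible in these hunks, so it is worth confirming and, if the updated tests do not already do so, asserting that a guest editor's delete is refused. I would pull the mask into one named constant used at both sites, with a comment such as `// Editors hold REMOVE; SCHEMA_EDIT is presumably what limits this to owners`. `allowSpecialPermit: true` is unchanged on both queries, so a special permit presumably still bypasses the owner requirement, which deserves a comment stating it is intended; both methods start and end outside the hunks.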