(core) Limiting doc remove permission to owners.

Summary: Guest editors added to a document were able to remove it. This limits this permission by allowing only owners of a doc to delete it. Test Plan: Updated Reviewers: paulfitz Reviewed By: paulfitz Subscribers: dsagal, anaisconce Differential Revision: https://phab.getgrist.com/D3708
2026-03-02 04:09:24 +00:00 · 2022-11-30 23:10:07 +01:00
parent 601ba58a2e
commit 59942a23b6
4 changed files with 38 additions and 9 deletions
--- a/app/gen-server/lib/HomeDBManager.ts
+++ b/app/gen-server/lib/HomeDBManager.ts
@@ -1885,7 +1885,7 @@ export class HomeDBManager extends EventEmitter {
    return await this._connection.transaction(async manager => {
      const docQuery = this._doc(scope, {
        manager,
-        markPermissions: Permissions.REMOVE,
+        markPermissions: Permissions.REMOVE | Permissions.SCHEMA_EDIT,
        allowSpecialPermit: true
      })
      // Join the docs's ACLs and groups so we can remove them.
@@ -3396,7 +3396,7 @@ export class HomeDBManager extends EventEmitter {
        effectiveUserId = this.getPreviewerUserId();
        threshold = Permissions.VIEW;
      }
-      // Compute whether we have access to the doc
+      // Compute whether we have access to the ws
      query = query.addSelect(
        this._markIsPermitted('workspaces', effectiveUserId, 'open', threshold),
        'is_permitted'
@@ -4298,7 +4298,7 @@ export class HomeDBManager extends EventEmitter {
    return this._connection.transaction(async manager => {
      let docQuery = this._doc({...scope, showAll: true}, {
        manager,
-        markPermissions: Permissions.REMOVE,
+        markPermissions: Permissions.SCHEMA_EDIT | Permissions.REMOVE,
        allowSpecialPermit: true
      });
      if (!removedAt) {