Summary: A user without SchemaEdit permission was able to reorder pages, since this changes _grist_Pages, and that table was left under control of regular access rules. This diff tightens things up, to require SchemaEdit for all metadata edits. The one remaining exception is _grist_Attachments, which needs some reworking to play well with granular access.

Test Plan: extended test

Reviewers: dsagal

Reviewed By: dsagal

Differential Revision: https://phab.getgrist.com/D3025

pull/115/head
parent 4fcdd2ba07
commit d5a7fb23fe