(core) Only owners should be able to rename a document.

Summary: Checking SCHEMA_EDIT permission when user wants to update document's name. Test Plan: New test Reviewers: paulfitz Reviewed By: paulfitz Differential Revision: https://phab.getgrist.com/D3733
1 year ago · fa75c93d67
parent 620e86a9f1
commit fa75c93d67
2 changed files with 18 additions and 2 deletions
--- a/app/gen-server/lib/HomeDBManager.ts
+++ b/app/gen-server/lib/HomeDBManager.ts
@ -1833,17 +1833,19 @@ export class HomeDBManager extends EventEmitter {
    });
  }

-  // Checks that the user has UPDATE permissions to the given doc. If not, throws an
+  // Checks that the user has SCHEMA_EDIT permissions to the given doc. If not, throws an
  // error. Otherwise updates the given doc with the given name. Returns an empty
  // query result with status 200 on success.
  // NOTE: This does not update the updateAt date indicating the last modified time of the doc.
  // We may want to make it do so.
  public async updateDocument(scope: DocScope,
                              props: Partial<DocumentProperties>): Promise<QueryResult<number>> {
+
+    const markPermissions = Permissions.SCHEMA_EDIT;
    return await this._connection.transaction(async manager => {
      const docQuery = this._doc(scope, {
        manager,
-        markPermissions: Permissions.UPDATE
+        markPermissions
      });

      const queryResult = await verifyIsPermitted(docQuery);
--- a/test/server/lib/DocApi.ts
+++ b/test/server/lib/DocApi.ts
@ -213,6 +213,20 @@ function testDocApi() {
    await assert.isFulfilled(kiwiApi.deleteDoc(doc1));
  });

+  it("should allow only owners to rename a document", async () => {
+    const ws1 = (await userApi.getOrgWorkspaces('current'))[0].id;
+    const doc1 = await userApi.newDoc({name: 'testrenameme1'}, ws1);
+    const kiwiApi = makeUserApi(ORG_NAME, 'kiwi');
+
+    // Kiwi is editor of the document, so he can't rename it.
+    await userApi.updateDocPermissions(doc1, {users: {'kiwi@getgrist.com': 'editors'}});
+    await assert.isRejected(kiwiApi.renameDoc(doc1, "testrenameme2"), /Forbidden/);
+
+    // Kiwi is owner of the document - now he can rename it.
+    await userApi.updateDocPermissions(doc1, {users: {'kiwi@getgrist.com': 'owners'}});
+    await assert.isFulfilled(kiwiApi.renameDoc(doc1, "testrenameme2"));
+  });
+
  it("guesses types of new columns", async () => {
    const userActions = [
      ['AddTable', 'GuessTypes', []],