(core) Only owners should be able to rename a document.
Summary: Checking SCHEMA_EDIT permission when user wants to update document's name. Test Plan: New test Reviewers: paulfitz Reviewed By: paulfitz Differential Revision: https://phab.getgrist.com/D3733
parent
620e86a9f1
commit
fa75c93d67
@ -1833,17 +1833,19 @@ export class HomeDBManager extends EventEmitter {
|
||||
});
|
||||
}
|
||||
|
||||
// Checks that the user has UPDATE permissions to the given doc. If not, throws an
|
||||
// Checks that the user has SCHEMA_EDIT permissions to the given doc. If not, throws an
|
||||
// error. Otherwise updates the given doc with the given name. Returns an empty
|
||||
// query result with status 200 on success.
|
||||
// NOTE: This does not update the updateAt date indicating the last modified time of the doc.
|
||||
// We may want to make it do so.
|
||||
public async updateDocument(scope: DocScope,
|
||||
props: Partial<DocumentProperties>): Promise<QueryResult<number>> {
|
||||
|
||||
const markPermissions = Permissions.SCHEMA_EDIT;
|
||||
return await this._connection.transaction(async manager => {
|
||||
const docQuery = this._doc(scope, {
|
||||
manager,
|
||||
markPermissions: Permissions.UPDATE
|
||||
markPermissions
|
||||
});
|
||||
|
||||
const queryResult = await verifyIsPermitted(docQuery);
|
||||
|
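Review bot: The header comment on `updateDocument` still describes the method as updating the doc "with the given name", but `props` is `Partial<DocumentProperties>` and `const markPermissions = Permissions.SCHEMA_EDIT` is applied unconditionally, so every property change made through this method now requires the stricter permission, not only a rename. Failing closed like this looks intended, but the comment should say so, e.g. `// Requires SCHEMA_EDIT rather than UPDATE for any change to document properties, so users with edit-only access cannot rename the doc.` The commit title promises "only owners", yet the hunk does not show how SCHEMA_EDIT maps to the owner role, so a short pointer to where that mapping is defined would help the next reader confirm the guarantee. The body of `updateDocument` continues outside the hunk, so any later branches that use `props` are not covered by this note.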
@ -213,6 +213,20 @@ function testDocApi() {
|
||||
await assert.isFulfilled(kiwiApi.deleteDoc(doc1));
|
||||
});
|
||||
|
||||
it("should allow only owners to rename a document", async () => {
|
||||
const ws1 = (await userApi.getOrgWorkspaces('current'))[0].id;
|
||||
const doc1 = await userApi.newDoc({name: 'testrenameme1'}, ws1);
|
||||
const kiwiApi = makeUserApi(ORG_NAME, 'kiwi');
|
||||
|
||||
// Kiwi is editor of the document, so he can't rename it.
|
||||
await userApi.updateDocPermissions(doc1, {users: {'kiwi@getgrist.com': 'editors'}});
|
||||
await assert.isRejected(kiwiApi.renameDoc(doc1, "testrenameme2"), /Forbidden/);
|
||||
|
||||
// Kiwi is owner of the document - now he can rename it.
|
||||
await userApi.updateDocPermissions(doc1, {users: {'kiwi@getgrist.com': 'owners'}});
|
||||
await assert.isFulfilled(kiwiApi.renameDoc(doc1, "testrenameme2"));
|
||||
});
|
||||
|
||||
it("guesses types of new columns", async () => {
|
||||
const userActions = [
|
||||
['AddTable', 'GuessTypes', []],
|
||||
|
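Review bot: The new test asserts that the editor's `renameDoc` call is rejected with `/Forbidden/`, but it never checks that the document name was left unchanged, so a handler that wrote the name before failing the permission check would still pass. After the `isRejected` line I would add `assert.equal((await userApi.getDoc(doc1)).name, 'testrenameme1');`, and after the owner's rename the same check against `'testrenameme2'` (this assumes `getDoc` returns the document metadata; use whichever accessor the suite already relies on). Only the editor and owner roles are exercised here, so a viewer case would be worth adding to pin the lower bound of the access check as well.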