diff --git a/app/gen-server/lib/HomeDBManager.ts b/app/gen-server/lib/HomeDBManager.ts
index 7355e7f2..f737350b 100644
--- a/app/gen-server/lib/HomeDBManager.ts
+++ b/app/gen-server/lib/HomeDBManager.ts
@@ -1833,17 +1833,19 @@ export class HomeDBManager extends EventEmitter {
 });
 }
- // Checks that the user has UPDATE permissions to the given doc. If not, throws an
+ // Checks that the user has SCHEMA_EDIT permissions to the given doc. If not, throws an
 // error. Otherwise updates the given doc with the given name. Returns an empty
 // query result with status 200 on success.
 // NOTE: This does not update the updateAt date indicating the last modified time of the doc.
 // We may want to make it do so.
 public async updateDocument(scope: DocScope, props: Partial): Promise> {
+
+ const markPermissions = Permissions.SCHEMA_EDIT;
 return await this._connection.transaction(async manager => {
 const docQuery = this._doc(scope, {
 manager,
- markPermissions: Permissions.UPDATE
+ markPermissions
 });
 const queryResult = await verifyIsPermitted(docQuery);
diff --git a/test/server/lib/DocApi.ts b/test/server/lib/DocApi.ts
index e14e8e9e..68a4df82 100644
--- a/test/server/lib/DocApi.ts
+++ b/test/server/lib/DocApi.ts
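Review bot: In `updateDocument` (HomeDBManager.ts) the required permission is now fixed for the whole call at `const markPermissions = Permissions.SCHEMA_EDIT;`, so every field carried in `props` is gated by it, while the comment above still describes only a rename ("updates the given doc with the given name"). The body continues past the hunk, so which fields of `props` are applied is not visible here; if there are others, callers that used to pass with UPDATE will now be refused, and the comment should state that this is intended, e.g. `// Requires SCHEMA_EDIT for every property in props, not only the name.` The hoisted local and the blank line after the signature add nothing over writing `markPermissions: Permissions.SCHEMA_EDIT` inline, unless a per-field choice is planned.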
@@ -213,6 +213,20 @@ function testDocApi() {
 await assert.isFulfilled(kiwiApi.deleteDoc(doc1));
 });
+ it("should allow only owners to rename a document", async () => {
+ const ws1 = (await userApi.getOrgWorkspaces('current'))[0].id;
+ const doc1 = await userApi.newDoc({name: 'testrenameme1'}, ws1);
+ const kiwiApi = makeUserApi(ORG_NAME, 'kiwi');
+
+ // Kiwi is editor of the document, so he can't rename it.
+ await userApi.updateDocPermissions(doc1, {users: {'kiwi@getgrist.com': 'editors'}});
+ await assert.isRejected(kiwiApi.renameDoc(doc1, "testrenameme2"), /Forbidden/);
+
+ // Kiwi is owner of the document - now he can rename it.
+ await userApi.updateDocPermissions(doc1, {users: {'kiwi@getgrist.com': 'owners'}});
+ await assert.isFulfilled(kiwiApi.renameDoc(doc1, "testrenameme2"));
+ });
+
 it("guesses types of new columns", async () => {
 const userActions = [
 ['AddTable', 'GuessTypes', []],
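Review bot: The test name promises "only owners", but the body exercises a single non-owner role, editors; a viewer is never checked. Adding `await userApi.updateDocPermissions(doc1, {users: {'kiwi@getgrist.com': 'viewers'}});` followed by the same `assert.isRejected(kiwiApi.renameDoc(doc1, "testrenameme2"), /Forbidden/)` would cover that case. Both rename calls also use the same target name and the document is never read back, so the test would not notice a rejected call that had still changed the name; reading the document after the rejection and asserting it is still named `testrenameme1` closes that gap.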