From fa75c93d67f713d3c6b60bafb1390b8a7140d584 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaros=C5=82aw=20Sadzi=C5=84ski?=
Date: Mon, 19 Dec 2022 11:37:21 +0100
Subject: [PATCH] (core) Only owners should be able to rename a document.

Summary:
Checking SCHEMA_EDIT permission when user wants to update document's name.

Test Plan: New test

Reviewers: paulfitz

Reviewed By: paulfitz

Differential Revision: https://phab.getgrist.com/D3733
---
 app/gen-server/lib/HomeDBManager.ts | 6 ++++--
 test/server/lib/DocApi.ts | 14 ++++++++++++++
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/app/gen-server/lib/HomeDBManager.ts b/app/gen-server/lib/HomeDBManager.ts
index 7355e7f2..f737350b 100644
--- a/app/gen-server/lib/HomeDBManager.ts
+++ b/app/gen-server/lib/HomeDBManager.ts
@@ -1833,17 +1833,19 @@ export class HomeDBManager extends EventEmitter {
     });
   }
 
-  // Checks that the user has UPDATE permissions to the given doc. If not, throws an
+  // Checks that the user has SCHEMA_EDIT permissions to the given doc. If not, throws an
   // error. Otherwise updates the given doc with the given name. Returns an empty
   // query result with status 200 on success.
   // NOTE: This does not update the updateAt date indicating the last modified time of the doc.
   // We may want to make it do so.
   public async updateDocument(scope: DocScope, props: Partial): Promise> {
+
+    const markPermissions = Permissions.SCHEMA_EDIT;
     return await this._connection.transaction(async manager => {
       const docQuery = this._doc(scope, {
         manager,
-        markPermissions: Permissions.UPDATE
+        markPermissions
       });
 
       const queryResult = await verifyIsPermitted(docQuery);
 
diff --git a/test/server/lib/DocApi.ts b/test/server/lib/DocApi.ts
index e14e8e9e..68a4df82 100644
--- a/test/server/lib/DocApi.ts
+++ b/test/server/lib/DocApi.ts
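Review bot: The stricter SCHEMA_EDIT gate now applies to every field that `props` can carry through `updateDocument`, not only to a rename, while the comment above the method still describes it as updating "the given doc with the given name"; if gating all property updates at owner level is intended, the comment should say so, e.g. `// SCHEMA_EDIT (owner-level) is required for any property change made through this method, not only for renames.`, and if it is not, the check should depend on which fields are present. As a point of style, `const markPermissions = Permissions.SCHEMA_EDIT;` is only an alias for the value handed to `_doc`, and it is preceded by an empty line at the top of the method body; writing `markPermissions: Permissions.SCHEMA_EDIT` inline, as the removed line did with UPDATE, keeps the body shorter. The body of updateDocument continues past the end of the hunk.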
@@ -213,6 +213,20 @@ function testDocApi() {
     await assert.isFulfilled(kiwiApi.deleteDoc(doc1));
   });
 
+  it("should allow only owners to rename a document", async () => {
+    const ws1 = (await userApi.getOrgWorkspaces('current'))[0].id;
+    const doc1 = await userApi.newDoc({name: 'testrenameme1'}, ws1);
+    const kiwiApi = makeUserApi(ORG_NAME, 'kiwi');
+
+    // Kiwi is editor of the document, so he can't rename it.
+    await userApi.updateDocPermissions(doc1, {users: {'kiwi@getgrist.com': 'editors'}});
+    await assert.isRejected(kiwiApi.renameDoc(doc1, "testrenameme2"), /Forbidden/);
+
+    // Kiwi is owner of the document - now he can rename it.
+    await userApi.updateDocPermissions(doc1, {users: {'kiwi@getgrist.com': 'owners'}});
+    await assert.isFulfilled(kiwiApi.renameDoc(doc1, "testrenameme2"));
+  });
+
   it("guesses types of new columns", async () => {
     const userActions = [
       ['AddTable', 'GuessTypes', []],
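Review bot: The rejected rename is never checked for side effects: after the `assert.isRejected(...)` line the test should confirm the name is still 'testrenameme1' (e.g. by reading the document back through `userApi.getDoc(doc1)`), so a permission failure raised after the write would still fail the test. The document created here is also never removed, unlike the preceding test which ends with `kiwiApi.deleteDoc(doc1)`; add `await userApi.deleteDoc(doc1);` at the end of the `it` block so the workspace does not accumulate leftover docs across runs. Only the editor and owner roles are exercised, so a viewer-level user with no rename rights is not covered by the name "only owners"; a third `updateDocPermissions` step with 'viewers' and an `isRejected` assertion would close that gap.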