(core) Only owners should be able to rename a document.
Summary: Check the SCHEMA_EDIT permission when a user wants to update a document's name. Test Plan: New test Reviewers: paulfitz Reviewed By: paulfitz Differential Revision: https://phab.getgrist.com/D3733
parent
620e86a9f1
commit
fa75c93d67
@ -1833,17 +1833,19 @@ export class HomeDBManager extends EventEmitter {
|
|||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
// Checks that the user has UPDATE permissions to the given doc. If not, throws an
|
// Checks that the user has SCHEMA_EDIT permissions to the given doc. If not, throws an
|
||||||
// error. Otherwise updates the given doc with the given name. Returns an empty
|
// error. Otherwise updates the given doc with the given name. Returns an empty
|
||||||
// query result with status 200 on success.
|
// query result with status 200 on success.
|
||||||
// NOTE: This does not update the updateAt date indicating the last modified time of the doc.
|
// NOTE: This does not update the updateAt date indicating the last modified time of the doc.
|
||||||
// We may want to make it do so.
|
// We may want to make it do so.
|
||||||
public async updateDocument(scope: DocScope,
|
public async updateDocument(scope: DocScope,
|
||||||
props: Partial<DocumentProperties>): Promise<QueryResult<number>> {
|
props: Partial<DocumentProperties>): Promise<QueryResult<number>> {
|
||||||
|
|
||||||
|
const markPermissions = Permissions.SCHEMA_EDIT;
|
||||||
return await this._connection.transaction(async manager => {
|
return await this._connection.transaction(async manager => {
|
||||||
const docQuery = this._doc(scope, {
|
const docQuery = this._doc(scope, {
|
||||||
manager,
|
manager,
|
||||||
markPermissions: Permissions.UPDATE
|
markPermissions
|
||||||
});
|
});
|
||||||
|
|
||||||
const queryResult = await verifyIsPermitted(docQuery);
|
const queryResult = await verifyIsPermitted(docQuery);
|
||||||
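Review bot: The header comment above `updateDocument` still describes a rename only, but the parameter is `props: Partial<DocumentProperties>`, so the switch to `Permissions.SCHEMA_EDIT` gates whatever properties the rest of the body writes. That body continues outside this hunk, so the wider effect is inferred rather than visible here. If the wider restriction is intended, state it in the comment, e.g. `// Requires SCHEMA_EDIT (held by owners, not editors) for every property in props, not only the name.` If only renaming should be owner-only, the check should branch on `props.name !== undefined` and keep `Permissions.UPDATE` for the other properties. The single-use `markPermissions` local could also be written inline as `markPermissions: Permissions.SCHEMA_EDIT`.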
|
@ -213,6 +213,20 @@ function testDocApi() {
|
|||||||
await assert.isFulfilled(kiwiApi.deleteDoc(doc1));
|
await assert.isFulfilled(kiwiApi.deleteDoc(doc1));
|
||||||
});
|
});
|
||||||
|
|
||||||
|
it("should allow only owners to rename a document", async () => {
|
||||||
|
const ws1 = (await userApi.getOrgWorkspaces('current'))[0].id;
|
||||||
|
const doc1 = await userApi.newDoc({name: 'testrenameme1'}, ws1);
|
||||||
|
const kiwiApi = makeUserApi(ORG_NAME, 'kiwi');
|
||||||
|
|
||||||
|
// Kiwi is editor of the document, so he can't rename it.
|
||||||
|
await userApi.updateDocPermissions(doc1, {users: {'kiwi@getgrist.com': 'editors'}});
|
||||||
|
await assert.isRejected(kiwiApi.renameDoc(doc1, "testrenameme2"), /Forbidden/);
|
||||||
|
|
||||||
|
// Kiwi is owner of the document - now he can rename it.
|
||||||
|
await userApi.updateDocPermissions(doc1, {users: {'kiwi@getgrist.com': 'owners'}});
|
||||||
|
await assert.isFulfilled(kiwiApi.renameDoc(doc1, "testrenameme2"));
|
||||||
|
});
|
||||||
|
|
||||||
it("guesses types of new columns", async () => {
|
it("guesses types of new columns", async () => {
|
||||||
const userActions = [
|
const userActions = [
|
||||||
['AddTable', 'GuessTypes', []],
|
['AddTable', 'GuessTypes', []],
|
||||||
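Review bot: The new test checks only that `renameDoc` is rejected or fulfilled, not the state it leaves behind. After the `/Forbidden/` rejection it should read the document back and assert the name is still `testrenameme1`, and after the owner's call that it is `testrenameme2`, so that a rejected request which nevertheless wrote the name would be caught. A case for a user with less access than an editor is missing and should also expect a rejection. The document is never removed, unlike the preceding test which ends with `deleteDoc(doc1)`, and kiwi is left as an owner; adding `await userApi.deleteDoc(doc1);` as the last statement keeps later cases from inheriting that access.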
|