(core) Only owners should be able to rename a document.

Summary:
Check the SCHEMA_EDIT permission when a user wants to
update a document's name.

Test Plan: New test

Reviewers: paulfitz

Reviewed By: paulfitz

Differential Revision: https://phab.getgrist.com/D3733
Jarosław Sadziński 2022-12-19 11:37:21 +01:00
parent 620e86a9f1
commit fa75c93d67
2 changed files with 18 additions and 2 deletions


@ -1833,17 +1833,19 @@ export class HomeDBManager extends EventEmitter {
}); });
} }
// Checks that the user has UPDATE permissions to the given doc. If not, throws an // Checks that the user has SCHEMA_EDIT permissions to the given doc. If not, throws an
// error. Otherwise updates the given doc with the given name. Returns an empty // error. Otherwise updates the given doc with the given name. Returns an empty
// query result with status 200 on success. // query result with status 200 on success.
// NOTE: This does not update the updateAt date indicating the last modified time of the doc. // NOTE: This does not update the updateAt date indicating the last modified time of the doc.
// We may want to make it do so. // We may want to make it do so.
public async updateDocument(scope: DocScope, public async updateDocument(scope: DocScope,
props: Partial<DocumentProperties>): Promise<QueryResult<number>> { props: Partial<DocumentProperties>): Promise<QueryResult<number>> {
const markPermissions = Permissions.SCHEMA_EDIT;
return await this._connection.transaction(async manager => { return await this._connection.transaction(async manager => {
const docQuery = this._doc(scope, { const docQuery = this._doc(scope, {
manager, manager,
markPermissions: Permissions.UPDATE markPermissions
}); });
const queryResult = await verifyIsPermitted(docQuery); const queryResult = await verifyIsPermitted(docQuery);
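Review bot: The doc comment above `updateDocument` still describes a rename only ("updates the given doc with the given name"), but `props` is `Partial<DocumentProperties>`, so the new `Permissions.SCHEMA_EDIT` requirement applies to every property that reaches this method, not just `name`. If that is intended, the comment should say so, e.g. `// Any change to document properties (name included) requires SCHEMA_EDIT, which is expected to be held by owners only.`; if some properties should remain editable with UPDATE, the permission would need to be chosen per property. The commit title promises an owner-only check while the code tests a permission bit, so the comment should also point to where that role-to-permission mapping is defined. The method body continues past the end of the hunk, so which properties are actually written is not visible here.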


@ -213,6 +213,20 @@ function testDocApi() {
await assert.isFulfilled(kiwiApi.deleteDoc(doc1)); await assert.isFulfilled(kiwiApi.deleteDoc(doc1));
}); });
it("should allow only owners to rename a document", async () => {
const ws1 = (await userApi.getOrgWorkspaces('current'))[0].id;
const doc1 = await userApi.newDoc({name: 'testrenameme1'}, ws1);
const kiwiApi = makeUserApi(ORG_NAME, 'kiwi');
// Kiwi is editor of the document, so he can't rename it.
await userApi.updateDocPermissions(doc1, {users: {'kiwi@getgrist.com': 'editors'}});
await assert.isRejected(kiwiApi.renameDoc(doc1, "testrenameme2"), /Forbidden/);
// Kiwi is owner of the document - now he can rename it.
await userApi.updateDocPermissions(doc1, {users: {'kiwi@getgrist.com': 'owners'}});
await assert.isFulfilled(kiwiApi.renameDoc(doc1, "testrenameme2"));
});
it("guesses types of new columns", async () => { it("guesses types of new columns", async () => {
const userActions = [ const userActions = [
['AddTable', 'GuessTypes', []], ['AddTable', 'GuessTypes', []],
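Review bot: The new test checks only that the editor's `renameDoc` call is rejected, not that the name was left untouched, and both calls use the same target name `testrenameme2`, so a rename that is applied before the error is raised would go unnoticed. After the rejected call, add `assert.equal((await userApi.getDoc(doc1)).name, 'testrenameme1');`, and assert `testrenameme2` after the owner's call. A viewer case is not covered either. The document is also not deleted at the end of the test, unlike the preceding test, which ends with `deleteDoc(doc1)`.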