diff --git a/domain/permission/permission.go b/domain/permission/permission.go
index ada289d8..e10bfc9a 100644
--- a/domain/permission/permission.go
+++ b/domain/permission/permission.go
@@ -147,6 +147,26 @@ func CanUploadDocument(ctx domain.RequestContext, s store.Store, spaceID string)
 	return false
 }
 
+// CanManageSpace returns if the user has permission to manage the given space.
+func CanManageSpace(ctx domain.RequestContext, s store.Store, spaceID string) bool {
+	roles, err := s.Permission.GetUserSpacePermissions(ctx, spaceID)
+	if err == sql.ErrNoRows {
+		err = nil
+	}
+	if err != nil {
+		return false
+	}
+	for _, role := range roles {
+		if role.RefID == spaceID && role.Location == pm.LocationSpace && role.Scope == pm.ScopeRow &&
+			pm.ContainsPermission(role.Action, pm.SpaceManage, pm.SpaceOwner) {
+			return true
+		}
+	}
+
+	return false
+}
+
+
 // CanViewSpace returns if the user has permission to view the given spaceID.
 func CanViewSpace(ctx domain.RequestContext, s store.Store, spaceID string) bool {
 	roles, err := s.Permission.GetUserSpacePermissions(ctx, spaceID)
diff --git a/domain/space/endpoint.go b/domain/space/endpoint.go
index 35b4eced..eba9a218 100644
--- a/domain/space/endpoint.go
+++ b/domain/space/endpoint.go
@@ -487,11 +487,6 @@ func (h *Handler) Update(w http.ResponseWriter, r *http.Request) {
 	method := "space.update"
 	ctx := domain.GetRequestContext(r)
 
-	if !ctx.Editor {
-		response.WriteForbiddenError(w)
-		return
-	}
-
 	spaceID := request.Param(r, "spaceID")
 	if len(spaceID) == 0 {
 		response.WriteMissingDataError(w, method, "spaceID")
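Review bot: The `sql.ErrNoRows` special case in CanManageSpace is effectively dead: clearing `err` and then ranging over an empty `roles` ends at the final `return false`, which is the same outcome as the `err != nil` branch (assuming the store returns no roles alongside ErrNoRows), so `if err != nil { return false }` alone expresses the intent, and if the distinction is meant to matter later a comment saying why would help. The two added blank lines before `// CanViewSpace` are not gofmt-clean and will be collapsed on the next format. Go doc convention for a boolean predicate would read `// CanManageSpace reports whether the user holds owner or manager permission on the space identified by spaceID.`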
@@ -522,6 +517,13 @@ func (h *Handler) Update(w http.ResponseWriter, r *http.Request) {
 
 	sp.RefID = spaceID
 
+	// Check permissions (either Documize admin OR space owner/manager).
+	canManage := perm.CanViewSpace(ctx, *h.Store, spaceID)
+	if !canManage && !ctx.Administrator {
+		response.WriteForbiddenError(w)
+		return
+	}
+
 	// Retreive previous record for comparison later.
 	prev, err := h.Store.Space.Get(ctx, spaceID)
 	if err != nil {
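Review bot: The authorization gate calls `perm.CanViewSpace`, although the variable `canManage`, the comment and the CanManageSpace helper added to permission.go in this same commit all indicate the check is meant to be for manage permission; as written, any user who can view the space passes and may update it, and because the earlier hunk in this file removed the `ctx.Editor` gate, that now includes read-only viewers. The line should be `canManage := perm.CanManageSpace(ctx, *h.Store, spaceID)`. The guard also appears to sit after the request body has been decoded into `sp` (that code is outside the hunk), so an unauthorized caller still has its payload parsed; moving it up beside the spaceID validation would fail closed earlier. Update begins and ends outside this hunk.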