Allow non space creators to manage space settings

Fixes #337

domain/permission/permission.go

@@ -147,6 +147,26 @@ func CanUploadDocument(ctx domain.RequestContext, s store.Store, spaceID string)
 	return false
 }
 
+// CanManageSpace returns if the user has permission to manage the given space.
+func CanManageSpace(ctx domain.RequestContext, s store.Store, spaceID string) bool {
+	roles, err := s.Permission.GetUserSpacePermissions(ctx, spaceID)
+	if err == sql.ErrNoRows {
+		err = nil
+	}
+	if err != nil {
+		return false
+	}
+	for _, role := range roles {
+		if role.RefID == spaceID && role.Location == pm.LocationSpace && role.Scope == pm.ScopeRow &&
+			pm.ContainsPermission(role.Action, pm.SpaceManage, pm.SpaceOwner) {
+			return true
+		}
+	}
+
+	return false
+}
+
+
 // CanViewSpace returns if the user has permission to view the given spaceID.
 func CanViewSpace(ctx domain.RequestContext, s store.Store, spaceID string) bool {
 	roles, err := s.Permission.GetUserSpacePermissions(ctx, spaceID)

domain/space/endpoint.go

@@ -487,11 +487,6 @@ func (h *Handler) Update(w http.ResponseWriter, r *http.Request) {
 	method := "space.update"
 	ctx := domain.GetRequestContext(r)
 
-	if !ctx.Editor {
-		response.WriteForbiddenError(w)
-		return
-	}
-
 	spaceID := request.Param(r, "spaceID")
 	if len(spaceID) == 0 {
 		response.WriteMissingDataError(w, method, "spaceID")
@@ -522,6 +517,13 @@ func (h *Handler) Update(w http.ResponseWriter, r *http.Request) {
 
 	sp.RefID = spaceID
 
+	// Check permissions (either Documize admin OR space owner/manager).
+	canManage := perm.CanViewSpace(ctx, *h.Store, spaceID)
+	if !canManage && !ctx.Administrator {
+		response.WriteForbiddenError(w)
+		return
+	}
+
 	// Retreive previous record for comparison later.
 	prev, err := h.Store.Space.Get(ctx, spaceID)
 	if err != nil {