MuckRock / documentcloud-frontend

DocumentCloud's front end source code - Please report bugs, issues and feature requests to info@documentcloud.org
https://www.documentcloud.org
GNU Affero General Public License v3.0

Add permission checks for writable routes #510

Closed eyeseast closed 1 week ago

eyeseast commented 5 months ago

What routes should only be accessible if you're logged in? Or should we have a fallback view that tells you what to do?

Lots of things are either disabled or just not visible to anonymous users.

eyeseast commented 4 months ago

For writable routes, I think it makes sense to just redirect back to the document. This might end up as a 404 if the document is private, but that's fine. It's also possible it'll be a 404 already, because we load the document in the layout.

Just confirmed: all the sub-document routes (modify, redact, annotate) will 404 if the user can't see the document, so that's done.

eyeseast commented 2 months ago

Routes that need edit_access permission:

eyeseast commented 1 week ago

Add-on dispatch throws a 500 right now: https://next.www.documentcloud.org/add-ons/MuckRock/documentcloud-regex-addon/

This needs to be linkable for anonymous users, but shouldn't dispatch, obviously.
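
The behaviour discussed in this thread, sketched as an added example that is not part of the issue or the project's own code. The function names, the `READ_ONLY_ACTIONS` list, the `/documents/<id>-<slug>/` URL shape and the 401 for anonymous dispatch are assumptions; only `edit_access` and the modify/redact/annotate routes come from the comments above.

```javascript
// Hypothetical route guards (names and shapes are assumptions, not project code).
// `doc` is whatever the layout loaded, or null when the API hid the document.

// Assumption: only plain viewing is read-only. Anything else (modify, redact,
// annotate, or a route added later) is treated as writable, so new routes
// fail closed instead of being open by accident.
const READ_ONLY_ACTIONS = new Set(["view"]);

function guardDocumentRoute({ doc, action }) {
  // The user cannot see the document at all: same 404 as a missing document,
  // so private documents are not revealed by a different status code.
  if (!doc) return { status: 404 };

  if (READ_ONLY_ACTIONS.has(action)) return { status: 200 };

  // Writable sub-route without edit access: redirect back to the document.
  // The target is built from server-side data, never from a query parameter,
  // so the guard cannot be turned into an open redirect.
  if (doc.edit_access !== true) {
    return { status: 302, location: `/documents/${doc.id}-${doc.slug}/` };
  }
  return { status: 200 };
}

function guardAddonRequest({ method, user }) {
  // The add-on page stays linkable for anonymous visitors; the flag lets the
  // page hide or disable its dispatch control.
  if (method === "GET") return { status: 200, canDispatch: Boolean(user) };

  // Dispatch is a write: answer anonymous callers with an explicit 401
  // instead of letting the request fail later as a 500.
  if (!user) return { status: 401 };
  return { status: 200, canDispatch: true };
}

// Constructed sample data for a stand-alone run.
const sampleDoc = { id: 1, slug: "report", edit_access: false };
console.log(guardDocumentRoute({ doc: sampleDoc, action: "redact" }));
console.log(guardAddonRequest({ method: "POST", user: null }));
```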