Open AntoineDao opened 4 years ago
It's covering the case when A opens B's file with B's sender/receiver client in there, but A's account.
Reasoning goes like: if A can already access B's file, he should be able to edit the client and set it online/offline (what that endpoint is mostly used for). If he shouldn't be able to, there are some bigger structural issues there (i.e., A stealing B's files from the network drive or something).
Open to different ways of doing things, but it would mean some client rewriting...
I'm doing some rewriting and was wondering why when we update a client we only check if the user can write to the stream? Shouldn't we check that the user can write to the client instead?
https://github.com/speckleworks/SpeckleServer/blob/c544a3404f41d266d660579513f685b1cad70bd9/app/api/clients/ClientPut.js#L17
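
The two checks discussed in this thread, side by side, as an added example that is not SpeckleServer's code. The record shapes (`owner`, `canWrite`, `streamId`, `online`, `role`), the user ids and every function name are assumptions made for illustration; `authorizeScoped` is one hypothetical way to keep the online/offline toggle for stream writers while requiring write access on the client for anything else.

```javascript
// Constructed sample data: user B owns both records, user A can write to the stream only.
const stream = { streamId: 's1', owner: 'userB', canWrite: ['userA'] };
const client = { _id: 'c1', owner: 'userB', canWrite: [], streamId: 's1',
                 online: true, role: 'Receiver' };

// True when the user owns the resource or is listed as a writer on it.
function canWrite(resource, userId) {
  return resource.owner === userId || resource.canWrite.includes(userId);
}

// Check raised in the question: only the stream's permissions are consulted.
function authorizeByStream(userId, client, stream, patch) {
  return canWrite(stream, userId);
}

// Object-level check: the client record's own permissions are consulted.
function authorizeByClient(userId, client, stream, patch) {
  return canWrite(client, userId);
}

// Hypothetical middle ground: a stream writer may change `online` and nothing else.
function authorizeScoped(userId, client, stream, patch) {
  if (canWrite(client, userId)) return true;
  const fields = Object.keys(patch);
  const onlyOnline = fields.length > 0 && fields.every((f) => f === 'online');
  return onlyOnline && canWrite(stream, userId);
}

// Apply the patch only when the chosen policy allows it; never mutates the input.
function updateClient(policy, userId, client, stream, patch) {
  if (!policy(userId, client, stream, patch)) return { status: 403, client };
  return { status: 200, client: { ...client, ...patch } };
}

// User A edits a field other than `online` on user B's client.
const byStream = updateClient(authorizeByStream, 'userA', client, stream, { role: 'Sender' });
const byClient = updateClient(authorizeByClient, 'userA', client, stream, { role: 'Sender' });
const toggle = updateClient(authorizeScoped, 'userA', client, stream, { online: false });
console.log(byStream.status, byClient.status, toggle.status);
```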