fix(versionsource): "delegate" permission check to api (#179)

kptdobe · web-flow · commit 04b17f2ccce3 · 2025-10-03T11:29:15.000-06:00
diff --git a/src/utils/auth.js b/src/utils/auth.js
@@ -297,7 +297,7 @@ export async function getAclCtx(env, org, users, key, api) {
   // Expose the action trace or not?
   actionTrace = users.every((u) => aclTrace.includes(u.email)) ? actionTrace : undefined;
 
-  if (k === 'CONFIG') {
+  if (k === 'CONFIG' || api === 'versionsource') {
     actionSet.add('read');
   }
 
diff --git a/test/utils/auth.test.js b/test/utils/auth.test.js
@@ -302,7 +302,20 @@ describe('DA auth', () => {
       const users = [{email: "blah@foo.org"}];
       const aclCtx = await getAclCtx(env2, 'test', users, '/', 'config');
       assert(aclCtx.actionSet.has('read'));
-    })
+    });
+
+    it('test versionsource api always has read permission', async () => {
+      const users = [{email: "blah@foo.org"}];
+      const aclCtx = await getAclCtx(env2, 'test', users, '/', 'versionsource');
+      assert(aclCtx.actionSet.has('read'));
+    });
+
+    it('test versionsource api grants read permission even without explicit permissions', async () => {
+      const users = [{email: "unauthorized@example.com"}];
+      const aclCtx = await getAclCtx(env2, 'test', users, '/restricted', 'versionsource');
+      assert(aclCtx.actionSet.has('read'));
+      assert(!aclCtx.actionSet.has('write'));
+    });
   });
 
   describe('persmissions single sheet', () => {

Original file line number	Diff line number	Diff line change
`@@ -297,7 +297,7 @@ export async function getAclCtx(env, org, users, key, api) {`
`297`	`297`	`// Expose the action trace or not?`
`298`	`298`	`actionTrace = users.every((u) => aclTrace.includes(u.email)) ? actionTrace : undefined;`
`299`	`299`
`300`		`- if (k === 'CONFIG') {`
	`300`	`+ if (k === 'CONFIG' \|\| api === 'versionsource') {`
`301`	`301`	`actionSet.add('read');`
`302`	`302`	`}`
`303`	`303`