🐛 Fix allow change team image for editor role users

2025-03-21 04:01:24 -05:00 · 2023-03-29 11:42:31 +02:00 · 2023-03-29 11:42:31 +02:00 · f05f527336
commit f05f527336
parent fa4c7a1eb7
3 changed files with 36 additions and 15 deletions
--- a/backend/src/app/rpc/commands/teams.clj
+++ b/backend/src/app/rpc/commands/teams.clj
@ -62,12 +62,18 @@
        :can-edit (or is-owner is-admin can-edit)
        :can-read true})))

+(def has-admin-permissions?
+  (perms/make-admin-predicate-fn get-permissions))
+
 (def has-edit-permissions?
  (perms/make-edition-predicate-fn get-permissions))

 (def has-read-permissions?
  (perms/make-read-predicate-fn get-permissions))

+(def check-admin-permissions!
+  (perms/make-check-fn has-admin-permissions?))
+
 (def check-edition-permissions!
  (perms/make-check-fn has-edit-permissions?))

@ -593,18 +599,19 @@
                  (retrieve-team pool profile-id team-id))
          photo (profile/upload-photo cfg params)]

-    ;; Mark object as touched for make it ellegible for tentative
-    ;; garbage collection.
-    (when-let [id (:photo-id team)]
-      (sto/touch-object! storage id))
+    (db/with-atomic [conn pool]
+      (check-admin-permissions! conn profile-id team-id)
+      ;; Mark object as touched for make it ellegible for tentative
+      ;; garbage collection.
+      (when-let [id (:photo-id team)]
+        (sto/touch-object! storage id))

-    ;; Save new photo
-    (db/update! pool :team
-                {:photo-id (:id photo)}
-                {:id team-id})
-
-    (assoc team :photo-id (:id photo))))
+      ;; Save new photo
+      (db/update! pool :team
+        {:photo-id (:id photo)}
+        {:id team-id})

+      (assoc team :photo-id (:id photo)))))

 ;; --- Mutation: Create Team Invitation

--- a/backend/src/app/rpc/permissions.clj
+++ b/backend/src/app/rpc/permissions.clj
@ -37,6 +37,14 @@
           :is-admin false
           :can-edit false)))

+(defn make-admin-predicate-fn
+  "A simple factory for admin permission predicate functions."
+  [qfn]
+  (us/assert fn? qfn)
+  (fn check
+    ([perms] (:is-admin perms))
+    ([conn & args] (check (apply qfn conn args)))))
+
 (defn make-edition-predicate-fn
  "A simple factory for edition permission predicate functions."
  [qfn]
--- a/frontend/src/app/main/ui/dashboard/team.cljs
+++ b/frontend/src/app/main/ui/dashboard/team.cljs
@ -900,6 +900,10 @@

        stats       (mf/deref refs/dashboard-team-stats)

+        you-owner?  (get-in team [:permissions :is-owner])
+        you-admin?  (get-in team [:permissions :is-admin])
+        can-edit?   (or you-owner? you-admin?)
+
        on-image-click
        (mf/use-callback #(dom/click (mf/ref-val finput)))

@ -931,12 +935,14 @@
         [:div.label (tr "dashboard.team-info")]
         [:div.name (:name team)]
         [:div.icon
-          [:span.update-overlay {:on-click on-image-click} i/image]
+          (when can-edit?
+            [:span.update-overlay {:on-click on-image-click} i/image])
          [:img {:src (cfg/resolve-team-photo-url team)}]
-          [:& file-uploader {:accept "image/jpeg,image/png"
-                             :multi false
-                             :ref finput
-                             :on-selected on-file-selected}]]]
+          (when can-edit?
+            [:& file-uploader {:accept "image/jpeg,image/png"
+                               :multi false
+                               :ref finput
+                               :on-selected on-file-selected}])]]

        [:div.block.owner-block
         [:div.label (tr "dashboard.team-members")]