feature: New user-specific readOnly and canCreate settings (#4370)

Also: * Group the tests for readability. * Factor out some common test setup.
2025-04-22 08:26:16 -04:00 · 2020-09-28 06:22:06 -04:00 · 2020-09-28 06:22:06 -04:00 · bf9d613e95
commit bf9d613e95
parent 7bd5435f50
6 changed files with 260 additions and 155 deletions
--- a/src/node/hooks/express/webaccess.js
+++ b/src/node/hooks/express/webaccess.js
@ -30,6 +30,7 @@ exports.userCanModify = (padId, req) => {
  if (!settings.requireAuthentication) return true;
  const {session: {user} = {}} = req;
  assert(user); // If authn required and user == null, the request should have already been denied.
+  if (user.readOnly) return false;
  assert(user.padAuthorizations); // This is populated even if !settings.requireAuthorization.
  const level = exports.normalizeAuthzLevel(user.padAuthorizations[padId]);
  assert(level); // If !level, the request should have already been denied.