Enable viewers to upload attachments for documents in collections where they have edit permission (#4468)

server/routes/api/attachments.ts

@@ -40,10 +40,15 @@ router.post(
     assertPresent(name, "name is required");
     assertPresent(size, "size is required");
 
-    // Public attachments are only used for avatars, so this is loosely coupled –
-    // all user types can upload an avatar so no additional authorization is needed.
+    // All user types can upload an avatar so no additional authorization is needed.
     if (preset === AttachmentPreset.Avatar) {
       assertIn(contentType, AttachmentValidation.avatarContentTypes);
+    } else if (preset === AttachmentPreset.DocumentAttachment && documentId) {
+      assertUuid(documentId, "documentId must be a uuid");
+      const document = await Document.findByPk(documentId, {
+        userId: user.id,
+      });
+      authorize(user, "update", document);
     } else {
       authorize(user, "createAttachment", user.team);
     }
@@ -58,14 +63,6 @@ router.post(
       );
     }
 
-    if (documentId !== undefined) {
-      assertUuid(documentId, "documentId must be a uuid");
-      const document = await Document.findByPk(documentId, {
-        userId: user.id,
-      });
-      authorize(user, "update", document);
-    }
-
     const modelId = uuidv4();
     const acl = AttachmentHelper.presetToAcl(preset);
     const key = AttachmentHelper.getKey({