Remove comment for guests with read-only permissions

2024-04-01 20:51:13 -04:00
parent 1af25db60e
commit e9df3db1ef
1 changed files with 5 additions and 2 deletions
--- a/server/policies/document.ts
+++ b/server/policies/document.ts
@@ -53,8 +53,11 @@ allow(User, "download", Document, (actor, document) =>

 allow(User, "comment", Document, (actor, document) =>
  and(
-    //
-    can(actor, "read", document),
+    // TODO: We'll introduce a separate permission for commenting
+    or(
+      and(can(actor, "read", document), !actor.isGuest),
+      and(can(actor, "update", document), actor.isGuest)
+    ),
    isTeamMutable(actor),
    !!document?.isActive,
    !document?.template