diff --git a/backend/src/app/rpc/commands/files_thumbnails.clj b/backend/src/app/rpc/commands/files_thumbnails.clj
index 0e318645d4..e4442ded40 100644
--- a/backend/src/app/rpc/commands/files_thumbnails.clj
+++ b/backend/src/app/rpc/commands/files_thumbnails.clj
@@ -409,10 +409,7 @@
 [cfg {:keys [::rpc/profile-id file-id] :as params}]
 (db/tx-run! cfg
 (fn [{:keys [::db/conn] :as cfg}]
- ;; TODO For now we check read permissions instead of write,
- ;; to allow viewer users to update thumbnails. We might
- ;; review this approach on the future.
- (files/check-read-permissions! conn profile-id file-id)
+ (files/check-edition-permissions! conn profile-id file-id)
 (when-not (db/read-only? conn)
 (let [media (create-file-thumbnail cfg params)]
 {:uri (files/resolve-public-uri (:id media))
diff --git a/backend/test/backend_tests/rpc_file_thumbnails_test.clj b/backend/test/backend_tests/rpc_file_thumbnails_test.clj
index 28134da5ff..6091ac14b8 100644
--- a/backend/test/backend_tests/rpc_file_thumbnails_test.clj
+++ b/backend/test/backend_tests/rpc_file_thumbnails_test.clj
@@ -154,7 +154,7 @@
 (t/is (nil? (sto/get-object storage (:media-id row1))))
 (t/is (some? (sto/get-object storage (:media-id row2))))
- ;; check that storage object is still exists but is marked as deleted
+ ;; check that storage object is still exists but is marked as deleted.
 (let [row (th/db-get :storage-object {:id (:media-id row1)} {::db/remove-deleted false})]
 (t/is (nil? row))))))
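Review bot: The new check `(files/check-edition-permissions! conn profile-id file-id)` replaces a commented read check with an uncommented one, so the reason a thumbnail write needs edit rights is no longer recorded at the enforcement point. I would add `;; Creating a thumbnail writes storage and DB rows, so edit permissions are required; viewers are rejected.` above it. The enclosing command starts and ends outside the hunk, and the other thumbnail-writing commands in this file are not visible here. It is worth confirming they use the same check, so that the viewer write path is closed everywhere and not only in this command.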
@@ -254,6 +254,32 @@
 (t/is (some? (sto/get-object storage (:media-id row2)))))))
+(t/deftest create-file-thumbnail-requires-edit-permissions
+ (let [owner (th/create-profile* 1)
+ viewer (th/create-profile* 2)
+ file (th/create-file* 1 {:profile-id (:id owner)
+ :project-id (:default-project-id owner)
+ :is-shared false
+ :revn 1})
+ _ (th/create-file-role* {:file-id (:id file)
+ :profile-id (:id viewer)
+ :role :viewer})
+ data {::th/type :create-file-thumbnail
+ ::rpc/profile-id (:id viewer)
+ :file-id (:id file)
+ :revn 1
+ :media {:filename "sample.jpg"
+ :size 7923
+ :path (th/tempfile "backend_tests/test_files/sample2.jpg")
+ :mtype "image/jpeg"}}
+ out (th/command! data)
+ error (:error out)]
+
+ (t/is (nil? (:result out)))
+ (t/is (th/ex-info? error))
+ (t/is (th/ex-of-type? error :not-found))
+ (t/is (= 0 (count (th/db-query :file-thumbnail {:file-id (:id file)}))))))
+
 (t/deftest error-on-direct-storage-obj-deletion
 (let [storage (::sto/storage th/*system*)
 profile (th/create-profile* 1)
diff --git a/frontend/src/app/main/ui/dashboard/grid.cljs b/frontend/src/app/main/ui/dashboard/grid.cljs
index c1a813adc4..d7504f42ef 100644
--- a/frontend/src/app/main/ui/dashboard/grid.cljs
+++ b/frontend/src/app/main/ui/dashboard/grid.cljs
@@ -96,7 +96,7 @@
 visible? (h/use-visible container :once? true)]
 (mf/with-effect [file-id revn visible? thumbnail-id]
- (when (and visible? (not thumbnail-id))
+ (when (and can-edit visible? (not thumbnail-id))
 (let [subscription (->> (ask-for-thumbnail file-id revn) (rx/subs! (fn [thumbnail-id]
@@ -119,10 +119,11 @@
 :src (cf/resolve-media thumbnail-id)
 :loading "lazy"
 :decoding "async"}]
- [:> loader* {:class (stl/css :grid-loader)
- :draggable (dm/str can-edit)
- :overlay true
- :title (tr "labels.loading")}]))]))
+ (when can-edit
+ [:> loader* {:class (stl/css :grid-loader)
+ :draggable (dm/str can-edit)
+ :overlay true
+ :title (tr "labels.loading")}])))]))
 ;; --- Grid Item Library
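Review bot: The assertion `(t/is (th/ex-of-type? error :not-found))` in `create-file-thumbnail-requires-edit-permissions` pins an error type that reads oddly for a viewer who has a role on the file, and nothing in the test says why. A comment above it such as `;; a profile without edit rights gets :not-found from the edition check` would stop a later reader from changing the expectation by mistake. The test covers only the denied path. If no existing test exercises a non-owner profile that does have edit rights, a companion case would guard against the check becoming too strict.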
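Review bot: The effect now reads `can-edit` in `(when (and can-edit visible? (not thumbnail-id))`, but its dependency vector is still `[file-id revn visible? thumbnail-id]`, so a change of `can-edit` while the tile stays mounted would not re-run it. I would write `(mf/with-effect [file-id revn visible? thumbnail-id can-edit]`. This gate only avoids a request the backend now rejects; the server-side check remains the enforcement. The component body starts and ends outside the hunk, so where `can-edit` comes from is not visible here.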
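Review bot: With the loader wrapped in `(when can-edit`, a profile without edit rights gets nothing rendered in this branch when the file has no thumbnail, so the tile is presumably left blank. A static, non-loading placeholder for that case would be clearer than an empty slot. Inside the guard, `:draggable (dm/str can-edit)` can only see a truthy `can-edit`, so it could be written as a literal. The enclosing conditional and the component start outside the hunk.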