🐛 Prevent viewers from overwriting file thumbnails (#9285)

* 🐛 Prevent viewers from overwriting file thumbnails

* 🐛 Fix message

---------

Co-authored-by: jony376 <jony376@gmail.com>
Co-authored-by: Andrey Antukh <niwi@niwi.nz>

backend/src/app/rpc/commands/files_thumbnails.clj

@@ -409,10 +409,7 @@
 
   [cfg {:keys [::rpc/profile-id file-id] :as params}]
   (db/tx-run! cfg (fn [{:keys [::db/conn] :as cfg}]
-                    ;; TODO For now we check read permissions instead of write,
+                    (files/check-edition-permissions! conn profile-id file-id)
-                    ;; to allow viewer users to update thumbnails. We might
-                    ;; review this approach on the future.
-                    (files/check-read-permissions! conn profile-id file-id)
                     (when-not (db/read-only? conn)
                       (let [media (create-file-thumbnail cfg params)]
                         {:uri (files/resolve-public-uri (:id media))

backend/test/backend_tests/rpc_file_thumbnails_test.clj

@@ -154,7 +154,7 @@
       (t/is (nil? (sto/get-object storage (:media-id row1))))
       (t/is (some? (sto/get-object storage (:media-id row2))))
 
-      ;; check that storage object is still exists but is marked as deleted
+      ;; check that storage object is still exists but is marked as deleted.
       (let [row (th/db-get :storage-object {:id (:media-id row1)} {::db/remove-deleted false})]
         (t/is (nil? row))))))
 
@@ -254,6 +254,32 @@
 
       (t/is (some? (sto/get-object storage (:media-id row2)))))))
 
+(t/deftest create-file-thumbnail-requires-edit-permissions
+  (let [owner  (th/create-profile* 1)
+        viewer (th/create-profile* 2)
+        file   (th/create-file* 1 {:profile-id (:id owner)
+                                   :project-id (:default-project-id owner)
+                                   :is-shared false
+                                   :revn 1})
+        _      (th/create-file-role* {:file-id (:id file)
+                                      :profile-id (:id viewer)
+                                      :role :viewer})
+        data   {::th/type :create-file-thumbnail
+                ::rpc/profile-id (:id viewer)
+                :file-id (:id file)
+                :revn 1
+                :media {:filename "sample.jpg"
+                        :size 7923
+                        :path (th/tempfile "backend_tests/test_files/sample2.jpg")
+                        :mtype "image/jpeg"}}
+        out    (th/command! data)
+        error  (:error out)]
+
+    (t/is (nil? (:result out)))
+    (t/is (th/ex-info? error))
+    (t/is (th/ex-of-type? error :not-found))
+    (t/is (= 0 (count (th/db-query :file-thumbnail {:file-id (:id file)}))))))
+
 (t/deftest error-on-direct-storage-obj-deletion
   (let [storage (::sto/storage th/*system*)
         profile (th/create-profile* 1)

frontend/src/app/main/ui/dashboard/grid.cljs

@@ -96,7 +96,7 @@
         visible?     (h/use-visible container :once? true)]
 
     (mf/with-effect [file-id revn visible? thumbnail-id]
-      (when (and visible? (not thumbnail-id))
+      (when (and can-edit visible? (not thumbnail-id))
         (let [subscription
               (->> (ask-for-thumbnail file-id revn)
                    (rx/subs! (fn [thumbnail-id]
@@ -119,10 +119,11 @@
                 :src (cf/resolve-media thumbnail-id)
                 :loading "lazy"
                 :decoding "async"}]
-         [:> loader* {:class (stl/css :grid-loader)
+         (when can-edit
-                      :draggable (dm/str can-edit)
+           [:> loader* {:class (stl/css :grid-loader)
-                      :overlay true
+                        :draggable (dm/str can-edit)
-                      :title (tr "labels.loading")}]))]))
+                        :overlay true
+                        :title (tr "labels.loading")}])))]))
 
 ;; --- Grid Item Library