Require review owner for tabular settings edits #175

Open
lawyered0 wants to merge 1 commit into Open-Legal-Products:main from lawyered0:fix/tabular-review-owner-settings

@lawyered0

Summary

  • require tabular review ownership before changing the review title
  • require tabular review ownership before changing the review document list
  • keep existing owner-only checks for columns, sharing, and project moves unchanged

Bug

PATCH /tabular-review/:reviewId already restricted columns, sharing, and project moves to the review owner, but it allowed any user with review access to change title or document_ids. That let collaborators rename another user’s review or add/remove documents and cells by calling the API directly, even though the UI treats these as owner-controlled structural settings.

Verification

  • npm run build --prefix backend
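
The gap described in the Bug section above, modelled as a field-level authorization table with the policy before and after the change. This is an added example, not code from this pull request or the project. The field names `columns`, `shared_with` and `project_id`, the review record shape, and the status codes are assumptions.

```javascript
// Added illustration, not the project's code. Field names other than `title`
// and `document_ids`, and the review shape { owner_id, shared_with }, are assumed.

// Role each PATCH field requires; "access" means any user with review access.
const POLICY_BEFORE = {
  title: "access",        // gap described in the PR
  document_ids: "access", // gap described in the PR
  columns: "owner",
  shared_with: "owner",
  project_id: "owner",
};
const POLICY_AFTER = { ...POLICY_BEFORE, title: "owner", document_ids: "owner" };

function roleOf(review, userId) {
  if (review.owner_id === userId) return "owner";
  if (review.shared_with.includes(userId)) return "access";
  return "none";
}

// Decides whether a PATCH body may be applied; it does not apply it.
function authorizePatch(policy, review, userId, body) {
  const fields = Object.keys(body);
  const role = roleOf(review, userId);
  if (role === "none") return { status: 404, rejected: fields };
  // Deny by default: a field with no own entry in the policy is never writable,
  // so a field added to the model later is not silently open to collaborators.
  const unknown = fields.filter(
    (f) => !Object.prototype.hasOwnProperty.call(policy, f)
  );
  if (unknown.length > 0) return { status: 400, rejected: unknown };
  const rejected = fields.filter(
    (f) => policy[f] === "owner" && role !== "owner"
  );
  if (rejected.length > 0) return { status: 403, rejected };
  return { status: 200, rejected: [] };
}

// Constructed sample data for a regression check.
const review = { owner_id: "u-owner", shared_with: ["u-collab"] };
const patch = { title: "renamed", document_ids: ["d1"] };

function demo() {
  return {
    collabBefore: authorizePatch(POLICY_BEFORE, review, "u-collab", patch).status,
    collabAfter: authorizePatch(POLICY_AFTER, review, "u-collab", patch).status,
    ownerAfter: authorizePatch(POLICY_AFTER, review, "u-owner", patch).status,
  };
}
```

A check of this kind belongs in the server-side handler, since the request described above bypasses the UI entirely.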

@CLAassistant

CLAassistant commented Jun 22, 2026

CLA assistant check
All committers have signed the CLA.
