From 719274ef88162b28b7912537c7b50e5cc79517cc Mon Sep 17 00:00:00 2001 From: Marcel Date: Sun, 14 Jun 2026 00:33:38 +0200 Subject: [PATCH] docs(permissions): note requireWriteAll can replace the inline guard elsewhere Architect/Developer review suggestion: flag that other WRITE_ALL-gated author loads (e.g. documents/[id]/edit) still inline the throw-403 guard and can adopt requireWriteAll so it doesn't diverge. Comment-only. Addresses PR #832 review (Architect suggestion). Co-Authored-By: Claude Opus 4.8
--- frontend/src/lib/shared/server/permissions.ts | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/frontend/src/lib/shared/server/permissions.ts b/frontend/src/lib/shared/server/permissions.ts
index bdd5d36c..bfb6f263 100644
--- a/frontend/src/lib/shared/server/permissions.ts
+++ b/frontend/src/lib/shared/server/permissions.ts
@@ -20,6 +20,10 @@ export function hasWriteAll(locals: PermissionLocals): boolean {
 * — `hasWriteAll` returns false for a null user, so a single check covers both
 * the unauthenticated and the under-privileged case. Server-side gate; the
 * frontend canWrite flag only hides entry-point buttons.
+ *
+ * Other WRITE_ALL-gated author loads (e.g. `documents/[id]/edit`) still inline
+ * `if (!hasWriteAll(locals)) throw error(403)` — they can adopt this helper so
+ * the guard doesn't quietly diverge across routes.
 */
 export function requireWriteAll(locals: PermissionLocals): void {
 if (!hasWriteAll(locals)) throw error(403, 'Forbidden');
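Review bot: A doc comment cannot keep the remaining inline copies of this guard in step, and the paragraph added above `requireWriteAll` will go stale as soon as `documents/[id]/edit` is migrated. The context lines describe this as the server-side gate, with the frontend flag only hiding buttons, so a copy that drifts is an access-control gap rather than a cosmetic difference. I would turn the paragraph into a tracked action, e.g. `TODO(<issue-id>): migrate remaining inline hasWriteAll guards to requireWriteAll`, and back it with a route-level test that each WRITE_ALL-gated load rejects a null or under-privileged user. The quoted inline form `throw error(403)` also omits the `'Forbidden'` message the helper passes; if that matches the real routes, the responses already differ, which is worth confirming. The body of `requireWriteAll` continues past the end of the hunk.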