frontend/src/lib/shared/server/permissions.ts

@@ -20,6 +20,10 @@ export function hasWriteAll(locals: PermissionLocals): boolean {
  * — `hasWriteAll` returns false for a null user, so a single check covers both
  * the unauthenticated and the under-privileged case. Server-side gate; the
  * frontend canWrite flag only hides entry-point buttons.
+ *
+ * Other WRITE_ALL-gated author loads (e.g. `documents/[id]/edit`) still inline
+ * `if (!hasWriteAll(locals)) throw error(403)` — they can adopt this helper so
+ * the guard doesn't quietly diverge across routes.
  */
 export function requireWriteAll(locals: PermissionLocals): void {
 	if (!hasWriteAll(locals)) throw error(403, 'Forbidden');