fix(comments): permission check (#6057)

hermanwikner · web-flow · commit 2163ff0002d0 · 2024-03-20T08:52:18.000Z
diff --git a/packages/sanity/src/structure/comments/plugin/field/CommentsField.tsx b/packages/sanity/src/structure/comments/plugin/field/CommentsField.tsx
@@ -92,6 +92,7 @@ function CommentFieldInner(
 
   const {
     comments,
+    hasPermission,
     isCommentsOpen,
     isCreatingDataset,
     mentionOptions,
@@ -316,6 +317,11 @@ function CommentFieldInner(
     ],
   )
 
+  // Render the default field component if the user doesn't have permission
+  if (!hasPermission) {
+    return props.renderDefault(props)
+  }
+
   return (
     <FieldStack {...applyCommentsFieldAttr(PathUtils.toString(props.path))} ref={rootRef}>
       {props.renderDefault({
diff --git a/packages/sanity/src/structure/comments/plugin/input/components/CommentsPortableTextInput.tsx b/packages/sanity/src/structure/comments/plugin/input/components/CommentsPortableTextInput.tsx
@@ -63,8 +63,16 @@ export const CommentsPortableTextInputInner = React.memo(function CommentsPortab
   const currentUser = useCurrentUser()
   const portal = usePortal()
 
-  const {mentionOptions, comments, operation, onCommentsOpen, getComment, setStatus, status} =
-    useComments()
+  const {
+    comments,
+    getComment,
+    hasPermission,
+    mentionOptions,
+    onCommentsOpen,
+    operation,
+    setStatus,
+    status,
+  } = useComments()
   const {setSelectedPath, selectedPath} = useCommentsSelectedPath()
   const {scrollToComment, scrollToGroup} = useCommentsScroll()
   const {handleOpenDialog} = useCommentsUpsell()
@@ -502,6 +510,11 @@ export const CommentsPortableTextInputInner = React.memo(function CommentsPortab
   )
   const showFloatingInput = Boolean(nextCommentSelection && popoverAuthoringReferenceElement)
 
+  // Render the default input if the user doesn't have permission
+  if (!hasPermission) {
+    return props.renderDefault(props)
+  }
+
   return (
     <>
       <BoundaryElementProvider element={boundaryElement}>
diff --git a/packages/sanity/src/structure/comments/src/context/comments/CommentsProvider.tsx b/packages/sanity/src/structure/comments/src/context/comments/CommentsProvider.tsx
@@ -4,6 +4,7 @@ import {
   getPublishedId,
   useAddonDataset,
   useCurrentUser,
+  useDocumentValuePermissions,
   useEditState,
   useSchema,
   useUserListWithPermissions,
@@ -73,9 +74,23 @@ export const CommentsProvider = memo(function CommentsProvider(props: CommentsPr
 
   const {name: workspaceName, dataset, projectId} = useWorkspace()
 
+  const documentValue = useMemo(() => {
+    return editState.draft || editState.published
+  }, [editState.draft, editState.published])
+
+  const documentRevisionId = useMemo(() => documentValue?._rev, [documentValue])
+
   // A map to keep track of the latest transaction ID for each comment document.
   const transactionsIdMap = useMemo(() => new Map<DocumentId, TransactionId>(), [])
 
+  // We only need to check for read permission on the document since users with
+  // read permission on the document can both read and write comments.
+  // This is how permission work for the comments add-on dataset.
+  const [readPermission] = useDocumentValuePermissions({
+    document: documentValue || {_type: documentType, _id: publishedId},
+    permission: 'read',
+  })
+
   // When the latest transaction ID is received, we remove the transaction id from the map.
   const handleOnLatestTransactionIdReceived = useCallback(
     (commentDocumentId: string) => {
@@ -109,12 +124,6 @@ export const CommentsProvider = memo(function CommentsProvider(props: CommentsPr
     [transactionsIdMap],
   )
 
-  const documentValue = useMemo(() => {
-    return editState.draft || editState.published
-  }, [editState.draft, editState.published])
-
-  const documentRevisionId = useMemo(() => documentValue?._rev, [documentValue])
-
   const handleSetStatus = useCallback(
     (newStatus: CommentStatus) => {
       // Avoids going to "resolved" when using links to comments
@@ -267,6 +276,8 @@ export const CommentsProvider = memo(function CommentsProvider(props: CommentsPr
       isCommentsOpen,
       onCommentsOpen,
 
+      hasPermission: Boolean(readPermission?.granted),
+
       comments: {
         data: threadItemsByStatus,
         error,
@@ -282,20 +293,21 @@ export const CommentsProvider = memo(function CommentsProvider(props: CommentsPr
       mentionOptions,
     }),
     [
-      error,
+      isCreatingDataset,
+      status,
+      handleSetStatus,
       getComment,
       isCommentsOpen,
-      isCreatingDataset,
-      loading,
-      mentionOptions,
       onCommentsOpen,
+      readPermission?.granted,
+      threadItemsByStatus,
+      error,
+      loading,
       operation.create,
       operation.react,
       operation.remove,
       operation.update,
-      status,
-      handleSetStatus,
-      threadItemsByStatus,
+      mentionOptions,
     ],
   )
 
diff --git a/packages/sanity/src/structure/comments/src/context/comments/types.ts b/packages/sanity/src/structure/comments/src/context/comments/types.ts
@@ -19,6 +19,8 @@ export interface CommentsContextValue {
   isCommentsOpen?: boolean
   onCommentsOpen?: () => void
 
+  hasPermission: boolean
+
   comments: {
     data: {
       open: CommentThreadItem[]
