lawyered0 wants folder deletes locked to the owner
A collaborator on a shared project could wipe out documents they never owned, just by deleting the folder they sat in.
lawyered0 spotted a sharp edge in how Mike handles deletion. Deleting a folder doesn't just remove the folder - it cascades, taking every document nested inside it with it, permanently. But the permission check only asked whether you had access to the project at all. That meant anyone invited into a shared workspace, not just its owner, could trigger the whole teardown and destroy files that belonged to someone else.
The proposed fix reclassifies folder deletion as a privileged, owner-only action, so a low-trust collaborator can no longer reach a high-stakes destructive button. It's a small, defensive change aimed squarely at limiting the blast radius of a mistake or a bad actor. Worth noting: the pull request was closed without being merged, so it isn't clear whether the gap was closed another way or is still open.
Spotted something wrong? Or know the PR text has fresher detail than the writeup above?