lawyered0 locks folder deletion to project owners

A permissions fix so that being invited to a shared project no longer means you can wipe out its folders.

securitymulti-tenant

As things stand, the delete path apparently treats everyone with access to a shared project the same, so any member can remove a folder, not just the person who owns the project. lawyered0's change adds an ownership check: only the project owner gets to delete a folder.

The fix also handles the knock-on effect. Deleting a folder takes the documents nested inside it too, so the same restriction has to cover the contents, not only the top-level folder. lawyered0 flags this directly, which suggests the guard protects the whole tree of documents underneath rather than a single button. This is squarely an access-control tightening in the project and document management layer; the substance is the permission logic itself, and it is still an open proposal on the upstream project.

So what Anyone running Mike with shared client or matter workspaces should care, since it closes a gap where a collaborator could delete work they were only meant to view.

View this fork on GitHub →

Spotted something wrong? Or know the PR text has fresher detail than the writeup above?