Fix permissions

wizard-server/src/Wizard/Service/DocumentTemplate/Bundle/DocumentTemplateBundleService.hs

@@ -70,6 +70,7 @@ importAndConvertBundle :: BSL.ByteString -> Bool -> AppContextM DocumentTemplate
 importAndConvertBundle contentS fromRegistry =
   case fromDocumentTemplateArchive contentS of
     Right (bundle, assetContents) -> do
+      checkPermission _DOC_TML_WRITE_PERM
       checkDocumentTemplateLimit
       let assetSize = foldl (\acc (_, content) -> acc + (fromIntegral . BS.length $ content)) 0 assetContents
       checkStorageSize assetSize

wizard-server/src/Wizard/Service/Locale/Bundle/LocaleBundleService.hs

@@ -38,14 +38,15 @@ getTemporaryFileWithBundle lclId =
 exportBundle :: String -> AppContextM BSL.ByteString
 exportBundle lclId =
   runInTransaction $ do
+    checkPermission _LOC_PERM
     locale <- findLocaleById lclId
     content <- retrieveLocale locale.lId
     return $ toLocaleArchive locale content
 
 pullBundleFromRegistry :: String -> AppContextM ()
 pullBundleFromRegistry lclId =
   runInTransaction $ do
-    checkPermission _DOC_TML_WRITE_PERM
+    checkPermission _LOC_PERM
     lb <- catchError (retrieveLocaleBundleById lclId) handleError
     _ <- importBundle lb True
     return ()

wizard-server/src/Wizard/Service/Package/Bundle/PackageBundleService.hs

@@ -60,6 +60,7 @@ getTemporaryFileWithBundle pbId =
 exportBundle :: String -> AppContextM PackageBundleDTO
 exportBundle pbId =
   runInTransaction $ do
+    checkPermission _PM_WRITE_PERM
     packages <- findSeriesOfPackagesRecursiveById pbId
     let newestPackage = last packages
     when

wizard-server/src/Wizard/Service/Questionnaire/Version/QuestionnaireVersionService.hs

@@ -95,7 +95,9 @@ revertToEvent :: U.UUID -> QuestionnaireVersionRevertDTO -> Bool -> AppContextM
 revertToEvent qtnUuid reqDto shouldSave =
   runInTransaction $ do
     qtn <- findQuestionnaireByUuid qtnUuid
-    when shouldSave (checkOwnerPermissionToQtn qtn.visibility qtn.permissions)
+    if shouldSave
+      then checkOwnerPermissionToQtn qtn.visibility qtn.permissions
+      else checkViewPermissionToQtn qtn.visibility qtn.sharing qtn.permissions
     let updatedEvents = takeWhileInclusive (\e -> getUuid e /= reqDto.eventUuid) qtn.events
     let updatedEventUuids = S.fromList . fmap getUuid $ updatedEvents
     let updatedVersions = filter (\v -> S.member v.eventUuid updatedEventUuids) qtn.versions

wizard-server/src/Wizard/Service/Tenant/Usage/UsageService.hs

@@ -10,6 +10,7 @@ import Wizard.Database.DAO.DocumentTemplate.DocumentTemplateDraftDAO
 import Wizard.Database.DAO.Questionnaire.QuestionnaireDAO
 import Wizard.Database.DAO.Tenant.TenantLimitBundleDAO
 import Wizard.Database.DAO.User.UserDAO
+import Wizard.Model.Context.AclContext
 import Wizard.Model.Context.AppContext
 import Wizard.Service.Tenant.Usage.UsageMapper
 import WizardLib.DocumentTemplate.Database.DAO.DocumentTemplate.DocumentTemplateAssetDAO
@@ -35,6 +36,7 @@ getUsage tenantUuid = do
 
 getUsageForCurrentApp :: AppContextM TenantUsageDTO
 getUsageForCurrentApp = do
+  checkPermission _CFG_PERM
   limitBundle <- findLimitBundleForCurrentTenant
   userCount <- countUsers
   activeUserCount <- countActiveUsers