The share endpoint currently rejects role='viewer' because enforcement isn't wired. The infrastructure (_current_role ContextVar + _require_editor() helper) exists; it just needs plumbing into every mutation endpoint.
Acceptance criteria:
Every write endpoint (/grid/cell, /grid/range, /grid/clear, /agent/apply, /agent/chat/chain, /workbook/sheet*, /system/save, chart/macro CRUD) calls _require_editor() at the top.
Unit test via TestClient that a viewer caller gets 403 on each.
role='viewer' again.
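An added example, not the project's code: a framework-free stand-in for the router that shows the guard pattern and a sweep that fails when any write route lets a viewer through. Only `_current_role` and `_require_editor()` are names from the issue; the route table, the `Forbidden` exception, the fail-closed default role and the handlers are assumptions made for illustration.

```python
from contextvars import ContextVar

# Names from the issue. Default of "viewer" (fail closed) is an assumption.
_current_role: ContextVar[str] = ContextVar("_current_role", default="viewer")

class Forbidden(Exception):
    """Hypothetical stand-in for the framework's HTTP 403 error."""

def _require_editor() -> None:
    if _current_role.get() != "editor":
        raise Forbidden("editor role required")

ROUTES = {}  # (method, path) -> handler; hypothetical stand-in for the app router

def route(method, path):
    def register(fn):
        ROUTES[(method, path)] = fn
        return fn
    return register

@route("GET", "/grid/cell")
def read_cell():
    return {"value": 1}          # reads stay open to viewers

@route("POST", "/grid/cell")
def write_cell():
    _require_editor()            # guard is the first statement of the handler
    return {"ok": True}

@route("POST", "/grid/clear")
def clear_grid():
    _require_editor()
    return {"ok": True}

@route("POST", "/system/save")
def save():                      # constructed gap: guard forgotten on purpose
    return {"ok": True}

def call(method, path, role):
    """Dispatch one request with the caller's role bound for its duration."""
    token = _current_role.set(role)
    try:
        return 200, ROUTES[(method, path)]()
    except Forbidden:
        return 403, None
    finally:
        _current_role.reset(token)   # never leak a role into the next request

def unguarded_writes():
    """Every non-GET route that does not answer 403 to a viewer."""
    return sorted(p for (m, p) in ROUTES
                  if m != "GET" and call(m, p, "viewer")[0] != 403)
```

Driving the check from the route table rather than a hand-written list means a newly added write endpoint is covered without anyone remembering to add a test for it.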