Fix privilege escalation allowing granted users to delete collections (#12)

* fix: prevent granted users from renaming or deleting collections

Co-authored-by: Vitalii Melnychuk <vitaliimelnychuk@users.noreply.github.com>

* test: mock prisma dependency in collection access test

---------

Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: Vitalii Melnychuk <vitaliimelnychuk@users.noreply.github.com>

Author: 3 people

src/server/access/collections.test.ts

@@ -0,0 +1,19 @@
+import { describe, expect, it, vi } from "vitest";
+
+vi.mock("@/lib/prisma", () => ({
+  prisma: {},
+}));
+
+import { canRenameOrDeleteCollection } from "./collections";
+
+describe("canRenameOrDeleteCollection", () => {
+  it("allows owners and creators", () => {
+    expect(canRenameOrDeleteCollection({ kind: "owner" })).toBe(true);
+    expect(canRenameOrDeleteCollection({ kind: "creator" })).toBe(true);
+  });
+
+  it("denies granted users and non-members", () => {
+    expect(canRenameOrDeleteCollection({ kind: "grant" })).toBe(false);
+    expect(canRenameOrDeleteCollection({ kind: "none" })).toBe(false);
+  });
+});

src/server/access/collections.ts

@@ -13,7 +13,8 @@ export type CollectionAccessState =
 export function canRenameOrDeleteCollection(
   state: CollectionAccessState,
 ): boolean {
-  return state.kind !== "none";
+  // Restrict destructive collection-level operations to owner/creator.
+  return state.kind === "owner" || state.kind === "creator";
 }
 
 export async function loadCollectionAccessState(params: {