From a7df7be7be0400fa22af4696d47200d92cdf0e32 Mon Sep 17 00:00:00 2001
From: Cursor Agent
Date: Tue, 7 Apr 2026 11:06:03 +0000
Subject: [PATCH 1/2] fix: prevent granted users from renaming or deleting collections

Co-authored-by: Vitalii Melnychuk
---
 src/server/access/collections.test.ts | 14 ++++++++++++++
 src/server/access/collections.ts | 3 ++-
 2 files changed, 16 insertions(+), 1 deletion(-)
 create mode 100644 src/server/access/collections.test.ts

diff --git a/src/server/access/collections.test.ts b/src/server/access/collections.test.ts
new file mode 100644
index 0000000..beba460
--- /dev/null
+++ b/src/server/access/collections.test.ts
@@ -0,0 +1,14 @@
+import { describe, expect, it } from "vitest";
+import { canRenameOrDeleteCollection } from "./collections";
+
+describe("canRenameOrDeleteCollection", () => {
+ it("allows owners and creators", () => {
+ expect(canRenameOrDeleteCollection({ kind: "owner" })).toBe(true);
+ expect(canRenameOrDeleteCollection({ kind: "creator" })).toBe(true);
+ });
+
+ it("denies granted users and non-members", () => {
+ expect(canRenameOrDeleteCollection({ kind: "grant" })).toBe(false);
+ expect(canRenameOrDeleteCollection({ kind: "none" })).toBe(false);
+ });
+});
diff --git a/src/server/access/collections.ts b/src/server/access/collections.ts
index 641c425..f73f353 100644
--- a/src/server/access/collections.ts
+++ b/src/server/access/collections.ts
@@ -13,7 +13,8 @@ export type CollectionAccessState =
 export function canRenameOrDeleteCollection(
 state: CollectionAccessState,
 ): boolean {
- return state.kind !== "none";
+ // Restrict destructive collection-level operations to owner/creator.
+ return state.kind === "owner" || state.kind === "creator";
 }
 
 export async function loadCollectionAccessState(params: {
From c8f0ec18e57b93dbd8cddef0b356038b27086889 Mon Sep 17 00:00:00 2001
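Review bot: These tests pin the predicate alone, using hand-built `{ kind: ... }` objects, so they would still pass if a rename or delete handler stopped calling `canRenameOrDeleteCollection`, or if `loadCollectionAccessState` classified a granted user as `creator`. Because the defect being fixed is an authorization gap, a regression test that drives the rename and delete paths as a granted user and expects a rejection would guard the real boundary. A one-line comment above the second case, such as `// Regression: a granted user must not be able to rename or delete a collection.`, would also record why `grant` is listed explicitly.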
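Review bot: `canRenameOrDeleteCollection` is only a predicate, and the patch does not show the rename and delete handlers, so it is worth confirming that every server-side mutation path calls it and rejects on `false` instead of relying on the client hiding the action. The exported function would also be better served by a TSDoc block than by the inline comment, stating that the check is an allow-list and that any kind later added to `CollectionAccessState` is denied until it is listed, for example `/** Allow-list: only "owner" and "creator" may rename or delete; every other state, including kinds added later, is denied. */`. The `CollectionAccessState` union is declared above the hunk and is not visible here, so the full set of kinds cannot be checked from this diff.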
From: Cursor Agent
Date: Tue, 7 Apr 2026 11:07:16 +0000
Subject: [PATCH 2/2] test: mock prisma dependency in collection access test

---
 src/server/access/collections.test.ts | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/server/access/collections.test.ts b/src/server/access/collections.test.ts
index beba460..8a3761a 100644
--- a/src/server/access/collections.test.ts
+++ b/src/server/access/collections.test.ts
@@ -1,4 +1,9 @@
-import { describe, expect, it } from "vitest";
+import { describe, expect, it, vi } from "vitest";
+
+vi.mock("@/lib/prisma", () => ({
+ prisma: {},
+}));
+
 import { canRenameOrDeleteCollection } from "./collections";
 
 describe("canRenameOrDeleteCollection", () => {
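Review bot: The `vi.mock("@/lib/prisma", ...)` stub carries no comment explaining why a test of a pure predicate needs a database mock; presumably `./collections` imports the prisma client at module load. A line above the call such as `// collections.ts imports prisma at load time; stub it so the predicate can be tested without a database.` would make that clear. Because the stub is an empty object, any later test in this file that reaches `loadCollectionAccessState` will fail on an undefined client method rather than on an assertion. Moving the predicate into a module that does not import prisma may be the cleaner long-term arrangement.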