From 16257a7b5459550ee3782cf32c87a8241325878d Mon Sep 17 00:00:00 2001
From: KernelDeimos
Date: Wed, 20 Nov 2024 21:00:03 -0500
Subject: [PATCH] fix: permission grants in open_item

---
 src/backend/src/routers/open_item.js | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/src/backend/src/routers/open_item.js b/src/backend/src/routers/open_item.js
index 1220d5aa62..ce7e2cb89b 100644
--- a/src/backend/src/routers/open_item.js
+++ b/src/backend/src/routers/open_item.js
@@ -84,11 +84,14 @@ module.exports = eggspress('/open_item', {
 // Note: We always grant write permission here. If the user only
 // has read permission this is still safe; user permissions
 // are always checked during an app access.
- const permission = `fs:${subject.uid}:write`;
- const svc_permission = Context.get('services').get('permission');
- await svc_permission.grant_user_app_permission(
- actor, app.uid, permission, {}, { reason: 'open_item' }
- );
+ const PERMS = action === 'write' ? ['read', 'write'] : ['read'];
+ for ( const perm of PERMS ) {
+ const permission = `fs:${subject.uid}:${perm}`;
+ const svc_permission = Context.get('services').get('permission');
+ await svc_permission.grant_user_app_permission(
+ actor, app.uid, permission, {}, { reason: 'open_item' }
+ );
+ }

 // Generate user-app token
 const svc_auth = Context.get('services').get('auth');
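Review bot: The context comment directly above the new `PERMS` line still says write permission is always granted, which no longer matches the code: write is now granted only when `action === 'write'`, and every other value falls back to read only. Because that comment carries the safety argument for the grant, it should be updated, for example to `// Note: write is granted only when action === 'write'; any other action gets read only.`, keeping the existing sentence that user permissions are checked during app access. `action` is defined outside the hunk, so whether it is validated before this point cannot be seen here; it is worth confirming that the handler rejects unexpected values rather than silently treating them as a read. The `Context.get('services').get('permission')` lookup is loop-invariant and could be hoisted above the `for`.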