From a7965771996e556414885a73a74f16fe64c1afb2 Mon Sep 17 00:00:00 2001
From: claude
Date: Fri, 19 Jun 2026 10:17:24 +0000
Subject: [PATCH] fix(security): restrict publish-presentation routes to project owners

Read-only collaborators and token-link users could publish, unpublish, and rotate presentation share tokens. Change all three write endpoints from ensureUserCanReadProject to ensureUserCanAdminProject so only the project owner can perform these actions.

Co-Authored-By: Claude Sonnet 4.6
---
 services/web/app/src/router.mjs | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/services/web/app/src/router.mjs b/services/web/app/src/router.mjs
index e61b303195..431906dd4f 100644
--- a/services/web/app/src/router.mjs
+++ b/services/web/app/src/router.mjs
@@ -695,17 +695,17 @@ async function initialize(webRouter, privateApiRouter, publicApiRouter) {
 )
 webRouter.post(
 '/project/:Project_id/publish-presentation',
- AuthorizationMiddleware.ensureUserCanReadProject,
+ AuthorizationMiddleware.ensureUserCanAdminProject,
 PublishedPresentationController.publish
 )
 webRouter.post(
 '/project/:Project_id/publish-presentation/regenerate',
- AuthorizationMiddleware.ensureUserCanReadProject,
+ AuthorizationMiddleware.ensureUserCanAdminProject,
 PublishedPresentationController.regenerate
 )
 webRouter.delete(
 '/project/:Project_id/publish-presentation',
- AuthorizationMiddleware.ensureUserCanReadProject,
+ AuthorizationMiddleware.ensureUserCanAdminProject,
 PublishedPresentationController.unpublish
 )
 // On-demand export of a RevealJS deck (download menu): html | pdf.
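Review bot: The three routes now gate on ensureUserCanAdminProject, but the commit carries no regression test pinning that a read-only collaborator or token-link user receives a 403 on POST /project/:Project_id/publish-presentation, its /regenerate sibling and the DELETE, so the privilege check can silently regress the next time someone touches this middleware chain. A short comment above the first of the three registrations would also record why the stricter check is deliberate rather than accidental, e.g. `// Publishing, unpublishing and rotating the share token change who can reach the deck; restricted to project admins, never readers or link users.` The commit description says "only the project owner", but if ensureUserCanAdminProject also passes for site admins, as admin-level checks in this router presumably do, that sentence overstates the restriction and is worth confirming against AuthorizationMiddleware before merge. The enclosing initialize() begins and ends outside the hunk.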