feat: Allow read-only shared-drive members to create read-only share-by-link permissions

docs/shared-drives.md

@@ -778,7 +778,7 @@ Authorization rules:
 
 - The shared-drive owner can create a link.
 - A write-capable recipient can create a link.
-- A read-only recipient cannot create a link.
+- A read-only recipient can create a read-only link.
 
 Validation:
 
@@ -787,6 +787,7 @@ Validation:
 - Selectors are not supported.
 - The target must belong to the shared drive and must be readable by the
   caller.
+- A read-only recipient cannot request writable verbs.
 - Only one share-by-link permission can exist per target. A second creation
   attempt on the same target returns a conflict, regardless of which member
   created the existing link.
@@ -795,8 +796,8 @@ Status codes:
 
 - `200 OK` created
 - `400 Bad Request` invalid permission set or invalid target
-- `403 Forbidden` caller lacks access to the target or is read-only on the
-  shared drive
+- `403 Forbidden` caller lacks access to the target or requests a permission
+  set larger than their shared-drive access
 - `409 Conflict` a share-by-link permission already exists for this target
 
 ### PATCH /sharings/drives/:id/permissions/:perm-id
@@ -809,13 +810,15 @@ Authorization rules:
 - The creator of a share-by-link permission can patch the permission they
   created.
 - Creator resolution works for same-stack and cross-stack recipients.
+- A read-only shared-drive recipient can patch only the read-only permission
+  they created.
 - Public share tokens (`share`, `share-preview`) cannot patch permissions.
 
 Allowed updates:
 
 - `password`
 - `expires_at`
-- `permissions` (same target only)
+- `permissions` (same target only, owner or write-capable creator only)
 
 Validation:
 
@@ -826,16 +829,19 @@ Validation:
   inside the shared drive.
 - A write-capable creator or the owner can promote a read-only link to a
   writable link if their current token grants those verbs.
-- A read-only shared-drive recipient cannot patch a permission set to add
-  writable verbs.
+- A read-only shared-drive recipient can only update `password` and
+  `expires_at`.
+- A read-only shared-drive recipient cannot patch `permissions`, even if the
+  result would stay read-only.
 
 Status codes:
 
 - `200 OK` updated
-- `400 Bad Request` invalid payload (for example trying to update `permissions`
-  or `codes`), invalid `password` / `expires_at` attribute format
-- `403 Forbidden` caller is not owner/creator, or caller identity cannot be
-  verified for a shared-drive token
+- `400 Bad Request` invalid payload (for example trying to update `codes`),
+  invalid `password` / `expires_at` attribute format
+- `403 Forbidden` caller is not owner/creator, caller identity cannot be
+  verified for a shared-drive token, or a read-only recipient attempts to
+  patch `permissions`
 - `404 Not Found` permission ID does not exist
 
 ### DELETE /sharings/drives/:id/permissions/:perm-id
@@ -847,7 +853,8 @@ Authorization rules:
 - The shared-drive owner can revoke any share-by-link permission.
 - The creator of a share-by-link permission can revoke the permission they
   created.
-- A read-only shared-drive recipient cannot revoke a permission.
+- A read-only shared-drive recipient can revoke the read-only permission they
+  created.
 - Public share tokens (`share`, `share-preview`) cannot revoke permissions.
 
 Status codes: