feat(FR-2893): disable upload button when host lacks upload-file permission

ironAiken2 · ironAiken2 · commit 15bd06f8b9d1 · 2026-05-14T13:11:22.000+09:00
Derive `hasWriteContentPermission` from the existing `unitedAllowedPermissionByVolume` host permission set instead of hard-coding it to `true`. The host permission set already carries `upload-file` alongside `download-file`, so the same pattern used for download gating now also gates upload/edit. Delete capability remains hard-coded behind the FR-2619 follow-up note, since `delete-vfolder` is folder-level rather than file-level.
diff --git a/react/src/components/FolderExplorerModalV2.tsx b/react/src/components/FolderExplorerModalV2.tsx
@@ -159,17 +159,20 @@ const FolderExplorerModalV2: React.FC<FolderExplorerProps> = ({
     unitedAllowedPermissionByVolume[vfolderNode?.host ?? ''],
     'download-file',
   );
-  // TODO(needs-backend): write/delete capability should be derived from the
+  const hasWriteContentPermission = _.includes(
+    unitedAllowedPermissionByVolume[vfolderNode?.host ?? ''],
+    'upload-file',
+  );
+  // TODO(needs-backend): delete capability should be derived from the
   // caller's *effective* permission set on this entity (e.g.,
-  // `delete_content`, `write_content`), not from the folder's mount
-  // permission. The V2 schema currently exposes only the mount permission via
-  // `accessControl.permission` (`READ_ONLY` / `READ_WRITE` / `RW_DELETE`),
-  // which is what the folder is mounted *as* into a session — not what the
-  // caller is allowed to do on the folder itself. Until the backend exposes a
-  // proper effective permission set, allow all callers and let the server
-  // enforce authorization. See FR-2619 follow-up.
+  // `delete_content`), not from the folder's mount permission. The V2 schema
+  // currently exposes only the mount permission via `accessControl.permission`
+  // (`READ_ONLY` / `READ_WRITE` / `RW_DELETE`), which is what the folder is
+  // mounted *as* into a session — not what the caller is allowed to do on the
+  // folder itself. Until the backend exposes a proper effective permission
+  // set, allow all callers and let the server enforce authorization.
+  // See FR-2619 follow-up.
   const hasDeleteContentPermission = true;
-  const hasWriteContentPermission = true;
   // TODO: Skip permission check due to inaccurate API response. Update when API is fixed.
   const hasNoPermissions = false;
 
