fix(file-viewer): make all editor controls respect read-only permissions

Every interactive control that calls updateAttributes/dispatches a command mutates
the doc even when read-only (ProseMirror commands run regardless of editable), so
gate them on editor.isEditable:
- bubble menu: the Cmd/Ctrl+K shortcut and shouldShow now bail when not editable, so
  a read-only doc can't open the link bar and setLink into it (Cursor finding).
- code block: the language picker renders as a static label when read-only (its
  onSelect mutates); copy + view-only wrap stay.
- image: no drag-to-reorder (draggable=false, no drag handle) and no resize handle
  when read-only; the image still renders and follows its link.
- links: a plain click now follows the link in read-only (reader) mode, while edit
  mode still requires a modifier so a plain click can place the cursor (Cursor finding).
Verified with new read-only permission e2e tests.

Author: waleedlatif1

apps/sim/app/workspace/[workspaceId]/files/components/file-viewer/rich-markdown-editor/code-block.tsx

@@ -43,7 +43,7 @@ export const LANGUAGE_OPTIONS = [
 const CONTROL_CLASS =
   'flex size-[24px] items-center justify-center rounded-lg text-[var(--text-icon)] outline-none transition-colors hover-hover:bg-[var(--surface-hover)] hover-hover:text-[var(--text-body)] focus-visible:bg-[var(--surface-hover)] [&_svg]:size-[14px]'
 
-function CodeBlockView({ node, updateAttributes }: ReactNodeViewProps) {
+function CodeBlockView({ node, updateAttributes, editor }: ReactNodeViewProps) {
   const [wrap, setWrap] = useState(false)
   const [menuOpen, setMenuOpen] = useState(false)
   const { copied, copy } = useCopyToClipboard({ resetMs: 1500 })
@@ -63,33 +63,41 @@ function CodeBlockView({ node, updateAttributes }: ReactNodeViewProps) {
         )}
         contentEditable={false}
       >
-        <DropdownMenu onOpenChange={setMenuOpen}>
-          <DropdownMenuTrigger asChild>
-            <button
-              type='button'
-              aria-label='Code language'
-              className={cn(
-                chipVariants({ variant: 'default', flush: true }),
-                'h-[24px] gap-1 px-1.5 text-[var(--text-muted)] data-[state=open]:bg-[var(--surface-active)] data-[state=open]:text-[var(--text-body)]'
-              )}
-            >
-              {label}
-              <ChevronDown className='size-[14px] text-[var(--text-icon)]' />
-            </button>
-          </DropdownMenuTrigger>
-          <DropdownMenuContent align='end'>
-            {LANGUAGE_OPTIONS.map((option) => (
-              <DropdownMenuItem
-                key={option.value}
-                onSelect={() =>
-                  updateAttributes({ language: option.value === PLAIN ? null : option.value })
-                }
+        {editor.isEditable ? (
+          // Editable: a language picker. Read-only: a static label — selecting a language calls
+          // updateAttributes, which would mutate a doc that must not change.
+          <DropdownMenu onOpenChange={setMenuOpen}>
+            <DropdownMenuTrigger asChild>
+              <button
+                type='button'
+                aria-label='Code language'
+                className={cn(
+                  chipVariants({ variant: 'default', flush: true }),
+                  'h-[24px] gap-1 px-1.5 text-[var(--text-muted)] data-[state=open]:bg-[var(--surface-active)] data-[state=open]:text-[var(--text-body)]'
+                )}
               >
-                {option.label}
-              </DropdownMenuItem>
-            ))}
-          </DropdownMenuContent>
-        </DropdownMenu>
+                {label}
+                <ChevronDown className='size-[14px] text-[var(--text-icon)]' />
+              </button>
+            </DropdownMenuTrigger>
+            <DropdownMenuContent align='end'>
+              {LANGUAGE_OPTIONS.map((option) => (
+                <DropdownMenuItem
+                  key={option.value}
+                  onSelect={() =>
+                    updateAttributes({ language: option.value === PLAIN ? null : option.value })
+                  }
+                >
+                  {option.label}
+                </DropdownMenuItem>
+              ))}
+            </DropdownMenuContent>
+          </DropdownMenu>
+        ) : (
+          <span className='flex h-[24px] items-center px-1.5 text-[var(--text-muted)] text-caption'>
+            {label}
+          </span>
+        )}
         <button
           type='button'
           aria-label='Toggle line wrap'

apps/sim/app/workspace/[workspaceId]/files/components/file-viewer/rich-markdown-editor/image.tsx

@@ -152,7 +152,7 @@ export const MarkdownImage = Image.extend({
  * Drag-to-resize image node view (handle at the bottom-right, revealed on selection). Dragging
  * commits the new pixel width to the `width` attribute, which serializes to `<img width>`.
  */
-function ResizableImageView({ node, updateAttributes, selected }: ReactNodeViewProps) {
+function ResizableImageView({ node, updateAttributes, selected, editor }: ReactNodeViewProps) {
   const imageRef = useRef<HTMLImageElement>(null)
   const dragAbortRef = useRef<AbortController | null>(null)
   const [dragging, setDragging] = useState(false)
@@ -204,19 +204,23 @@ function ResizableImageView({ node, updateAttributes, selected }: ReactNodeViewP
   // untrusted and could be `javascript:`/`data:`; an unsafe value drops the link (image only).
   const safeHref = normalizeLinkHref(typeof attrs.href === 'string' ? attrs.href : '')
 
+  // Read-only: no drag-to-reorder and no resize handle — both call updateAttributes / dispatch a move,
+  // mutating a doc that must not change. The image still renders (and follows its link on click).
+  const editable = editor.isEditable
+
   const image = (
     <img
       ref={imageRef}
       src={attrs.src}
       alt={attrs.alt ?? ''}
       title={attrs.title ?? undefined}
-      // The image itself is the drag handle — grab anywhere on it to reorder. (The node view's
-      // wrapper is forced `draggable=false` by the React renderer, so the handle must be a child;
+      // When editable, the image itself is the drag handle — grab anywhere on it to reorder. (The node
+      // view's wrapper is forced `draggable=false` by the React renderer, so the handle must be a child;
       // the resize button sits outside this element, so it keeps its own pointer behavior.)
-      draggable
-      data-drag-handle
+      draggable={editable}
+      data-drag-handle={editable ? '' : undefined}
       style={widthStyle}
-      className='block max-w-full cursor-grab rounded-lg border border-[var(--border)]'
+      className={`block max-w-full rounded-lg border border-[var(--border)]${editable ? ' cursor-grab' : ''}`}
     />
   )
 
@@ -229,7 +233,7 @@ function ResizableImageView({ node, updateAttributes, selected }: ReactNodeViewP
       ) : (
         image
       )}
-      {(selected || dragging) && (
+      {editable && (selected || dragging) && (
         <button
           type='button'
           aria-label='Resize image'

apps/sim/app/workspace/[workspaceId]/files/components/file-viewer/rich-markdown-editor/menus/bubble-menu.tsx

@@ -119,6 +119,7 @@ export function EditorBubbleMenu({ editor }: EditorBubbleMenuProps) {
   useEffect(() => {
     const dom = editor.view.dom
     const openLinkOnShortcut = (event: KeyboardEvent) => {
+      if (!editor.isEditable) return
       if (!(event.metaKey || event.ctrlKey) || event.isComposing) return
       if (event.key?.toLowerCase() !== 'k') return
       const { from, to } = editor.state.selection
@@ -164,8 +165,11 @@ export function EditorBubbleMenu({ editor }: EditorBubbleMenuProps) {
       aria-label='Text formatting'
       updateDelay={0}
       shouldShow={({ editor: e, from, to }) => {
+        // Read-only never shows the menu — even mid-link-edit (e.g. a stream starting) — so a link
+        // can't be applied to a doc that must not mutate.
+        if (!e.isEditable) return false
         if (isEditingLink) return true
-        if (!e.isEditable || e.isActive('codeBlock')) return false
+        if (e.isActive('codeBlock')) return false
         return e.state.doc.textBetween(from, to, ' ').trim().length > 0
       }}
       className='fade-in-0 z-[var(--z-popover)] flex animate-in items-center gap-0.5 rounded-lg border border-[var(--border)] bg-[var(--bg)] p-1 shadow-sm duration-100 motion-reduce:animate-none'

apps/sim/app/workspace/[workspaceId]/files/components/file-viewer/rich-markdown-editor/rich-markdown-editor.tsx

@@ -235,10 +235,12 @@ export function LoadedRichMarkdownEditor({
         void onSaveShortcutRef.current()
         return true
       },
-      handleClick: (_view, _pos, event) => {
-        if (!(event.metaKey || event.ctrlKey)) return false
+      handleClick: (view, _pos, event) => {
         const href = (event.target as HTMLElement | null)?.closest('a')?.getAttribute('href')
         if (!href) return false
+        // Editing: require a modifier so a plain click can place the cursor. Read-only (a reader, e.g.
+        // the public share page): a plain click follows the link.
+        if (view.editable && !(event.metaKey || event.ctrlKey)) return false
         const normalized = normalizeLinkHref(href)
         if (!normalized) return false
         window.open(normalized, '_blank', 'noopener,noreferrer')