OVERLEAF_NON_ADMIN_CAN_PUBLISH_TEMPLATES is read but never used in permission checks #43

Description

@Musicminion

Bug Description

Setting OVERLEAF_NON_ADMIN_CAN_PUBLISH_TEMPLATES=true has no effect. Non-admin users still cannot see or use the "Publish as Template" option.

Root Cause

The environment variable is read and stored in Settings.templates.nonAdminCanManage at modules/template-gallery/index.mjs:23, but this setting is never referenced in the actual permission checks.

The two places that check template publish permissions both only allow admins or the specific template owner user (OVERLEAF_TEMPLATES_USER_ID):

  1. modules/template-gallery/app/src/PermissionsMiddleware.mjs:12 (API access control):

    const isAdminOrTemplateOwner = hasAdminAccess(user) || Settings.templates?.user_id === userId

  2. app/src/Features/Project/ProjectController.mjs:733 (editor UI visibility):

    const isAdminOrTemplateOwner = hasAdminAccess(user) || Settings.templates?.user_id === userId
    const showTemplatesServerPro = Features.hasFeature('templates-server-pro') && isAdminOrTemplateOwner

Neither location checks Settings.templates?.nonAdminCanManage.

Expected Behavior

When OVERLEAF_NON_ADMIN_CAN_PUBLISH_TEMPLATES=true, logged-in users && template owner should be able to publish templates, not just admins and the template owner user.
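
One way to keep the two check sites from drifting apart is a single shared predicate plus a permission matrix that fails whenever the flag is a no-op. This is an added example, not code from the project or the issue author: `canPublishTemplates`, `permissionMatrix`, the stubbed `hasAdminAccess`, the `isAdmin` field and the sample ids are hypothetical, and it assumes the settings loader stores `nonAdminCanManage` as a boolean.

```javascript
// Added example, not the project's code. Only Settings.templates.user_id and
// Settings.templates.nonAdminCanManage are names taken from the issue.

// Stand-in for the project's hasAdminAccess(user); the isAdmin field is assumed.
function hasAdminAccess(user) {
  return Boolean(user && user.isAdmin)
}

// One predicate intended for both the API middleware and the editor UI flag.
function canPublishTemplates(user, userId, settings) {
  // Require a logged-in user first, so an unset templates.user_id can never
  // compare equal to a missing userId.
  if (!userId) return false
  const templates = settings?.templates ?? {}
  if (hasAdminAccess(user)) return true
  if (templates.user_id != null && String(templates.user_id) === String(userId)) {
    return true
  }
  // Opt-in only: anything other than boolean true keeps the strict default.
  return templates.nonAdminCanManage === true
}

// Constructed permission matrix: one row per flag value, one column per role.
function permissionMatrix() {
  const admin = { isAdmin: true }
  const member = { isAdmin: false }
  return [undefined, false, true].map(flag => {
    const settings = { templates: { user_id: 'owner-1', nonAdminCanManage: flag } }
    return {
      flag,
      admin: canPublishTemplates(admin, 'admin-1', settings),
      owner: canPublishTemplates(member, 'owner-1', settings),
      member: canPublishTemplates(member, 'user-2', settings),
      anonymous: canPublishTemplates(undefined, undefined, settings),
    }
  })
}

console.table(permissionMatrix())
```

Only the `member` column should change between the `false` and `true` rows; a matrix where no cell changes is the symptom reported in this issue.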

Labels: bug