File upload with only update permissions can fail

[TheSlimvReal]

If a user has only update permissions for a entity and tries to upload an attachment for this entity for the first time, the action will fail.
This is because in order to upload attachments for an entity, another document has to be created in the app-attachments db and for this action the create permissions are required.
If the document already exists in this DB uploading further attachments can be done without create permissions.

This is inconsistent in terms of permission logic but in some way required if we want to stick with the CouchDB API in the replication backend as close as possible.

I am not fully sure what would be the best solution as it is not really possible in the backend to distinguish requests to a "normal" DB and the ones to the "attachments" DB. At the moment the backend treats both of them the same which gives a lot of flexibility.

---

somewhat related:
file delete can fail (with HTTP 403 error), despite being able to upload file in case of #2558

[sleidig]

I think from a platform and consistency angle, we need to check permissions for app-attachments differently then, so as to allow users with update permission to always upload files. How to achieve this elegantly, I am not sure ;-)

[sleidig]

We already check the entity ("app" db) doc for permissions when uploading a file to the app-attachments db (see replication-backend AttachmentController.ensurePermissions). Similarly, a PUT to create a new doc in app-attachments db could use a special permission check - not for create permission but for update permission on the related doc in "app" db. We do require the doc to be created in "app" db before the app-attachments upload already (--> #2410)