Fix permissions on project component edits (#5526)

aecsocket
2026-03-11 19:09:44 +00:00
committed by GitHub
parent 83ea7f684b
commit 407e6217f5
2 changed files with 15 additions and 1 deletions


@@ -1112,10 +1112,13 @@ COPY public.loaders_project_types_games (loader_id, project_type_id, game_id) FR
COPY public.users (id, github_id, username, email, avatar_url, bio, created, role, badges, balance, discord_id, gitlab_id, google_id, steam_id, microsoft_id, password, email_verified, totp_secret, paypal_country, paypal_email, paypal_id, venmo_handle, stripe_customer_id, raw_avatar_url, allow_friend_requests) FROM stdin;
103587649610509 \N Default admin user admin@modrinth.invalid https://avatars.githubusercontent.com/u/106493074 $ chmod 777 labrinth 2020-07-18 16:03:00.000000+00 admin 0 0.00000000000000000000 \N \N \N \N \N $argon2i$v=19$m=4096,t=3,p=1$c2FsdEl0V2l0aFNhbHQ$xTGvQNICqetaNA0Wu1GwFmYhQjAreRcjBz6ornhaFXA t \N \N \N \N \N \N https://avatars.githubusercontent.com/u/106493074 t
905016946785301 \N Regular user user@modrinth.invalid https://avatars.githubusercontent.com/u/106493074 $ chmod 744 labrinth 2020-07-18 16:03:00.000000+00 developer 0 0.00000000000000000000 \N \N \N \N \N $argon2i$v=19$m=4096,t=3,p=1$c2FsdEl0V2l0aFNhbHQ$xTGvQNICqetaNA0Wu1GwFmYhQjAreRcjBz6ornhaFXA t \N \N \N \N \N \N https://avatars.githubusercontent.com/u/106493074 t
\.
INSERT INTO sessions (id, session, user_id, created, last_login, expires, refresh_expires, city, country, ip, os, platform, user_agent)
VALUES (93083445641246, 'mra_admin', 103587649610509, '2025-10-20 14:58:53.128901+00', '2025-10-20 14:58:53.128901+00', '2030-11-03 14:58:53.128901+00', '2030-12-19 14:58:53.128901+00', '', '', '127.0.0.1', 'Linux', 'Chrome', 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36');
VALUES
(93083445641246, 'mra_admin', 103587649610509, '2025-10-20 14:58:53.128901+00', '2025-10-20 14:58:53.128901+00', '2030-11-03 14:58:53.128901+00', '2030-12-19 14:58:53.128901+00', '', '', '127.0.0.1', 'Linux', 'Chrome', 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36'),
(64214654438039, 'mra_user', 905016946785301, '2025-10-20 14:58:53.128901+00', '2025-10-20 14:58:53.128901+00', '2030-11-03 14:58:53.128901+00', '2030-12-19 14:58:53.128901+00', '', '', '127.0.0.1', 'Linux', 'Chrome', 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36');
INSERT INTO payouts_values (user_id, amount, created, date_available)
VALUES (103587649610509, 1000.00000000000000000000, '2025-10-23 00:00:00+00', '2025-10-23 00:00:00+00');
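Review bot: The seeded `sessions` rows now carry two fixed, human-readable tokens (`mra_admin`, `mra_user`) that stay valid until 2030, and nothing in the visible hunk marks this file as development-only data. A comment above the `INSERT INTO sessions` statement, such as `-- development seed only: static session tokens, never load into a deployed database`, would record that constraint where the tokens live. If deployment tooling can ever apply this file, a guard on the target environment there is worth confirming; that tooling is outside this diff.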


@@ -998,12 +998,20 @@ pub async fn project_edit_internal(
_project_id: DBProjectId,
edit: Option<Option<E>>,
mut component: &mut Option<E::Component>,
perms: ProjectPermissions,
) -> Result<(), ApiError> {
let Some(edit) = edit else {
// component is not specified in the input JSON - leave alone
return Ok(());
};
if !perms.contains(ProjectPermissions::EDIT_DETAILS) {
return Err(ApiError::CustomAuthentication(
"You do not have the permissions to edit the components of this project!"
.to_string(),
));
}
match (&mut component, edit) {
(None, None) => {}
(Some(_), None) => {
@@ -1041,6 +1049,7 @@ pub async fn project_edit_internal(
id,
new_project.minecraft_server,
&mut project_item.inner.components.minecraft_server,
perms,
)
.await?;
update(
@@ -1048,6 +1057,7 @@ pub async fn project_edit_internal(
id,
new_project.minecraft_java_server,
&mut project_item.inner.components.minecraft_java_server,
perms,
)
.await?;
update(
@@ -1055,6 +1065,7 @@ pub async fn project_edit_internal(
id,
new_project.minecraft_bedrock_server,
&mut project_item.inner.components.minecraft_bedrock_server,
perms,
)
.await?;
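Review bot: The new `EDIT_DETAILS` guard in the component helper (first hunk) has no regression test in this commit, which changes only the seed data and this handler, so the authorization fix can regress unnoticed. A test that sends a component edit as a team member lacking `EDIT_DETAILS` and expects the `CustomAuthentication` error, plus one that omits the component and expects `Ok`, would pin both branches. The guard also runs before the `match`, so an explicit `null` for a component that is already absent (the `(None, None)` arm) is rejected too; if that is intended, a comment such as `// any explicit component value, even a no-op null, requires EDIT_DETAILS` would say so. The helper and `project_edit_internal` both begin and end outside the visible hunks, so whether every component write goes through this helper cannot be confirmed from here.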