@sanity/sdk 2.11.1 → 2.13.0

package/src/document/documentStore.ts

@@ -17,15 +17,18 @@ import {
   Observable,
   of,
   pairwise,
+  retry,
   startWith,
   Subject,
   switchMap,
   tap,
   throttle,
+  throwError,
   timer,
   withLatestFrom,
 } from 'rxjs'
 
+import {getCurrentUserState} from '../auth/authStore'
 import {type ClientOptions, getClientState} from '../client/clientStore'
 import {
   type DocumentHandle,
@@ -44,7 +47,12 @@ import {type SanityInstance} from '../store/createSanityInstance'
 import {createStateSourceAction, type StateSource} from '../store/createStateSourceAction'
 import {defineStore, type StoreContext} from '../store/defineStore'
 import {type DocumentAction} from './actions'
-import {API_VERSION, INITIAL_OUTGOING_THROTTLE_TIME} from './documentConstants'
+import {
+  API_VERSION,
+  INITIAL_OUTGOING_THROTTLE_TIME,
+  OUT_OF_SYNC_RETRY_BASE_DELAY,
+  OUT_OF_SYNC_RETRY_MAX_DELAY,
+} from './documentConstants'
 import {
   type DocumentEvent,
   type DocumentTransactionSubmissionResult,
@@ -60,6 +68,7 @@ import {
   type Grant,
 } from './permissions'
 import {ActionError} from './processActions/processActions'
+import {isReleaseAction} from './processActions/releaseUtil'
 import {
   type AppliedTransaction,
   applyFirstQueuedTransaction,
@@ -81,6 +90,10 @@ export interface DocumentStoreState {
   applied: AppliedTransaction[]
   outgoing?: OutgoingTransaction
   grants?: Record<Grant, ExprNode>
+  /**
+   * The current user's identity (their user ID).
+   */
+  identity?: string
   error?: unknown
   sharedListener: SharedListener
   fetchDocument: (documentId: string) => Observable<SanityDocument | null>
@@ -140,6 +153,7 @@ export const documentStore = defineStore<DocumentStoreState, BoundResourceKey>({
       subscribeToSubscriptionsAndListenToDocuments(context),
       subscribeToAppliedAndSubmitNextTransaction(context),
       subscribeToClientAndFetchDatasetAcl(context),
+      subscribeToCurrentUserAndSetIdentity(context),
     ]
 
     return () => {
@@ -414,10 +428,11 @@ const subscribeToAppliedAndSubmitNextTransaction = ({
           outgoing,
         }))
 
-        // Any liveEdit action in the batch routes to the mutations API. For mixed batches
-        // non-liveEdit operations (e.g. publish) lose atomicity, but that is acceptable
-        // given how rare mixed batches are.
-        if (outgoing.actions.some((action) => action.liveEdit)) {
+        // liveEdit transactions route to the mutations API; everything else routes
+        // to the actions API. processActions rejects transactions that mix the two,
+        // and reducers won't batch across that boundary, so a batch is always
+        // entirely liveEdit or entirely not.
+        if (outgoing.actions.some((action) => !isReleaseAction(action) && action.liveEdit)) {
           return client.observable
             .mutate(outgoing.outgoingMutations as Mutation[], {
               transactionId: outgoing.transactionId,
@@ -430,7 +445,6 @@ const subscribeToAppliedAndSubmitNextTransaction = ({
             .pipe(revertOnError, toResult)
         }
 
-        // Pure non-liveEdit transactions use the actions API.
         return client.observable
           .action(outgoing.outgoingActions as Action[], {
             transactionId: outgoing.transactionId,
@@ -496,10 +510,15 @@ const subscribeToSubscriptionsAndListenToDocuments = (
           switchMap((e) => {
             if (!e.add) return EMPTY
             return listen(context, e.id).pipe(
-              catchError((error) => {
-                // retry on `OutOfSyncError`
-                if (error instanceof OutOfSyncError) listen(context, e.id)
-                throw error
+              retry({
+                delay: (error, retryCount) => {
+                  if (!(error instanceof OutOfSyncError)) return throwError(() => error)
+                  const backoff = Math.min(
+                    OUT_OF_SYNC_RETRY_BASE_DELAY * 2 ** (retryCount - 1),
+                    OUT_OF_SYNC_RETRY_MAX_DELAY,
+                  )
+                  return timer(backoff)
+                },
               }),
               tap((remote) =>
                 state.set('applyRemoteDocument', (prev) =>
@@ -547,3 +566,16 @@ const subscribeToClientAndFetchDatasetAcl = ({
       error: (error) => state.set('setError', {error}),
     })
 }
+
+const subscribeToCurrentUserAndSetIdentity = ({
+  instance,
+  state,
+}: StoreContext<DocumentStoreState, BoundResourceKey>) =>
+  getCurrentUserState(instance).observable.subscribe({
+    next: (currentUser) => state.set('setIdentity', {identity: currentUser?.id}),
+    // A transient identity-fetch failure (network blip, expired token, or a
+    // normal logout/re-login transition) should not brick all document
+    // operations. Reset the identity to `undefined` and keep going — GROQ's
+    // `identity()` then evaluates to null, matching the unauthenticated state.
+    error: () => state.set('setIdentity', {identity: undefined}),
+  })

package/src/document/events.test.ts

@@ -1,6 +1,6 @@
 import {describe, expect, it} from 'vitest'
 
-import {type DocumentAction} from '../document/actions'
+import {type Action, type DocumentAction} from '../document/actions'
 import {type DocumentEvent, getDocumentEvents} from '../document/events'
 import {type OutgoingTransaction} from '../document/reducers'
 
@@ -41,11 +41,66 @@ describe('getDocumentEvents', () => {
     expect(events).toHaveLength(outgoing.actions.length)
     events.forEach((event) => {
       const action = outgoing.actions.find(
-        (a) => 'documentId' in event && event.documentId === a.documentId,
+        (a) => 'documentId' in a && 'documentId' in event && event.documentId === a.documentId,
       )
       expect(action).toBeDefined()
       expect(event.type).toEqual(expectedMap[action!.type])
       expect((event as Extract<DocumentEvent, {outgoing: unknown}>).outgoing).toBe(outgoing)
     })
   })
+
+  it('emits created/edited/deleted events for release.create/edit/delete with release doc IDs', () => {
+    const outgoing: OutgoingTransaction = {
+      transactionId: 'txn-release',
+      actions: [
+        {type: 'release.create', releaseId: 'r1'} as Action,
+        {type: 'release.edit', releaseId: 'r2', patch: {set: {}}} as Action,
+        {type: 'release.delete', releaseId: 'r3'} as Action,
+      ],
+      disableBatching: false,
+      batchedTransactionIds: [],
+      outgoingActions: [],
+      outgoingMutations: [],
+      base: {},
+      working: {},
+      previous: {},
+      previousRevs: {},
+      timestamp: '2025-02-06T00:00:00.000Z',
+    }
+
+    const events = getDocumentEvents(outgoing)
+    expect(events).toEqual([
+      {type: 'created', documentId: '_.releases.r1', outgoing},
+      {type: 'edited', documentId: '_.releases.r2', outgoing},
+      {type: 'deleted', documentId: '_.releases.r3', outgoing},
+    ])
+  })
+
+  it('skips release actions that have no local mutation (publish/schedule/archive/etc.)', () => {
+    const outgoing: OutgoingTransaction = {
+      transactionId: 'txn-release-noop',
+      actions: [
+        {type: 'release.publish', releaseId: 'r1'} as Action,
+        {
+          type: 'release.schedule',
+          releaseId: 'r2',
+          publishAt: '2026-01-01T00:00:00.000Z',
+        } as Action,
+        {type: 'release.unschedule', releaseId: 'r3'} as Action,
+        {type: 'release.archive', releaseId: 'r4'} as Action,
+        {type: 'release.unarchive', releaseId: 'r5'} as Action,
+      ],
+      disableBatching: false,
+      batchedTransactionIds: [],
+      outgoingActions: [],
+      outgoingMutations: [],
+      base: {},
+      working: {},
+      previous: {},
+      previousRevs: {},
+      timestamp: '2025-02-06T00:00:00.000Z',
+    }
+
+    expect(getDocumentEvents(outgoing)).toEqual([])
+  })
 })

package/src/document/events.ts

@@ -1,6 +1,7 @@
 import {type MultipleMutationResult, type SanityClient} from '@sanity/client'
 
-import {type DocumentAction} from './actions'
+import {type DocumentAction, type ReleaseAction} from './actions'
+import {getReleaseDocumentId, isReleaseAction} from './processActions/releaseUtil'
 import {type OutgoingTransaction} from './reducers'
 
 /** @beta Response body from submitting an outgoing transaction (actions or mutations API). */
@@ -118,31 +119,49 @@ export interface DocumentDiscardedEvent {
   outgoing: OutgoingTransaction
 }
 
-export function getDocumentEvents(outgoing: OutgoingTransaction): DocumentEvent[] {
-  const documentIdsByAction = Object.entries(
-    outgoing.actions.reduce(
-      (acc, {type, documentId}) => {
-        const ids = acc[type] || new Set()
-        if (documentId) ids.add(documentId)
-        acc[type] = ids
-        return acc
-      },
-      {} as Record<DocumentAction['type'], Set<string>>,
-    ),
-  ) as [DocumentAction['type'], Set<string>][]
+// Release actions that write a mutation to the local release doc map onto
+// the regular per-document events with `documentId = '_.releases.<releaseId>'`.
+// The other release actions (publish/schedule/unschedule/archive/unarchive)
+// don't mutate local state, so they aren't in the map and get skipped — they
+// surface through the transaction-level `accepted`/`reverted` events instead.
+const actionMap = {
+  'document.create': 'created',
+  'document.delete': 'deleted',
+  'document.discard': 'discarded',
+  'document.edit': 'edited',
+  'document.publish': 'published',
+  'document.unpublish': 'unpublished',
+  'release.create': 'created',
+  'release.edit': 'edited',
+  'release.delete': 'deleted',
+} satisfies Partial<Record<DocumentAction['type'] | ReleaseAction['type'], DocumentEvent['type']>>
+
+type MappedActionType = keyof typeof actionMap
 
-  const actionMap = {
-    'document.create': 'created',
-    'document.delete': 'deleted',
-    'document.discard': 'discarded',
-    'document.edit': 'edited',
-    'document.publish': 'published',
-    'document.unpublish': 'unpublished',
-  } satisfies Record<DocumentAction['type'], DocumentEvent['type']>
+export function getDocumentEvents(outgoing: OutgoingTransaction): DocumentEvent[] {
+  const documentIdsByAction = outgoing.actions.reduce(
+    (acc, action) => {
+      if (!(action.type in actionMap)) return acc
+      const documentId = isReleaseAction(action)
+        ? getReleaseDocumentId(action.releaseId)
+        : action.documentId
+      if (!documentId) return acc
+      const type = action.type as MappedActionType
+      const ids = acc[type] ?? new Set<string>()
+      ids.add(documentId)
+      acc[type] = ids
+      return acc
+    },
+    {} as Partial<Record<MappedActionType, Set<string>>>,
+  )
 
-  return documentIdsByAction.flatMap(([actionType, documentIds]) =>
-    Array.from(documentIds).map(
-      (documentId): DocumentEvent => ({type: actionMap[actionType], documentId, outgoing}),
+  return Object.entries(documentIdsByAction).flatMap(([actionType, documentIds]) =>
+    Array.from(documentIds ?? []).map(
+      (documentId): DocumentEvent => ({
+        type: actionMap[actionType as MappedActionType],
+        documentId,
+        outgoing,
+      }),
     ),
   )
 }

package/src/document/listen.ts

@@ -20,7 +20,7 @@ import {type StoreContext} from '../store/defineStore'
 import {type DocumentStoreState} from './documentStore'
 import {processMutations} from './processMutations'
 
-const DEFAULT_MAX_BUFFER_SIZE = 20
+export const DEFAULT_MAX_BUFFER_SIZE = 20
 const DEFAULT_DEADLINE_MS = 30000
 
 export interface RemoteDocument {

package/src/document/permissions.test.ts

@@ -32,9 +32,11 @@ const alwaysDeny = parse('false')
 const createState = (
   docStates: Record<string, {local: unknown}>,
   grants?: Record<Grant, ExprNode>,
+  identity?: string,
 ): SyncTransactionState => ({
   documentStates: docStates as SyncTransactionState['documentStates'],
   grants,
+  identity,
   queued: [],
   applied: [],
 })
@@ -52,6 +54,18 @@ describe('createGrantsLookup', () => {
       expect(evaluateSync(grants[key], {params: {document: dummyDoc}}).data).toBe(true)
     })
   })
+
+  it('should ignore unknown permissions like "manage"', () => {
+    const datasetAcl = [
+      {filter: '_id != null', permissions: ['history', 'read', 'update', 'create', 'manage']},
+    ] as DatasetAcl
+    const grants = createGrantsLookup(datasetAcl)
+    const dummyDoc = {_id: 'doc1'}
+    ;(['read', 'update', 'create', 'history'] as Grant[]).forEach((key) => {
+      expect(grants[key]).toBeDefined()
+      expect(evaluateSync(grants[key], {params: {document: dummyDoc}}).data).toBe(true)
+    })
+  })
 })
 
 describe('calculatePermissions', () => {
@@ -234,4 +248,69 @@ describe('calculatePermissions', () => {
     const result2 = calculatePermissions({instance, state}, {actions: [{...action}]})
     expect(result1).toBe(result2)
   })
+
+  describe('identity-aware grants', () => {
+    // Mirrors the canvas ACL filter shape: only the document's creator may
+    // update it. Without an identity passed to groq, `identity()` is null and
+    // the expression collapses to null — which used to read as "denied".
+    const canvasUpdateAcl: DatasetAcl = [
+      {
+        filter: '_type == "sanity.canvas.document" && _system.createdBy == identity()',
+        permissions: ['read', 'update'],
+      },
+    ]
+
+    const canvasDoc = (createdBy: string): SanityDocument => ({
+      _id: 'canvas-1',
+      _type: 'sanity.canvas.document',
+      _createdAt: '2025-01-01T00:00:00.000Z',
+      _updatedAt: '2025-01-01T00:00:00.000Z',
+      _rev: 'rev-1',
+      _system: {createdBy},
+    })
+
+    const editAction: DocumentAction = {
+      documentId: 'canvas-1',
+      documentType: 'sanity.canvas.document',
+      type: 'document.edit',
+      liveEdit: true,
+    }
+
+    it('allows edits when identity matches the document creator', () => {
+      const state = createState(
+        {'canvas-1': {local: canvasDoc('user-A')}},
+        createGrantsLookup(canvasUpdateAcl),
+        'user-A',
+      )
+      expect(calculatePermissions({instance, state}, {actions: [editAction]})).toEqual({
+        allowed: true,
+      })
+    })
+
+    it('denies edits when identity does not match the document creator', () => {
+      const state = createState(
+        {'canvas-1': {local: canvasDoc('user-A')}},
+        createGrantsLookup(canvasUpdateAcl),
+        'user-B',
+      )
+      const result = calculatePermissions({instance, state}, {actions: [editAction]})
+      expect(result?.allowed).toBe(false)
+      expect(result?.reasons).toEqual(
+        expect.arrayContaining([expect.objectContaining({type: 'access', documentId: 'canvas-1'})]),
+      )
+    })
+
+    it('denies edits when identity is not yet loaded', () => {
+      const state = createState(
+        {'canvas-1': {local: canvasDoc('user-A')}},
+        createGrantsLookup(canvasUpdateAcl),
+        undefined,
+      )
+      const result = calculatePermissions({instance, state}, {actions: [editAction]})
+      expect(result?.allowed).toBe(false)
+      expect(result?.reasons).toEqual(
+        expect.arrayContaining([expect.objectContaining({type: 'access', documentId: 'canvas-1'})]),
+      )
+    })
+  })
 })

package/src/document/permissions.ts

@@ -1,6 +1,6 @@
 import {DocumentId, getDraftId, getPublishedId, getVersionId} from '@sanity/id-utils'
 import {type SanityDocument} from '@sanity/types'
-import {evaluateSync, type ExprNode, parse} from 'groq-js'
+import {type ExprNode, parse} from 'groq-js'
 import {createSelector} from 'reselect'
 
 import {isReleasePerspective} from '../releases/utils/isReleasePerspective'
@@ -8,6 +8,7 @@ import {type SelectorContext} from '../store/createStateSourceAction'
 import {MultiKeyWeakMap} from '../utils/MultiKeyWeakMap'
 import {type DocumentAction} from './actions'
 import {ActionError, PermissionActionError, processActions} from './processActions/processActions'
+import {checkGrant} from './processActions/shared'
 import {type DocumentSet} from './processMutations'
 import {type SyncTransactionState} from './reducers'
 
@@ -29,6 +30,8 @@ export function createGrantsLookup(datasetAcl: DatasetAcl): Record<Grant, ExprNo
   for (const entry of datasetAcl) {
     for (const grant of entry.permissions) {
       const set = filtersByGrant[grant]
+      // Ignore permissions we don't model (e.g. "manage")
+      if (!set) continue
       set.add(entry.filter)
       filtersByGrant[grant] = set
     }
@@ -140,11 +143,6 @@ const memoizedActionsSelector = createSelector(
   },
 )
 
-function checkGrant(grantExpr: ExprNode, document: SanityDocument): boolean {
-  const value = evaluateSync(grantExpr, {params: {document}})
-  return value.type === 'boolean' && value.data
-}
-
 /** @beta */
 export interface PermissionDeniedReason {
   type: 'precondition' | 'access'
@@ -172,11 +170,13 @@ export function calculatePermissions(
 const _calculatePermissions = createSelector(
   [
     ({state: {grants}}: SelectorContext<SyncTransactionState>) => grants,
+    ({state: {identity}}: SelectorContext<SyncTransactionState>) => identity,
     documentsSelector,
     memoizedActionsSelector,
   ],
   (
     grants: Record<Grant, ExprNode> | undefined,
+    identity: string | undefined,
     documents: DocumentSet | undefined,
     actions: DocumentAction[] | undefined,
   ): DocumentPermissionsResult | undefined => {
@@ -195,6 +195,7 @@ const _calculatePermissions = createSelector(
         base: documents,
         timestamp,
         grants,
+        identity,
       })
     } catch (error) {
       if (error instanceof PermissionActionError) {
@@ -244,7 +245,7 @@ const _calculatePermissions = createSelector(
               documentId: docId,
             })
           }
-        } else if (!checkGrant(grants.update, doc)) {
+        } else if (!checkGrant(grants.update, doc, identity)) {
           reasons.push({
             type: 'access',
             message: `You are not allowed to edit the document with ID "${docId}".`,

package/src/document/processActions/create.ts

@@ -16,7 +16,7 @@ export function handleCreate(
   action: CreateDocumentAction,
   ctx: ActionHandlerContext,
 ): ActionHandlerResult {
-  const {transactionId, timestamp, grants, outgoingActions, outgoingMutations} = ctx
+  const {transactionId, timestamp, grants, identity, outgoingActions, outgoingMutations} = ctx
   let {base, working} = ctx
 
   const documentId = getId(action.documentId)
@@ -51,7 +51,7 @@ export function handleCreate(
       timestamp,
     })
 
-    if (!checkGrant(grants.create, working[documentId] as SanityDocument)) {
+    if (!checkGrant(grants.create, working[documentId] as SanityDocument, identity)) {
       throw new PermissionActionError({
         documentId,
         transactionId,
@@ -111,13 +111,16 @@ export function handleCreate(
     timestamp,
   })
 
-  if (versionId && !checkGrant(grants.create, working[versionId] as SanityDocument)) {
+  if (versionId && !checkGrant(grants.create, working[versionId] as SanityDocument, identity)) {
     throw new PermissionActionError({
       documentId,
       transactionId,
       message: `You do not have permission to create a release version for document "${documentId}".`,
     })
-  } else if (!versionId && !checkGrant(grants.create, working[draftId] as SanityDocument)) {
+  } else if (
+    !versionId &&
+    !checkGrant(grants.create, working[draftId] as SanityDocument, identity)
+  ) {
     throw new PermissionActionError({
       documentId,
       transactionId,

package/src/document/processActions/delete.ts

@@ -16,7 +16,7 @@ export function handleDelete(
   action: DeleteDocumentAction,
   ctx: ActionHandlerContext,
 ): ActionHandlerResult {
-  const {transactionId, timestamp, grants, outgoingActions, outgoingMutations} = ctx
+  const {transactionId, timestamp, grants, identity, outgoingActions, outgoingMutations} = ctx
   let {base, working} = ctx
 
   const documentId = action.documentId
@@ -38,7 +38,7 @@ export function handleDelete(
       })
     }
 
-    if (!checkGrant(grants.update, working[documentId])) {
+    if (!checkGrant(grants.update, working[documentId], identity)) {
       throw new PermissionActionError({
         documentId,
         transactionId,
@@ -72,9 +72,9 @@ export function handleDelete(
     })
   }
 
-  const cantDeleteDraft = working[draftId] && !checkGrant(grants.update, working[draftId])
+  const cantDeleteDraft = working[draftId] && !checkGrant(grants.update, working[draftId], identity)
   const cantDeletePublished =
-    working[publishedId] && !checkGrant(grants.update, working[publishedId])
+    working[publishedId] && !checkGrant(grants.update, working[publishedId], identity)
 
   if (cantDeleteDraft || cantDeletePublished) {
     throw new PermissionActionError({

package/src/document/processActions/discard.ts

@@ -16,7 +16,7 @@ export function handleDiscard(
   action: DiscardDocumentAction,
   ctx: ActionHandlerContext,
 ): ActionHandlerResult {
-  const {transactionId, timestamp, grants, outgoingActions, outgoingMutations} = ctx
+  const {transactionId, timestamp, grants, identity, outgoingActions, outgoingMutations} = ctx
   let {base, working} = ctx
 
   const documentId = getId(action.documentId)
@@ -43,7 +43,7 @@ export function handleDiscard(
     })
   }
 
-  if (!checkGrant(grants.update, working[versionId])) {
+  if (!checkGrant(grants.update, working[versionId], identity)) {
     throw new PermissionActionError({
       documentId,
       transactionId,

package/src/document/processActions/edit.ts

@@ -9,6 +9,7 @@ import {
   ActionError,
   type ActionHandlerContext,
   type ActionHandlerResult,
+  applySingleDocPatch,
   checkGrant,
   PermissionActionError,
 } from './shared'
@@ -17,60 +18,25 @@ export function handleEdit(
   action: EditDocumentAction,
   ctx: ActionHandlerContext,
 ): ActionHandlerResult {
-  const {transactionId, timestamp, grants, outgoingActions, outgoingMutations} = ctx
+  const {transactionId, timestamp, grants, identity, outgoingActions, outgoingMutations} = ctx
   let {base, working} = ctx
 
   const documentId = getId(action.documentId)
 
   if (action.liveEdit) {
-    // Single-document mode (liveEdit or release perspective): edit directly without draft logic
-    const userPatches = action.patches?.map((patch) => ({patch: {id: documentId, ...patch}}))
-
-    // skip this action if there are no associated patches
-    if (!userPatches?.length) return {base, working}
-
-    if (!working[documentId] || !base[documentId]) {
-      throw new ActionError({
-        documentId,
-        transactionId,
-        message: `Cannot edit document because it does not exist.`,
-      })
-    }
-
-    const baseBefore = base[documentId] as SanityDocument
-    if (userPatches) {
-      base = processMutations({
-        documents: base,
-        transactionId,
-        mutations: userPatches,
-        timestamp,
-      })
-    }
-
-    const baseAfter = base[documentId] as SanityDocument
-    const patches = diffValue(baseBefore, baseAfter)
-
-    const workingBefore = working[documentId] as SanityDocument
-    if (!checkGrant(grants.update, workingBefore)) {
-      throw new PermissionActionError({
-        documentId,
-        transactionId,
-        message: `You do not have permission to edit document "${documentId}".`,
-      })
-    }
-
-    const workingMutations = patches.map((patch) => ({patch: {id: documentId, ...patch}}))
-
-    working = processMutations({
-      documents: working,
+    const result = applySingleDocPatch({
+      base,
+      working,
+      documentId,
+      patches: action.patches,
       transactionId,
-      mutations: workingMutations,
       timestamp,
+      grants,
+      identity,
     })
-
     // liveEdit documents use the mutation endpoint directly -- we don't send actions
-    outgoingMutations.push(...workingMutations)
-    return {base, working}
+    outgoingMutations.push(...result.workingMutations)
+    return {base: result.base, working: result.working}
   }
 
   const versionId = isReleasePerspective(action.perspective)
@@ -133,7 +99,7 @@ export function handleEdit(
   if (!isReleasePerspective(action.perspective) && !working[draftId] && working[publishedId]) {
     const newDraftFromPublished = {...working[publishedId], _id: draftId}
 
-    if (!checkGrant(grants.create, newDraftFromPublished)) {
+    if (!checkGrant(grants.create, newDraftFromPublished, identity)) {
       throw new PermissionActionError({
         documentId,
         transactionId,
@@ -146,7 +112,7 @@ export function handleEdit(
 
   // the first if statement should make this never be null or undefined
   const workingBefore = working[patchDocumentId] ?? working[publishedId]
-  if (!checkGrant(grants.update, workingBefore!)) {
+  if (!checkGrant(grants.update, workingBefore!, identity)) {
     throw new PermissionActionError({
       documentId,
       transactionId,