@sanity/sdk 2.12.0 → 2.14.0

package/src/auth/refreshStampedToken.ts

@@ -14,6 +14,7 @@ import {
 
 import {type StoreContext} from '../store/defineStore'
 import {DEFAULT_API_VERSION, REQUEST_TAG_PREFIX} from './authConstants'
+import {getAuthLogger} from './authLogger'
 import {AuthStateType} from './authStateType'
 import {type AuthState, type AuthStoreState} from './authStore'
 
@@ -141,7 +142,12 @@ function shouldRefreshToken(lastRefresh: number | undefined): boolean {
 /**
  * @internal
  */
-export const refreshStampedToken = ({state}: StoreContext<AuthStoreState>): Subscription => {
+export const refreshStampedToken = ({
+  state,
+  instance,
+}: StoreContext<AuthStoreState>): Subscription => {
+  const logger = getAuthLogger(instance)
+
   const {clientFactory, apiHost, storageArea, storageKey} = state.get().options
 
   const refreshToken$ = state.observable.pipe(
@@ -171,14 +177,17 @@ export const refreshStampedToken = ({state}: StoreContext<AuthStoreState>): Subs
         // Read the latest token directly from state inside refresh
         const currentState = state.get()
         if (currentState.authState.type !== AuthStateType.LOGGED_IN) {
+          logger.debug('Token refresh aborted - user logged out')
           throw new Error('User logged out before refresh could complete') // Abort refresh
         }
         const currentToken = currentState.authState.token
 
+        logger.debug('Refreshing stamped token')
         const response = await firstValueFrom(
           createTokenRefreshStream(currentToken, clientFactory, apiHost),
         )
 
+        logger.info('Token refreshed successfully')
         state.set('setRefreshStampedToken', (prev) => ({
           authState:
             prev.authState.type === AuthStateType.LOGGED_IN
@@ -276,6 +285,7 @@ export const refreshStampedToken = ({state}: StoreContext<AuthStoreState>): Subs
 
   return refreshToken$.subscribe({
     next: (response: {token: string}) => {
+      logger.debug('Token refresh completed, updating state')
       state.set('setRefreshStampedToken', (prev) => ({
         authState:
           prev.authState.type === AuthStateType.LOGGED_IN
@@ -289,6 +299,7 @@ export const refreshStampedToken = ({state}: StoreContext<AuthStoreState>): Subs
       storageArea?.setItem(storageKey, JSON.stringify({token: response.token}))
     },
     error: (error) => {
+      logger.error('Token refresh failed', {error})
       state.set('setRefreshStampedTokenError', {authState: {type: AuthStateType.ERROR, error}})
     },
   })

package/src/auth/subscribeToStateAndFetchCurrentUser.test.ts

@@ -1,6 +1,6 @@
 import {type CurrentUser} from '@sanity/types'
 import {delay, of, throwError} from 'rxjs'
-import {beforeEach, describe, it} from 'vitest'
+import {beforeEach, describe, expect, it, vi} from 'vitest'
 
 import {createSanityInstance} from '../store/createSanityInstance'
 import {createStoreState} from '../store/createStoreState'
@@ -8,13 +8,28 @@ import {AuthStateType} from './authStateType'
 import {authStore} from './authStore'
 import {subscribeToStateAndFetchCurrentUser} from './subscribeToStateAndFetchCurrentUser'
 
+// Mock logger to prevent actual logging during tests
+vi.mock('../utils/logger', async (importOriginal) => {
+  const original = await importOriginal<typeof import('../utils/logger')>()
+  return {
+    ...original,
+    createLogger: vi.fn(() => ({
+      info: vi.fn(),
+      debug: vi.fn(),
+      warn: vi.fn(),
+      error: vi.fn(),
+      trace: vi.fn(),
+    })),
+  }
+})
+
 describe('subscribeToStateAndFetchCurrentUser', () => {
   beforeEach(() => {
     vi.clearAllMocks()
   })
 
   it('fetches the current user if the is logged in without a current user present', () => {
-    const mockUser = {id: 'example-user'} as CurrentUser
+    const mockUser = {id: 'example-user', email: 'user@example.com'} as CurrentUser
     const mockRequest = vi.fn().mockReturnValue(of(mockUser))
     const mockClient = {observable: {request: mockRequest}}
     const clientFactory = vi.fn().mockReturnValue(mockClient)

package/src/auth/subscribeToStateAndFetchCurrentUser.ts

@@ -11,6 +11,7 @@ import {
 
 import {type StoreContext} from '../store/defineStore'
 import {DEFAULT_API_VERSION, REQUEST_TAG_PREFIX} from './authConstants'
+import {getAuthLogger} from './authLogger'
 import {isStudioConfig} from './authMode'
 import {AuthStateType} from './authStateType'
 import {type AuthMethodOptions, type AuthState, type AuthStoreState} from './authStore'
@@ -30,6 +31,8 @@ export const subscribeToStateAndFetchCurrentUser = (
   {state, instance}: StoreContext<AuthStoreState>,
   fetchOptions?: {useProjectHostname?: boolean},
 ): Subscription => {
+  const logger = getAuthLogger(instance)
+
   const {clientFactory, apiHost} = state.get().options
   const useProjectHostname = fetchOptions?.useProjectHostname ?? isStudioConfig(instance.config)
   const projectId = instance.config.projectId
@@ -82,6 +85,7 @@ export const subscribeToStateAndFetchCurrentUser = (
              * @see SDK-1409
              */
             catchError((error) => {
+              logger.error('Failed to fetch current user', {error})
               state.set('setError', {authState: {type: AuthStateType.ERROR, error}})
               return EMPTY
             }),
@@ -91,6 +95,11 @@ export const subscribeToStateAndFetchCurrentUser = (
 
   return currentUser$.subscribe({
     next: (currentUser) => {
+      logger.info('Current user fetched successfully', {
+        hasEmail: !!currentUser.email,
+      })
+      // userId is PII, so only surface it at debug level
+      logger.debug('Current user details', {userId: currentUser.id})
       state.set('setCurrentUser', (prev) => ({
         authState:
           prev.authState.type === AuthStateType.LOGGED_IN

package/src/document/applyDocumentActions.test.ts

@@ -202,4 +202,28 @@ describe('applyDocumentActions', () => {
     childInstance.dispose()
     parentInstance.dispose()
   })
+
+  it('normalizes actions for the bound resource before queueing', async () => {
+    // A plain edit action with no `liveEdit` flag. Canvas forces liveEdit, so
+    // the queued action should come back with `liveEdit: true` — proving that
+    // `applyDocumentActions` runs `normalizeActionsForResource`.
+    const action: DocumentAction = {
+      type: 'document.edit',
+      documentId: 'doc1',
+      documentType: 'sanity.canvas.document',
+      patches: [{set: {foo: 'bar'}}],
+    }
+
+    // Don't await — we only need to inspect the synchronously-queued transaction.
+    applyDocumentActions(instance, {
+      actions: [action],
+      transactionId: 'txn-normalize',
+      resource: {canvasId: 'c'},
+    })
+
+    const queued = state.get().queued.find((t) => t.transactionId === 'txn-normalize')
+    expect(queued).toBeDefined()
+    const [queuedAction] = queued!.actions
+    expect(queuedAction).toMatchObject({type: 'document.edit', liveEdit: true})
+  })
 })

package/src/document/applyDocumentActions.ts

@@ -10,6 +10,7 @@ import {documentStore, type DocumentStoreState} from './documentStore'
 import {type DocumentTransactionSubmissionResult} from './events'
 import {type DocumentSet} from './processMutations'
 import {type AppliedTransaction, type QueuedTransaction, queueTransaction} from './reducers'
+import {normalizeActionsForResource} from './resourceRules'
 
 /** @beta */
 export interface ActionsResult<TDocument extends SanityDocument = SanityDocument> {
@@ -73,13 +74,23 @@ const boundApplyDocumentActions = bindActionByResource(documentStore, _applyDocu
 /** @internal */
 async function _applyDocumentActions(
   {state}: StoreContext<DocumentStoreState>,
-  {actions, transactionId = crypto.randomUUID(), disableBatching}: ApplyDocumentActionsOptions,
+  {
+    actions,
+    resource,
+    transactionId = crypto.randomUUID(),
+    disableBatching,
+  }: ApplyDocumentActionsOptions,
 ): Promise<ActionsResult> {
   const {events} = state.get()
 
+  // Rewrite edit actions to match the bound resource's editing model (e.g.
+  // forcing liveEdit for Canvas, stripping unsupported release perspectives).
+  // Non-edit and release actions pass through unchanged.
+  const normalizedActions = normalizeActionsForResource(actions, resource)
+
   const transaction: QueuedTransaction = {
     transactionId,
-    actions,
+    actions: normalizedActions,
     ...(disableBatching && {disableBatching}),
   }
 

package/src/document/documentConstants.ts

@@ -8,3 +8,10 @@
 export const DOCUMENT_STATE_CLEAR_DELAY = 1000
 export const INITIAL_OUTGOING_THROTTLE_TIME = 1000
 export const API_VERSION = 'v2025-05-06'
+
+/**
+ * Base delay (ms) before retrying a document listener after an `OutOfSyncError`.
+ * Backoff doubles on each successive retry, capped at {@link OUT_OF_SYNC_RETRY_MAX_DELAY}.
+ */
+export const OUT_OF_SYNC_RETRY_BASE_DELAY = 500
+export const OUT_OF_SYNC_RETRY_MAX_DELAY = 10_000

package/src/document/documentStore.test.ts

@@ -42,6 +42,7 @@ import {
   subscribeDocumentEvents,
 } from './documentStore'
 import {type ActionErrorEvent, type TransactionRevertedEvent} from './events'
+import {DEFAULT_MAX_BUFFER_SIZE} from './listen'
 import {type DatasetAcl} from './permissions'
 import {type DocumentSet, processMutations} from './processMutations'
 import {type HttpAction} from './reducers'
@@ -1006,6 +1007,72 @@ it('version edits are isolated from draft state', async () => {
   unsubscribeDraft()
 })
 
+it('subscribeToSubscriptionsAndListenToDocuments recovers from an OutOfSyncError instead of failing the document store', async () => {
+  const documentId = DocumentId('doc-out-of-sync-recovery')
+  const doc = createDocumentHandle({documentId, documentType: 'article'})
+  const documentState = getDocumentState<TestDocument>(instance, doc)
+  const unsubscribe = documentState.subscribe()
+  const draftId = getDraftId(documentId)
+
+  // Establish a synced document so the listener has a base revision.
+  const created = await applyDocumentActions(instance, {
+    actions: [createDocument(doc), editDocument(doc, {set: {title: 'initial'}})],
+  })
+  await created.submitted()
+  expect(documentState.getCurrent()?.title).toBe('initial')
+
+  // Capture the fetchDocument spy so we can detect when the listener
+  // re-subscribes. (every frest subscription re-runs fetchDocument)
+  const fetchDocumentSpy = vi.mocked(createFetchDocument).mock.results.at(-1)?.value as ReturnType<
+    typeof vi.fn
+  >
+  const fetchCallsBefore = fetchDocumentSpy.mock.calls.filter(([id]) => id === draftId).length
+
+  // Inject DEFAULT_MAX_BUFFER_SIZE mutations whose previousRev doesn't chain
+  // to the base revision (basically forcing the error)
+  const sharedListener = (
+    createSharedListener as unknown as () => {events: Subject<ListenEvent<SanityDocument>>}
+  )()
+  for (let i = 0; i < DEFAULT_MAX_BUFFER_SIZE; i++) {
+    sharedListener.events.next({
+      type: 'mutation',
+      documentId: draftId,
+      eventId: `bad-${i}`,
+      identity: 'user',
+      mutations: [],
+      timestamp: new Date().toISOString(),
+      transactionId: `bad-tx-${i}`,
+      transactionCurrentEvent: 0,
+      transactionTotalEvents: 1,
+      previousRev: `dangling-rev-${i}`,
+      resultRev: `bad-rev-${i}`,
+      transition: 'update',
+      visibility: 'query',
+    })
+  }
+
+  // The above should have triggered a retry and re-subscribed to the listener
+  await vi.waitFor(() => {
+    expect(fetchDocumentSpy.mock.calls.filter(([id]) => id === draftId).length).toBeGreaterThan(
+      fetchCallsBefore,
+    )
+  })
+
+  // The store stayed healthy through the OutOfSyncError.
+  expect(() => documentState.getCurrent()).not.toThrow()
+  expect(() => getDocumentSyncStatus(instance, doc).getCurrent()).not.toThrow()
+
+  // A follow-up edit still propagates through the recovered listener.
+  const edited = await applyDocumentActions(instance, {
+    actions: [editDocument(doc, {set: {title: 'after-recovery'}})],
+    resource,
+  })
+  await edited.submitted()
+  expect(documentState.getCurrent()?.title).toBe('after-recovery')
+
+  unsubscribe()
+})
+
 vi.mock('../client/clientStore.ts', () => ({
   getClientState: vi.fn().mockReturnValue({observable: new ReplaySubject(1)}),
 }))
@@ -1039,6 +1106,8 @@ vi.mock('./documentConstants.ts', async (importOriginal) => {
     ...original,
     INITIAL_OUTGOING_THROTTLE_TIME: 0,
     DOCUMENT_STATE_CLEAR_DELAY: 25,
+    OUT_OF_SYNC_RETRY_BASE_DELAY: 0,
+    OUT_OF_SYNC_RETRY_MAX_DELAY: 0,
   }
 })
 

package/src/document/documentStore.ts

@@ -17,15 +17,18 @@ import {
   Observable,
   of,
   pairwise,
+  retry,
   startWith,
   Subject,
   switchMap,
   tap,
   throttle,
+  throwError,
   timer,
   withLatestFrom,
 } from 'rxjs'
 
+import {getCurrentUserState} from '../auth/authStore'
 import {type ClientOptions, getClientState} from '../client/clientStore'
 import {
   type DocumentHandle,
@@ -44,7 +47,12 @@ import {type SanityInstance} from '../store/createSanityInstance'
 import {createStateSourceAction, type StateSource} from '../store/createStateSourceAction'
 import {defineStore, type StoreContext} from '../store/defineStore'
 import {type DocumentAction} from './actions'
-import {API_VERSION, INITIAL_OUTGOING_THROTTLE_TIME} from './documentConstants'
+import {
+  API_VERSION,
+  INITIAL_OUTGOING_THROTTLE_TIME,
+  OUT_OF_SYNC_RETRY_BASE_DELAY,
+  OUT_OF_SYNC_RETRY_MAX_DELAY,
+} from './documentConstants'
 import {
   type DocumentEvent,
   type DocumentTransactionSubmissionResult,
@@ -82,6 +90,10 @@ export interface DocumentStoreState {
   applied: AppliedTransaction[]
   outgoing?: OutgoingTransaction
   grants?: Record<Grant, ExprNode>
+  /**
+   * The current user's identity (their user ID).
+   */
+  identity?: string
   error?: unknown
   sharedListener: SharedListener
   fetchDocument: (documentId: string) => Observable<SanityDocument | null>
@@ -141,6 +153,7 @@ export const documentStore = defineStore<DocumentStoreState, BoundResourceKey>({
       subscribeToSubscriptionsAndListenToDocuments(context),
       subscribeToAppliedAndSubmitNextTransaction(context),
       subscribeToClientAndFetchDatasetAcl(context),
+      subscribeToCurrentUserAndSetIdentity(context),
     ]
 
     return () => {
@@ -497,10 +510,15 @@ const subscribeToSubscriptionsAndListenToDocuments = (
           switchMap((e) => {
             if (!e.add) return EMPTY
             return listen(context, e.id).pipe(
-              catchError((error) => {
-                // retry on `OutOfSyncError`
-                if (error instanceof OutOfSyncError) listen(context, e.id)
-                throw error
+              retry({
+                delay: (error, retryCount) => {
+                  if (!(error instanceof OutOfSyncError)) return throwError(() => error)
+                  const backoff = Math.min(
+                    OUT_OF_SYNC_RETRY_BASE_DELAY * 2 ** (retryCount - 1),
+                    OUT_OF_SYNC_RETRY_MAX_DELAY,
+                  )
+                  return timer(backoff)
+                },
               }),
               tap((remote) =>
                 state.set('applyRemoteDocument', (prev) =>
@@ -548,3 +566,16 @@ const subscribeToClientAndFetchDatasetAcl = ({
       error: (error) => state.set('setError', {error}),
     })
 }
+
+const subscribeToCurrentUserAndSetIdentity = ({
+  instance,
+  state,
+}: StoreContext<DocumentStoreState, BoundResourceKey>) =>
+  getCurrentUserState(instance).observable.subscribe({
+    next: (currentUser) => state.set('setIdentity', {identity: currentUser?.id}),
+    // A transient identity-fetch failure (network blip, expired token, or a
+    // normal logout/re-login transition) should not brick all document
+    // operations. Reset the identity to `undefined` and keep going — GROQ's
+    // `identity()` then evaluates to null, matching the unauthenticated state.
+    error: () => state.set('setIdentity', {identity: undefined}),
+  })

package/src/document/listen.ts

@@ -20,7 +20,7 @@ import {type StoreContext} from '../store/defineStore'
 import {type DocumentStoreState} from './documentStore'
 import {processMutations} from './processMutations'
 
-const DEFAULT_MAX_BUFFER_SIZE = 20
+export const DEFAULT_MAX_BUFFER_SIZE = 20
 const DEFAULT_DEADLINE_MS = 30000
 
 export interface RemoteDocument {

package/src/document/permissions.test.ts

@@ -32,9 +32,11 @@ const alwaysDeny = parse('false')
 const createState = (
   docStates: Record<string, {local: unknown}>,
   grants?: Record<Grant, ExprNode>,
+  identity?: string,
 ): SyncTransactionState => ({
   documentStates: docStates as SyncTransactionState['documentStates'],
   grants,
+  identity,
   queued: [],
   applied: [],
 })
@@ -52,6 +54,18 @@ describe('createGrantsLookup', () => {
       expect(evaluateSync(grants[key], {params: {document: dummyDoc}}).data).toBe(true)
     })
   })
+
+  it('should ignore unknown permissions like "manage"', () => {
+    const datasetAcl = [
+      {filter: '_id != null', permissions: ['history', 'read', 'update', 'create', 'manage']},
+    ] as DatasetAcl
+    const grants = createGrantsLookup(datasetAcl)
+    const dummyDoc = {_id: 'doc1'}
+    ;(['read', 'update', 'create', 'history'] as Grant[]).forEach((key) => {
+      expect(grants[key]).toBeDefined()
+      expect(evaluateSync(grants[key], {params: {document: dummyDoc}}).data).toBe(true)
+    })
+  })
 })
 
 describe('calculatePermissions', () => {
@@ -234,4 +248,69 @@ describe('calculatePermissions', () => {
     const result2 = calculatePermissions({instance, state}, {actions: [{...action}]})
     expect(result1).toBe(result2)
   })
+
+  describe('identity-aware grants', () => {
+    // Mirrors the canvas ACL filter shape: only the document's creator may
+    // update it. Without an identity passed to groq, `identity()` is null and
+    // the expression collapses to null — which used to read as "denied".
+    const canvasUpdateAcl: DatasetAcl = [
+      {
+        filter: '_type == "sanity.canvas.document" && _system.createdBy == identity()',
+        permissions: ['read', 'update'],
+      },
+    ]
+
+    const canvasDoc = (createdBy: string): SanityDocument => ({
+      _id: 'canvas-1',
+      _type: 'sanity.canvas.document',
+      _createdAt: '2025-01-01T00:00:00.000Z',
+      _updatedAt: '2025-01-01T00:00:00.000Z',
+      _rev: 'rev-1',
+      _system: {createdBy},
+    })
+
+    const editAction: DocumentAction = {
+      documentId: 'canvas-1',
+      documentType: 'sanity.canvas.document',
+      type: 'document.edit',
+      liveEdit: true,
+    }
+
+    it('allows edits when identity matches the document creator', () => {
+      const state = createState(
+        {'canvas-1': {local: canvasDoc('user-A')}},
+        createGrantsLookup(canvasUpdateAcl),
+        'user-A',
+      )
+      expect(calculatePermissions({instance, state}, {actions: [editAction]})).toEqual({
+        allowed: true,
+      })
+    })
+
+    it('denies edits when identity does not match the document creator', () => {
+      const state = createState(
+        {'canvas-1': {local: canvasDoc('user-A')}},
+        createGrantsLookup(canvasUpdateAcl),
+        'user-B',
+      )
+      const result = calculatePermissions({instance, state}, {actions: [editAction]})
+      expect(result?.allowed).toBe(false)
+      expect(result?.reasons).toEqual(
+        expect.arrayContaining([expect.objectContaining({type: 'access', documentId: 'canvas-1'})]),
+      )
+    })
+
+    it('denies edits when identity is not yet loaded', () => {
+      const state = createState(
+        {'canvas-1': {local: canvasDoc('user-A')}},
+        createGrantsLookup(canvasUpdateAcl),
+        undefined,
+      )
+      const result = calculatePermissions({instance, state}, {actions: [editAction]})
+      expect(result?.allowed).toBe(false)
+      expect(result?.reasons).toEqual(
+        expect.arrayContaining([expect.objectContaining({type: 'access', documentId: 'canvas-1'})]),
+      )
+    })
+  })
 })

package/src/document/permissions.ts

@@ -1,6 +1,6 @@
 import {DocumentId, getDraftId, getPublishedId, getVersionId} from '@sanity/id-utils'
 import {type SanityDocument} from '@sanity/types'
-import {evaluateSync, type ExprNode, parse} from 'groq-js'
+import {type ExprNode, parse} from 'groq-js'
 import {createSelector} from 'reselect'
 
 import {isReleasePerspective} from '../releases/utils/isReleasePerspective'
@@ -8,6 +8,7 @@ import {type SelectorContext} from '../store/createStateSourceAction'
 import {MultiKeyWeakMap} from '../utils/MultiKeyWeakMap'
 import {type DocumentAction} from './actions'
 import {ActionError, PermissionActionError, processActions} from './processActions/processActions'
+import {checkGrant} from './processActions/shared'
 import {type DocumentSet} from './processMutations'
 import {type SyncTransactionState} from './reducers'
 
@@ -29,6 +30,8 @@ export function createGrantsLookup(datasetAcl: DatasetAcl): Record<Grant, ExprNo
   for (const entry of datasetAcl) {
     for (const grant of entry.permissions) {
       const set = filtersByGrant[grant]
+      // Ignore permissions we don't model (e.g. "manage")
+      if (!set) continue
       set.add(entry.filter)
       filtersByGrant[grant] = set
     }
@@ -140,11 +143,6 @@ const memoizedActionsSelector = createSelector(
   },
 )
 
-function checkGrant(grantExpr: ExprNode, document: SanityDocument): boolean {
-  const value = evaluateSync(grantExpr, {params: {document}})
-  return value.type === 'boolean' && value.data
-}
-
 /** @beta */
 export interface PermissionDeniedReason {
   type: 'precondition' | 'access'
@@ -172,11 +170,13 @@ export function calculatePermissions(
 const _calculatePermissions = createSelector(
   [
     ({state: {grants}}: SelectorContext<SyncTransactionState>) => grants,
+    ({state: {identity}}: SelectorContext<SyncTransactionState>) => identity,
     documentsSelector,
     memoizedActionsSelector,
   ],
   (
     grants: Record<Grant, ExprNode> | undefined,
+    identity: string | undefined,
     documents: DocumentSet | undefined,
     actions: DocumentAction[] | undefined,
   ): DocumentPermissionsResult | undefined => {
@@ -195,6 +195,7 @@ const _calculatePermissions = createSelector(
         base: documents,
         timestamp,
         grants,
+        identity,
       })
     } catch (error) {
       if (error instanceof PermissionActionError) {
@@ -244,7 +245,7 @@ const _calculatePermissions = createSelector(
               documentId: docId,
             })
           }
-        } else if (!checkGrant(grants.update, doc)) {
+        } else if (!checkGrant(grants.update, doc, identity)) {
           reasons.push({
             type: 'access',
             message: `You are not allowed to edit the document with ID "${docId}".`,

package/src/document/processActions/create.ts

@@ -16,7 +16,7 @@ export function handleCreate(
   action: CreateDocumentAction,
   ctx: ActionHandlerContext,
 ): ActionHandlerResult {
-  const {transactionId, timestamp, grants, outgoingActions, outgoingMutations} = ctx
+  const {transactionId, timestamp, grants, identity, outgoingActions, outgoingMutations} = ctx
   let {base, working} = ctx
 
   const documentId = getId(action.documentId)
@@ -51,7 +51,7 @@ export function handleCreate(
       timestamp,
     })
 
-    if (!checkGrant(grants.create, working[documentId] as SanityDocument)) {
+    if (!checkGrant(grants.create, working[documentId] as SanityDocument, identity)) {
       throw new PermissionActionError({
         documentId,
         transactionId,
@@ -111,13 +111,16 @@ export function handleCreate(
     timestamp,
   })
 
-  if (versionId && !checkGrant(grants.create, working[versionId] as SanityDocument)) {
+  if (versionId && !checkGrant(grants.create, working[versionId] as SanityDocument, identity)) {
     throw new PermissionActionError({
       documentId,
       transactionId,
       message: `You do not have permission to create a release version for document "${documentId}".`,
     })
-  } else if (!versionId && !checkGrant(grants.create, working[draftId] as SanityDocument)) {
+  } else if (
+    !versionId &&
+    !checkGrant(grants.create, working[draftId] as SanityDocument, identity)
+  ) {
     throw new PermissionActionError({
       documentId,
       transactionId,

package/src/document/processActions/delete.ts

@@ -16,7 +16,7 @@ export function handleDelete(
   action: DeleteDocumentAction,
   ctx: ActionHandlerContext,
 ): ActionHandlerResult {
-  const {transactionId, timestamp, grants, outgoingActions, outgoingMutations} = ctx
+  const {transactionId, timestamp, grants, identity, outgoingActions, outgoingMutations} = ctx
   let {base, working} = ctx
 
   const documentId = action.documentId
@@ -38,7 +38,7 @@ export function handleDelete(
       })
     }
 
-    if (!checkGrant(grants.update, working[documentId])) {
+    if (!checkGrant(grants.update, working[documentId], identity)) {
       throw new PermissionActionError({
         documentId,
         transactionId,
@@ -72,9 +72,9 @@ export function handleDelete(
     })
   }
 
-  const cantDeleteDraft = working[draftId] && !checkGrant(grants.update, working[draftId])
+  const cantDeleteDraft = working[draftId] && !checkGrant(grants.update, working[draftId], identity)
   const cantDeletePublished =
-    working[publishedId] && !checkGrant(grants.update, working[publishedId])
+    working[publishedId] && !checkGrant(grants.update, working[publishedId], identity)
 
   if (cantDeleteDraft || cantDeletePublished) {
     throw new PermissionActionError({

package/src/document/processActions/discard.ts

@@ -16,7 +16,7 @@ export function handleDiscard(
   action: DiscardDocumentAction,
   ctx: ActionHandlerContext,
 ): ActionHandlerResult {
-  const {transactionId, timestamp, grants, outgoingActions, outgoingMutations} = ctx
+  const {transactionId, timestamp, grants, identity, outgoingActions, outgoingMutations} = ctx
   let {base, working} = ctx
 
   const documentId = getId(action.documentId)
@@ -43,7 +43,7 @@ export function handleDiscard(
     })
   }
 
-  if (!checkGrant(grants.update, working[versionId])) {
+  if (!checkGrant(grants.update, working[versionId], identity)) {
     throw new PermissionActionError({
       documentId,
       transactionId,