Add permissions checks for dimension updates

src/metabase/api/field.clj

@@ -102,7 +102,7 @@
   {dimension-type         (s/enum "internal" "external")
    dimension-name         su/NonBlankString
    human_readable_field_id (s/maybe su/IntGreaterThanZero)}
-  (let [field (api/read-check Field id)]
+  (let [field (api/write-check Field id)]
     (api/check (or (= dimension-type "internal")
                    (and (= dimension-type "external")
                         human_readable_field_id))
@@ -122,7 +122,7 @@
 (api/defendpoint DELETE "/:id/dimension"
   "Remove the dimension associated to field at ID"
   [id]
-  (let [field (api/read-check Field id)]
+  (let [field (api/write-check Field id)]
     (db/delete! Dimension :field_id id)
     api/generic-204-no-content))
 

test/metabase/api/field_test.clj

@@ -320,6 +320,12 @@
   (tt/with-temp* [Field [{field-id-1 :id} {:name "Field Test 1"}]]
     (dimension-post field-id-1 {:name "some dimension name", :type "external"})))
 
+;; Non-admin users can't update dimensions
+(expect
+  "You don't have permissions to do that."
+  (tt/with-temp* [Field [{field-id :id} {:name "Field Test 1"}]]
+    ((user->client :rasta) :post 403 (format "field/%d/dimension" field-id) {:name "some dimension name", :type "external"})))
+
 ;; Ensure we can delete a dimension
 (expect
   [{:id true
@@ -339,6 +345,12 @@
       [(tu/boolean-ids-and-timestamps new-dim)
        (dimension-for-field field-id)])))
 
+;; Non-admin users can't delete a dimension
+(expect
+  "You don't have permissions to do that."
+  (tt/with-temp* [Field [{field-id :id} {:name "Field Test 1"}]]
+    ((user->client :rasta) :delete 403 (format "field/%d/dimension" field-id))))
+
 ;; When an FK field gets it's special_type removed, we should clear the external dimension
 (expect
   [{:id true