Vulnerabilities we've responsibly disclosed to open-source projects.
Document editors can alter permissions via the documents update API.
Read-only users can create documents via post_document endpoint.