Archives/gristlabs_grist-core
1
0
Fork 0
mirror of https://github.com/gristlabs/grist-core.git synced 2026-03-02 04:09:24 +00:00
Code Issues Projects Releases Wiki Activity

(core) Disallow the combination of Public Edit access and granular ACLs.

Browse Source 
Summary:
- When Public Edit access is enabled, Access Rules page shows a warning and
  prevents saving rules.
- When any ACL rules are present, attempts to set Public access to Editor role
  get downgraded to Viewer role, with a warning notification.
- No checks are made on the server side, so the combination may be achieved via
  the API (but we may block it in the future).

Test Plan: Added a test case.

Reviewers: paulfitz

Reviewed By: paulfitz

Differential Revision: https://phab.getgrist.com/D2767
This commit is contained in:
Dmitry S
2021-03-25 19:15:34 -04:00
parent 8c2bea0f73
commit 1a5bacc807
6 changed files with 81 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
app/client/aclui/ACLUsers.ts
View File

@@ -10,7 +10,8 @@ import {menuCssClass} from 'app/client/ui2018/menus';
import {userOverrideParams} from 'app/common/gristUrls';
import {FullUser} from 'app/common/LoginSessionAPI';
import * as roles from 'app/common/roles';
import {ANONYMOUS_USER_EMAIL, EVERYONE_EMAIL, getRealAccess, UserAccessData} from 'app/common/UserAPI';
import {ANONYMOUS_USER_EMAIL, EVERYONE_EMAIL} from 'app/common/UserAPI';
import {getRealAccess, PermissionData, UserAccessData} from 'app/common/UserAPI';
import {Disposable, dom, Observable, styled} from 'grainjs';
import {cssMenu, cssMenuWrap, defaultMenuOptions, IOpenController, setPopupToCreateDom} from 'popweasel';
@@ -54,16 +55,9 @@ export class ACLUsersPopup extends Disposable {
private _usersInDoc: UserAccessData[] = [];
private _currentUser: FullUser|null = null;
public async init(pageModel: DocPageModel) {
public init(pageModel: DocPageModel, permissionData: PermissionData|null) {
this._currentUser = pageModel.userOverride.get()?.user || pageModel.appModel.currentValidUser;
const doc = pageModel.currentDoc.get();
// Disabling "View as user" for forks for the moment. The getDocAccess endpoint
// only succeeds for documents that exist in the DB currently.
// TODO: modify the getDocAccess endpoint to accept forks, through the kind of
// manipulation that getDoc does. Then we can enable this button for forks.
if (doc && !doc.isFork) {
const permissionData = await pageModel.appModel.api.getDocAccess(doc.id);
if (this.isDisposed()) { return; }
if (permissionData) {
this._usersInDoc = permissionData.users.map(user => ({
...user,
access: getRealAccess(user, permissionData),