Archives/gristlabs_grist-core
1
0
Fork 0
mirror of https://github.com/gristlabs/grist-core.git synced 2026-03-02 04:09:24 +00:00
Code Issues Projects Releases Wiki Activity

(core) Don't throw error in onRecord(s) for insufficient access for includeColumns

Browse Source 
Summary:
This removes checking for full access in `onRecord/onRecords` when `includeColumns` is a non-default value. The check had two problems:

1. It relied on the access level being present in the URL query parameters, which doesn't work if the page has redirected. See the discussion in https://grist.slack.com/archives/C0234CPPXPA/p1702576602615509. There seems to be no way to reliably and synchronously check the access level.
2. Calling `onRecords` before `ready` and forgetting to handle an error from the access check meant that `ready` wouldn't be called, so Grist couldn't request the correct access level from the user. I made this mistake and it seems like a nasty footgun.

Ultimately this has no effect on security, as an error will still be raised, but in a place where the widget developer can't catch it. They'll still see an error message in the console, and they can still check the access level reliably using `onOptions`, so I think this is OK.

Test Plan: Updated nbrowser test

Reviewers: georgegevoian, paulfitz

Reviewed By: georgegevoian, paulfitz

Differential Revision: https://phab.getgrist.com/D4145
This commit is contained in:
Alex Hall
2023-12-20 15:42:06 +02:00
parent a2bd753649
commit 225a76c9cb
4 changed files with 30 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
app/plugin/grist-plugin-api.ts
View File

@@ -365,17 +365,6 @@ export function mapColumnNamesBack(data: any, options?: {
return mapColumnNames(data, {...options, reverse: true});
}
/**
* While `fetchSelected(Record|Table)` check the access level on 'the Grist side',
* `onRecord(s)` needs to check this in advance for the caller to be able to handle the error.
*/
function checkAccessLevelForColumns(options: FetchSelectedOptions) {
const accessLevel = new URL(window.location.href).searchParams.get("access");
if (accessLevel !== "full" && options.includeColumns && options.includeColumns !== "shown") {
throw new Error("Access not granted. Current access level " + accessLevel);
}
}
/**
* For custom widgets, add a handler that will be called whenever the
* row with the cursor changes - either by switching to a different row, or
@@ -388,7 +377,6 @@ export function onRecord(
callback: (data: RowRecord | null, mappings: WidgetColumnMap | null) => unknown,
options: FetchSelectedOptions = {},
) {
checkAccessLevelForColumns(options);
// TODO: currently this will be called even if the content of a different row changes.
on('message', async function(msg) {
if (!msg.tableId || !msg.rowId || msg.rowId === 'new') { return; }
@@ -418,7 +406,6 @@ export function onRecords(
callback: (data: RowRecord[], mappings: WidgetColumnMap | null) => unknown,
options: FetchSelectedOptions = {},
) {
checkAccessLevelForColumns(options);
options = {...options, format: options.format || 'rows'};
on('message', async function(msg) {
if (!msg.tableId || !msg.dataChange) { return; }