mirror of
https://github.com/gristlabs/grist-core.git
synced 2026-03-02 04:09:24 +00:00
(core) Don't throw error in onRecord(s) for insufficient access for includeColumns
Summary: This removes checking for full access in `onRecord/onRecords` when `includeColumns` is a non-default value. The check had two problems: 1. It relied on the access level being present in the URL query parameters, which doesn't work if the page has redirected. See the discussion in https://grist.slack.com/archives/C0234CPPXPA/p1702576602615509. There seems to be no way to reliably and synchronously check the access level. 2. Calling `onRecords` before `ready` and forgetting to handle an error from the access check meant that `ready` wouldn't be called, so Grist couldn't request the correct access level from the user. I made this mistake and it seems like a nasty footgun. Ultimately this has no effect on security, as an error will still be raised, but in a place where the widget developer can't catch it. They'll still see an error message in the console, and they can still check the access level reliably using `onOptions`, so I think this is OK. Test Plan: Updated nbrowser test Reviewers: georgegevoian, paulfitz Reviewed By: georgegevoian, paulfitz Differential Revision: https://phab.getgrist.com/D4145
This commit is contained in:
Alex Hall
32
test/fixtures/sites/fetchSelectedOptions/page.js
vendored
32
test/fixtures/sites/fetchSelectedOptions/page.js
vendored
@@ -2,16 +2,13 @@
|
||||
|
||||
function setup() {
|
||||
const data = {
|
||||
shown: 0,
|
||||
default: {},
|
||||
options: {},
|
||||
};
|
||||
let showCount = 0;
|
||||
|
||||
function showData() {
|
||||
showCount += 1;
|
||||
if (showCount < 12) {
|
||||
return;
|
||||
}
|
||||
data.shown += 1;
|
||||
document.getElementById('data').innerHTML = JSON.stringify(data, null, 2);
|
||||
}
|
||||
|
||||
@@ -40,24 +37,17 @@ function setup() {
|
||||
showData();
|
||||
});
|
||||
|
||||
try {
|
||||
grist.onRecord(function (rec) {
|
||||
data.options.onRecord = rec;
|
||||
showData();
|
||||
}, {keepEncoded: true, includeColumns: 'normal', format: 'columns'});
|
||||
} catch (e) {
|
||||
data.options.onRecord = String(e);
|
||||
// NOTE: These cases will hit an access error when trying to trigger the callback
|
||||
// when access level isn't full, and we can't catch that error.
|
||||
grist.onRecord(function (rec) {
|
||||
data.options.onRecord = rec;
|
||||
showData();
|
||||
}
|
||||
try {
|
||||
grist.onRecords(function (recs) {
|
||||
data.options.onRecords = recs;
|
||||
showData();
|
||||
}, {keepEncoded: true, includeColumns: 'all', format: 'columns'});
|
||||
} catch (e) {
|
||||
data.options.onRecords = String(e);
|
||||
}, {keepEncoded: true, includeColumns: 'normal', format: 'columns'});
|
||||
grist.onRecords(function (recs) {
|
||||
data.options.onRecords = recs;
|
||||
showData();
|
||||
}
|
||||
}, {keepEncoded: true, includeColumns: 'all', format: 'columns'});
|
||||
|
||||
grist.fetchSelectedTable(
|
||||
{keepEncoded: true, includeColumns: 'all', format: 'rows'}
|
||||
).then(function (table) {
|
||||
|
||||
Reference in New Issue
Block a user