From 333ed863f47289a1d067f7d9fa155feb1aae8042 Mon Sep 17 00:00:00 2001
From: Alex Hall
Date: Thu, 14 Jul 2022 13:29:22 +0200
Subject: [PATCH] (core) Only allow getFormulaError for clients with access to read the cell

Summary: The previous access check in `getFormulaError` was not strict enough, allowing users to read the values of individual formula cells that they shouldn't be able to. Now `getCellValue` is used to check the access for the specific cell first.
Test Plan: Extended GranularAccess server test.
Reviewers: paulfitz
Reviewed By: paulfitz
Subscribers: paulfitz
Differential Revision: https://phab.getgrist.com/D3526
---
 app/server/lib/ActiveDoc.ts | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/app/server/lib/ActiveDoc.ts b/app/server/lib/ActiveDoc.ts
index a2939d88..96a79f52 100644
--- a/app/server/lib/ActiveDoc.ts
+++ b/app/server/lib/ActiveDoc.ts
@@ -1118,7 +1118,9 @@ export class ActiveDoc extends EventEmitter {
 */
 public async getFormulaError(docSession: DocSession, tableId: string, colId: string,
 rowId: number): Promise {
- if (!await this._granularAccess.hasTableAccess(docSession, tableId)) { return null; }
+ // Throw an error if the user doesn't have access to read this cell.
+ await this._granularAccess.getCellValue(docSession, {tableId, colId, rowId});
+
 this._log.info(docSession, "getFormulaError(%s, %s, %s, %s)",
 docSession, tableId, colId, rowId);
 await this.waitForInitialization();
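Review bot: The denial path of `getFormulaError` changes from `return null` to a thrown error, but the method's doc comment is not updated to say so (the comment starts above this hunk and the method body continues below it). Callers that treated `null` as "no error details available" will now see a rejected promise, so I would add a line such as `@throws if the session is not allowed to read the cell (checked via GranularAccess.getCellValue)` to that comment. The check still runs before `await this.waitForInitialization()`, as the old one did; if `getCellValue` needs loaded document data to evaluate row-level rules (not visible here), confirm it behaves correctly while the document is still initializing, or move the call below the wait. Because the throw happens ahead of `this._log.info(...)`, denied requests leave no record at this layer unless `getCellValue` logs them itself, so repeated denied lookups would be hard to spot in the server log.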