(core) Only allow getFormulaError for clients with access to read the cell
Summary: The previous access check in `getFormulaError` was not strict enough, allowing users to read the values of individual formula cells that they shouldn't be able to. Now `getCellValue` is used to check the access for the specific cell first. Test Plan: Extended GranularAccess server test. Reviewers: paulfitz Reviewed By: paulfitz Subscribers: paulfitz Differential Revision: https://phab.getgrist.com/D3526
parent
ec8ab598cb
commit
333ed863f4
@ -1118,7 +1118,9 @@ export class ActiveDoc extends EventEmitter {
|
|||||||
*/
|
*/
|
||||||
public async getFormulaError(docSession: DocSession, tableId: string, colId: string,
|
public async getFormulaError(docSession: DocSession, tableId: string, colId: string,
|
||||||
rowId: number): Promise<CellValue> {
|
rowId: number): Promise<CellValue> {
|
||||||
if (!await this._granularAccess.hasTableAccess(docSession, tableId)) { return null; }
|
// Throw an error if the user doesn't have access to read this cell.
|
||||||
|
await this._granularAccess.getCellValue(docSession, {tableId, colId, rowId});
|
||||||
|
|
||||||
this._log.info(docSession, "getFormulaError(%s, %s, %s, %s)",
|
this._log.info(docSession, "getFormulaError(%s, %s, %s, %s)",
|
||||||
docSession, tableId, colId, rowId);
|
docSession, tableId, colId, rowId);
|
||||||
await this.waitForInitialization();
|
await this.waitForInitialization();
|
||||||
|
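Review bot: The new `getCellValue` check in `getFormulaError` changes the failure mode from `return null` to a rejected promise, and nothing visible in the hunk tells callers so. The doc comment that closes just above the signature (its text is outside the hunk) should state the new contract, for example `@throws if the caller may not read the cell at (tableId, colId, rowId)`. The check also runs before the `this._log.info(...)` line, so a denied request leaves no trace from this method unless `getCellValue` records it itself; if denied reads of formula errors should be auditable, that is worth confirming. The method body continues past the end of the hunk, so whether the error fetched later refers to the same row state that was checked cannot be judged from here.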