(core) Only allow getFormulaError for clients with access to read the cell

Summary: The previous access check in `getFormulaError` was not strict enough, allowing users to read the values of individual formula cells that they shouldn't be able to. Now `getCellValue` is used to check the access for the specific cell first.

Test Plan: Extended GranularAccess server test.

Reviewers: paulfitz

Reviewed By: paulfitz

Subscribers: paulfitz

Differential Revision: https://phab.getgrist.com/D3526
Alex Hall 2022-07-14 13:29:22 +02:00
parent ec8ab598cb
commit 333ed863f4


@ -1118,7 +1118,9 @@ export class ActiveDoc extends EventEmitter {
*/ */
public async getFormulaError(docSession: DocSession, tableId: string, colId: string, public async getFormulaError(docSession: DocSession, tableId: string, colId: string,
rowId: number): Promise<CellValue> { rowId: number): Promise<CellValue> {
if (!await this._granularAccess.hasTableAccess(docSession, tableId)) { return null; } // Throw an error if the user doesn't have access to read this cell.
await this._granularAccess.getCellValue(docSession, {tableId, colId, rowId});
this._log.info(docSession, "getFormulaError(%s, %s, %s, %s)", this._log.info(docSession, "getFormulaError(%s, %s, %s, %s)",
docSession, tableId, colId, rowId); docSession, tableId, colId, rowId);
await this.waitForInitialization(); await this.waitForInitialization();
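Review bot: the denied case at the top of `getFormulaError` now surfaces as a rejected promise instead of the old `return null`, and the method's doc comment (ending just above the signature) should say so, so that callers know to handle the rejection rather than test for `null`. The result of `await this._granularAccess.getCellValue(docSession, {tableId, colId, rowId})` is discarded, so the call acts purely as an access assertion; the inline comment covers the intent, but it would help to note that the value is deliberately unused. The `this._log.info(...)` call also sits after the check, so a denied request leaves no log entry from this method; if denied attempts should be visible in the logs, move the log line above the check.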