(core) Fix owner view access to snapshots

Summary: Owners weren't able to access snapshots if access rules that denied access to non-owners existed. The backend was lowering snapshot document access to "viewers" as part of implementing read-only behavior; this is now done in the client, with document access for snapshots now accurately reflecting the user's trunk access. Additionally, sandboxes are no longer created for snapshots, and background intervals aren't started for snapshots. Test Plan: Browser test. Reviewers: jarek, paulfitz Reviewed By: jarek, paulfitz Differential Revision: https://phab.getgrist.com/D3849
2026-03-02 04:09:24 +00:00 · 2023-04-11 01:56:26 -04:00
parent 40ea6bb2bc
commit 36f3fd0120
6 changed files with 80 additions and 53 deletions
--- a/app/gen-server/lib/HomeDBManager.ts
+++ b/app/gen-server/lib/HomeDBManager.ts
@@ -1249,7 +1249,7 @@ export class HomeDBManager extends EventEmitter {
      doc.trunkAccess = doc.access;

      // Update access for fork.
-      this._setForkAccess(doc, {userId, forkUserId, snapshotId}, doc);
+      if (forkId) { this._setForkAccess(doc, {userId, forkUserId}, doc); }
      if (!doc.access) {
        throw new ApiError('access denied', 403);
      }
@@ -2484,9 +2484,9 @@ export class HomeDBManager extends EventEmitter {

    // If we are on a fork, make any access changes needed. Assumes results
    // have been flattened.
-    if (forkId || snapshotId) {
+    if (forkId) {
      for (const user of users) {
-        this._setForkAccess(doc, {userId: user.id, forkUserId, snapshotId}, user);
+        this._setForkAccess(doc, {userId: user.id, forkUserId}, user);
      }
    }

@@ -3259,12 +3259,12 @@ export class HomeDBManager extends EventEmitter {
   * their own in the db).
   *   - If fork is a tutorial:
   *     - User ~USERID from the fork id is owner, all others have no access.
-   *   - If fork is a snapshot, all users are at most viewers. Else:
+   *   - If fork is not a tutorial:
   *     - If there is no ~USERID in fork id, then all viewers of trunk are owners of the fork.
   *     - If there is a ~USERID in fork id, that user is owner, all others are at most viewers.
   */
  private _setForkAccess(doc: Document,
-                         ids: {userId: number, forkUserId?: number, snapshotId?: string},
+                         ids: {userId: number, forkUserId?: number},
                         res: {access: roles.Role|null}) {
    if (doc.type === 'tutorial') {
      if (ids.userId === this.getPreviewerUserId()) {
@@ -3283,13 +3283,9 @@ export class HomeDBManager extends EventEmitter {
          if (roles.canView(res.access)) { res.access = 'owners'; }
        } else {
          // reduce to viewer if not already viewer
-        res.access = roles.getWeakestRole('viewers', res.access);
+          res.access = roles.getWeakestRole('viewers', res.access);
        }
      }
-      // Finally, if we are viewing a snapshot, we can't edit it.
-      if (ids.snapshotId) {
-        res.access = roles.getWeakestRole('viewers', res.access);
-      }
    }
  }