mirror of
https://github.com/gristlabs/grist-core.git
synced 2024-10-27 20:44:07 +00:00
(core) Implement checkbox for SchemaEdit permission in Access Rules UI.
Summary: - Introduces a fictitious "*SPECIAL:SchemaEdit" resource in UI only. - Hides "S" bit for the default rule section. - Shows a checkbox UI similar to other checkboxes, with an additional dismissable warning. Test Plan: Added a browser test Reviewers: paulfitz, georgegevoian Reviewed By: paulfitz, georgegevoian Differential Revision: https://phab.getgrist.com/D3765
This commit is contained in:
parent
18d016c745
commit
45c7602f49
@ -26,7 +26,7 @@ import {
|
|||||||
summarizePermissions,
|
summarizePermissions,
|
||||||
summarizePermissionSet
|
summarizePermissionSet
|
||||||
} from 'app/common/ACLPermissions';
|
} from 'app/common/ACLPermissions';
|
||||||
import {ACLRuleCollection, SPECIAL_RULES_TABLE_ID} from 'app/common/ACLRuleCollection';
|
import {ACLRuleCollection, isSchemaEditResource, SPECIAL_RULES_TABLE_ID} from 'app/common/ACLRuleCollection';
|
||||||
import {AclRuleProblem, AclTableDescription, getTableTitle} from 'app/common/ActiveDocAPI';
|
import {AclRuleProblem, AclTableDescription, getTableTitle} from 'app/common/ActiveDocAPI';
|
||||||
import {BulkColValues, getColValues, RowRecord, UserAction} from 'app/common/DocActions';
|
import {BulkColValues, getColValues, RowRecord, UserAction} from 'app/common/DocActions';
|
||||||
import {
|
import {
|
||||||
@ -45,6 +45,7 @@ import {
|
|||||||
Computed,
|
Computed,
|
||||||
Disposable,
|
Disposable,
|
||||||
dom,
|
dom,
|
||||||
|
DomContents,
|
||||||
DomElementArg,
|
DomElementArg,
|
||||||
IDisposableOwner,
|
IDisposableOwner,
|
||||||
MutableObsArray,
|
MutableObsArray,
|
||||||
@ -201,7 +202,7 @@ export class AccessRules extends Disposable {
|
|||||||
const rules = this._ruleCollection;
|
const rules = this._ruleCollection;
|
||||||
|
|
||||||
const [ , , aclResources] = await Promise.all([
|
const [ , , aclResources] = await Promise.all([
|
||||||
rules.update(this._gristDoc.docData, {log: console}),
|
rules.update(this._gristDoc.docData, {log: console, pullOutSchemaEdit: true}),
|
||||||
this._updateDocAccessData(),
|
this._updateDocAccessData(),
|
||||||
this._gristDoc.docComm.getAclResources(),
|
this._gristDoc.docComm.getAclResources(),
|
||||||
]);
|
]);
|
||||||
@ -217,7 +218,7 @@ export class AccessRules extends Disposable {
|
|||||||
);
|
);
|
||||||
|
|
||||||
const withDefaultRules = ['SeedRule'];
|
const withDefaultRules = ['SeedRule'];
|
||||||
const separateRules = ['FullCopies', 'AccessRules'];
|
const separateRules = ['SchemaEdit', 'FullCopies', 'AccessRules'];
|
||||||
|
|
||||||
SpecialRules.create(
|
SpecialRules.create(
|
||||||
this._specialRulesWithDefault, SPECIAL_RULES_TABLE_ID, this,
|
this._specialRulesWithDefault, SPECIAL_RULES_TABLE_ID, this,
|
||||||
@ -252,12 +253,20 @@ export class AccessRules extends Disposable {
|
|||||||
[{tableId: '*', colIds: '*'}],
|
[{tableId: '*', colIds: '*'}],
|
||||||
this._specialRulesWithDefault.get()?.getResources() || [],
|
this._specialRulesWithDefault.get()?.getResources() || [],
|
||||||
this._specialRulesSeparate.get()?.getResources() || [],
|
this._specialRulesSeparate.get()?.getResources() || [],
|
||||||
...this._tableRules.get().map(tr => tr.getResources()))
|
...this._tableRules.get().map(tr => tr.getResources())
|
||||||
|
)
|
||||||
|
// Skip the fake "*SPECIAL:SchemaEdit" resource (frontend-specific); these rules are saved to the default resource.
|
||||||
|
.filter(resource => !isSchemaEditResource(resource))
|
||||||
.map(r => ({id: -1, ...r}));
|
.map(r => ({id: -1, ...r}));
|
||||||
|
|
||||||
// Prepare userActions and a mapping of serializedResource to rowIds.
|
// Prepare userActions and a mapping of serializedResource to rowIds.
|
||||||
const resourceSync = syncRecords(resourcesTable, newResources, serializeResource);
|
const resourceSync = syncRecords(resourcesTable, newResources, serializeResource);
|
||||||
|
|
||||||
|
const defaultResourceRowId = resourceSync.rowIdMap.get(serializeResource({id: -1, tableId: '*', colIds: '*'}));
|
||||||
|
if (!defaultResourceRowId) {
|
||||||
|
throw new Error('Default resource missing in resource map');
|
||||||
|
}
|
||||||
|
|
||||||
// For syncing rules, we'll go by rowId that we store with each RulePart and with the RuleSet.
|
// For syncing rules, we'll go by rowId that we store with each RulePart and with the RuleSet.
|
||||||
const newRules: RowRecord[] = [];
|
const newRules: RowRecord[] = [];
|
||||||
for (const rule of this.getRules()) {
|
for (const rule of this.getRules()) {
|
||||||
@ -267,11 +276,17 @@ export class AccessRules extends Disposable {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Look up the rowId for the resource.
|
// Look up the rowId for the resource.
|
||||||
|
let resourceRowId: number|undefined;
|
||||||
|
// Assign the rules for the fake "*SPECIAL:SchemaEdit" resource to the default resource where they belong.
|
||||||
|
if (isSchemaEditResource(rule.resourceRec!)) {
|
||||||
|
resourceRowId = defaultResourceRowId;
|
||||||
|
} else {
|
||||||
const resourceKey = serializeResource(rule.resourceRec as RowRecord);
|
const resourceKey = serializeResource(rule.resourceRec as RowRecord);
|
||||||
const resourceRowId = resourceSync.rowIdMap.get(resourceKey);
|
resourceRowId = resourceSync.rowIdMap.get(resourceKey);
|
||||||
if (!resourceRowId) {
|
if (!resourceRowId) {
|
||||||
throw new Error(`Resource missing in resource map: ${resourceKey}`);
|
throw new Error(`Resource missing in resource map: ${resourceKey}`);
|
||||||
}
|
}
|
||||||
|
}
|
||||||
newRules.push({
|
newRules.push({
|
||||||
id: rule.id || -1,
|
id: rule.id || -1,
|
||||||
resource: resourceRowId,
|
resource: resourceRowId,
|
||||||
@ -283,10 +298,6 @@ export class AccessRules extends Disposable {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// UserAttribute rules are listed in the same rulesTable.
|
// UserAttribute rules are listed in the same rulesTable.
|
||||||
const defaultResourceRowId = resourceSync.rowIdMap.get(serializeResource({id: -1, tableId: '*', colIds: '*'}));
|
|
||||||
if (!defaultResourceRowId) {
|
|
||||||
throw new Error('Default resource missing in resource map');
|
|
||||||
}
|
|
||||||
for (const userAttr of this._userAttrRules.get()) {
|
for (const userAttr of this._userAttrRules.get()) {
|
||||||
const rule = userAttr.getRule();
|
const rule = userAttr.getRule();
|
||||||
newRules.push({
|
newRules.push({
|
||||||
@ -829,9 +840,14 @@ class SpecialRules extends TableRules {
|
|||||||
owner: IDisposableOwner, accessRules: AccessRules, tableRules: TableRules,
|
owner: IDisposableOwner, accessRules: AccessRules, tableRules: TableRules,
|
||||||
ruleSet: RuleSet|undefined, initialColIds: string[],
|
ruleSet: RuleSet|undefined, initialColIds: string[],
|
||||||
): ColumnObsRuleSet {
|
): ColumnObsRuleSet {
|
||||||
|
if (isEqual(ruleSet?.colIds, ['SchemaEdit'])) {
|
||||||
|
// The special rule for "schemaEdit" permissions.
|
||||||
|
return SpecialSchemaObsRuleSet.create(owner, accessRules, tableRules, ruleSet, initialColIds);
|
||||||
|
} else {
|
||||||
return SpecialObsRuleSet.create(owner, accessRules, tableRules, ruleSet, initialColIds);
|
return SpecialObsRuleSet.create(owner, accessRules, tableRules, ruleSet, initialColIds);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// Represents one RuleSet, for a combination of columns in one table, or the default RuleSet for
|
// Represents one RuleSet, for a combination of columns in one table, or the default RuleSet for
|
||||||
// all remaining columns in a table.
|
// all remaining columns in a table.
|
||||||
@ -1014,12 +1030,7 @@ abstract class ObsRuleSet extends Disposable {
|
|||||||
* Which permission bits to allow the user to set.
|
* Which permission bits to allow the user to set.
|
||||||
*/
|
*/
|
||||||
public getAvailableBits(): PermissionKey[] {
|
public getAvailableBits(): PermissionKey[] {
|
||||||
if (this._tableRules) {
|
|
||||||
return ['read', 'update', 'create', 'delete'];
|
return ['read', 'update', 'create', 'delete'];
|
||||||
} else {
|
|
||||||
// For the doc-wide rule set, expose the schemaEdit bit too.
|
|
||||||
return ['read', 'update', 'create', 'delete', 'schemaEdit'];
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -1112,18 +1123,32 @@ class DefaultObsRuleSet extends ObsRuleSet {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
interface SpecialRuleBody {
|
||||||
|
permissions: string;
|
||||||
|
formula: string;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Properties we need to know about how a special rule should function and
|
* Properties we need to know about how a special rule should function and
|
||||||
* be rendered.
|
* be rendered.
|
||||||
*/
|
*/
|
||||||
interface SpecialRuleProperties {
|
interface SpecialRuleProperties extends SpecialRuleBody {
|
||||||
description: string;
|
description: string;
|
||||||
name: string;
|
name: string;
|
||||||
availableBits: PermissionKey[];
|
availableBits: PermissionKey[];
|
||||||
permissions: string;
|
|
||||||
formula: string;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
const schemaEditRules: {[key: string]: SpecialRuleBody} = {
|
||||||
|
allowEditors: {
|
||||||
|
permissions: '+S',
|
||||||
|
formula: 'user.Access == EDITOR',
|
||||||
|
},
|
||||||
|
denyEditors: {
|
||||||
|
permissions: '-S',
|
||||||
|
formula: 'user.Access != OWNER',
|
||||||
|
},
|
||||||
|
};
|
||||||
|
|
||||||
const specialRuleProperties: Record<string, SpecialRuleProperties> = {
|
const specialRuleProperties: Record<string, SpecialRuleProperties> = {
|
||||||
AccessRules: {
|
AccessRules: {
|
||||||
name: t('Permission to view Access Rules'),
|
name: t('Permission to view Access Rules'),
|
||||||
@ -1147,6 +1172,13 @@ Useful for examples and templates, but not for sensitive data.`),
|
|||||||
permissions: '+CRUD',
|
permissions: '+CRUD',
|
||||||
formula: 'user.Access in [OWNER]',
|
formula: 'user.Access in [OWNER]',
|
||||||
},
|
},
|
||||||
|
SchemaEdit: {
|
||||||
|
name: t("Permission to edit document structure"),
|
||||||
|
description: t("Allow editors to edit structure (e.g. modify and delete tables, columns, " +
|
||||||
|
"layouts), and to write formulas, which give access to all data regardless of read restrictions."),
|
||||||
|
availableBits: ['schemaEdit'],
|
||||||
|
...schemaEditRules.denyEditors,
|
||||||
|
},
|
||||||
};
|
};
|
||||||
|
|
||||||
function getSpecialRuleProperties(name: string): SpecialRuleProperties {
|
function getSpecialRuleProperties(name: string): SpecialRuleProperties {
|
||||||
@ -1165,32 +1197,29 @@ class SpecialObsRuleSet extends ColumnObsRuleSet {
|
|||||||
}
|
}
|
||||||
|
|
||||||
public buildRuleSetDom() {
|
public buildRuleSetDom() {
|
||||||
const isNonStandard: Observable<boolean> = Computed.create(null, this._body, (use, body) =>
|
const isNonStandard = this._createIsNonStandardObs();
|
||||||
!body.every(rule => rule.isBuiltInOrEmpty(use) || rule.matches(use, this.props.formula, this.props.permissions)));
|
const isChecked = this._createIsCheckedObs(isNonStandard);
|
||||||
|
|
||||||
const allowEveryone: Observable<boolean> = Computed.create(null, this._body,
|
|
||||||
(use, body) => !use(isNonStandard) && !body.every(rule => rule.isBuiltInOrEmpty(use)))
|
|
||||||
.onWrite(val => this._allowEveryone(val));
|
|
||||||
|
|
||||||
if (isNonStandard.get()) {
|
if (isNonStandard.get()) {
|
||||||
this._isExpanded.set(true);
|
this._isExpanded.set(true);
|
||||||
}
|
}
|
||||||
|
|
||||||
return dom('div',
|
return dom('div',
|
||||||
dom.autoDispose(allowEveryone),
|
dom.autoDispose(isChecked),
|
||||||
|
dom.autoDispose(isNonStandard),
|
||||||
cssRuleDescription(
|
cssRuleDescription(
|
||||||
{style: 'white-space: pre-line;'}, // preserve line breaks in long descriptions
|
|
||||||
cssIconButton(icon('Expand'),
|
cssIconButton(icon('Expand'),
|
||||||
dom.style('transform', (use) => use(this._isExpanded) ? 'rotate(90deg)' : ''),
|
dom.style('transform', (use) => use(this._isExpanded) ? 'rotate(90deg)' : ''),
|
||||||
dom.on('click', () => this._isExpanded.set(!this._isExpanded.get())),
|
dom.on('click', () => this._isExpanded.set(!this._isExpanded.get())),
|
||||||
testId('rule-special-expand'),
|
testId('rule-special-expand'),
|
||||||
|
{style: 'margin: -4px'}, // subtract padding to align better.
|
||||||
),
|
),
|
||||||
squareCheckbox(allowEveryone,
|
cssCheckbox(isChecked,
|
||||||
dom.prop('disabled', isNonStandard),
|
dom.prop('disabled', isNonStandard),
|
||||||
testId('rule-special-checkbox'),
|
testId('rule-special-checkbox'),
|
||||||
),
|
),
|
||||||
this.props.description,
|
this.props.description,
|
||||||
),
|
),
|
||||||
|
this._buildDomWarning(),
|
||||||
dom.maybe(this._isExpanded, () =>
|
dom.maybe(this._isExpanded, () =>
|
||||||
cssTableRounded(
|
cssTableRounded(
|
||||||
{style: 'margin-left: 56px'},
|
{style: 'margin-left: 56px'},
|
||||||
@ -1238,14 +1267,29 @@ class SpecialObsRuleSet extends ColumnObsRuleSet {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
protected _buildDomWarning(): DomContents {
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Observable for whether this ruleSet is "standard", i.e. checked or unchecked state, without
|
||||||
|
// any strange rules that need to be shown expanded with the checkbox greyed out.
|
||||||
|
protected _createIsNonStandardObs(): Observable<boolean> {
|
||||||
|
return Computed.create(null, this._body, (use, body) =>
|
||||||
|
!body.every(rule => rule.isBuiltInOrEmpty(use) || rule.matches(use, this.props.formula, this.props.permissions)));
|
||||||
|
}
|
||||||
|
|
||||||
|
// Observable for whether the checkbox should be shown as checked. Writing to it will update
|
||||||
|
// rules so as to toggle the checkbox.
|
||||||
|
protected _createIsCheckedObs(isNonStandard: Observable<boolean>): Observable<boolean> {
|
||||||
|
return Computed.create(null, this._body,
|
||||||
|
(use, body) => !use(isNonStandard) && !body.every(rule => rule.isBuiltInOrEmpty(use)))
|
||||||
|
.onWrite(val => this._allowEveryone(val));
|
||||||
|
}
|
||||||
|
|
||||||
private _allowEveryone(value: boolean) {
|
private _allowEveryone(value: boolean) {
|
||||||
const builtInRules = this._body.get().filter(r => r.isBuiltIn());
|
const builtInRules = this._body.get().filter(r => r.isBuiltIn());
|
||||||
if (value) {
|
if (value) {
|
||||||
const rulePart: RulePart = {
|
const rulePart = makeRulePart(this.props);
|
||||||
aclFormula: this.props.formula,
|
|
||||||
permissionsText: this.props.permissions,
|
|
||||||
permissions: parsePermissions(this.props.permissions),
|
|
||||||
};
|
|
||||||
this._body.set([ObsRulePart.create(this._body, this, rulePart, true), ...builtInRules]);
|
this._body.set([ObsRulePart.create(this._body, this, rulePart, true), ...builtInRules]);
|
||||||
} else {
|
} else {
|
||||||
this._body.set(builtInRules);
|
this._body.set(builtInRules);
|
||||||
@ -1256,6 +1300,63 @@ class SpecialObsRuleSet extends ColumnObsRuleSet {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function makeRulePart({permissions, formula}: SpecialRuleBody): RulePart {
|
||||||
|
const rulePart: RulePart = {
|
||||||
|
aclFormula: formula,
|
||||||
|
permissionsText: permissions,
|
||||||
|
permissions: parsePermissions(permissions),
|
||||||
|
};
|
||||||
|
return rulePart;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* SchemaEdit permissions are moved out to a special fake resource "*SPECIAL:SchemaEdit" in the
|
||||||
|
* frontend, to be presented under their own checkbox option. Its behaviors are a bit different
|
||||||
|
* from other checkbox options; the differences are in the overridden methods here.
|
||||||
|
*/
|
||||||
|
class SpecialSchemaObsRuleSet extends SpecialObsRuleSet {
|
||||||
|
protected _buildDomWarning(): DomContents {
|
||||||
|
return dom.maybe(
|
||||||
|
(use) => use(this._body).every(rule => rule.isBuiltInOrEmpty(use)),
|
||||||
|
() => cssConditionError({style: 'margin-left: 56px; margin-bottom: 8px;'},
|
||||||
|
"This default should be changed if editors' access is to be limited. ",
|
||||||
|
dom('a', {style: 'color: inherit; text-decoration: underline'},
|
||||||
|
'Dismiss', dom.on('click', () => this._allowEditors('confirm'))),
|
||||||
|
testId('rule-schema-edit-warning'),
|
||||||
|
)
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
// SchemaEdit rules support an extra "standard" state, where a no-op rule exists (explicit rule
|
||||||
|
// allowing EDITORs SchemaEdit permission), in which case we don't show a warning.
|
||||||
|
protected _createIsNonStandardObs(): Observable<boolean> {
|
||||||
|
return Computed.create(null, this._body, (use, body) =>
|
||||||
|
!body.every(rule => rule.isBuiltInOrEmpty(use) || rule.matches(use, this.props.formula, this.props.permissions)
|
||||||
|
|| rule.matches(use, schemaEditRules.allowEditors.formula, schemaEditRules.allowEditors.permissions)));
|
||||||
|
}
|
||||||
|
|
||||||
|
protected _createIsCheckedObs(isNonStandard: Observable<boolean>): Observable<boolean> {
|
||||||
|
return Computed.create(null, this._body,
|
||||||
|
(use, body) => body.every(rule => rule.isBuiltInOrEmpty(use)
|
||||||
|
|| rule.matches(use, schemaEditRules.allowEditors.formula, schemaEditRules.allowEditors.permissions)))
|
||||||
|
.onWrite(val => this._allowEditors(val));
|
||||||
|
}
|
||||||
|
|
||||||
|
// The third "confirm" option is used by the "Dismiss" link in the warning.
|
||||||
|
private _allowEditors(value: boolean|'confirm') {
|
||||||
|
const builtInRules = this._body.get().filter(r => r.isBuiltIn());
|
||||||
|
if (value === 'confirm') {
|
||||||
|
const rulePart = makeRulePart(schemaEditRules.allowEditors);
|
||||||
|
this._body.set([ObsRulePart.create(this._body, this, rulePart, true), ...builtInRules]);
|
||||||
|
} else if (!value) {
|
||||||
|
const rulePart = makeRulePart(schemaEditRules.denyEditors);
|
||||||
|
this._body.set([ObsRulePart.create(this._body, this, rulePart, true), ...builtInRules]);
|
||||||
|
} else {
|
||||||
|
this._body.set(builtInRules);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
class ObsUserAttributeRule extends Disposable {
|
class ObsUserAttributeRule extends Disposable {
|
||||||
public ruleStatus: Computed<RuleStatus>;
|
public ruleStatus: Computed<RuleStatus>;
|
||||||
|
|
||||||
@ -1943,9 +2044,14 @@ const cssRuleBody = styled('div', `
|
|||||||
const cssRuleDescription = styled('div', `
|
const cssRuleDescription = styled('div', `
|
||||||
color: ${theme.text};
|
color: ${theme.text};
|
||||||
display: flex;
|
display: flex;
|
||||||
align-items: center;
|
align-items: top;
|
||||||
margin: 16px 0 8px 0;
|
margin: 16px 0 8px 0;
|
||||||
gap: 8px;
|
gap: 12px;
|
||||||
|
white-space: pre-line; /* preserve line breaks in long descriptions */
|
||||||
|
`);
|
||||||
|
|
||||||
|
const cssCheckbox = styled(squareCheckbox, `
|
||||||
|
flex: none;
|
||||||
`);
|
`);
|
||||||
|
|
||||||
const cssCellContent = styled('div', `
|
const cssCellContent = styled('div', `
|
||||||
|
@ -190,3 +190,25 @@ export function summarizePermissions(perms: MixedPermissionValue[]): MixedPermis
|
|||||||
const perm = perms[0];
|
const perm = perms[0];
|
||||||
return perms.some(p => p !== perm) ? 'mixed' : perm;
|
return perms.some(p => p !== perm) ? 'mixed' : perm;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
function isEmpty(permissions: PartialPermissionSet): boolean {
|
||||||
|
return Object.values(permissions).every(v => v === "");
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Divide up a PartialPermissionSet into two: one containing only the 'schemaEdit' permission bit,
|
||||||
|
* and the other containing everything else. Empty parts will be returned as undefined, except
|
||||||
|
* when both are empty, in which case nonSchemaEdit will be returned as an empty permission set.
|
||||||
|
*/
|
||||||
|
export function splitSchemaEditPermissionSet(permissions: PartialPermissionSet):
|
||||||
|
{schemaEdit?: PartialPermissionSet, nonSchemaEdit?: PartialPermissionSet} {
|
||||||
|
|
||||||
|
const schemaEdit = {...emptyPermissionSet(), schemaEdit: permissions.schemaEdit};
|
||||||
|
const nonSchemaEdit: PartialPermissionSet = {...permissions, schemaEdit: ""};
|
||||||
|
return {
|
||||||
|
schemaEdit: !isEmpty(schemaEdit) ? schemaEdit : undefined,
|
||||||
|
nonSchemaEdit: !isEmpty(nonSchemaEdit) || isEmpty(schemaEdit) ? nonSchemaEdit : undefined,
|
||||||
|
};
|
||||||
|
}
|
||||||
|
@ -1,9 +1,9 @@
|
|||||||
import {parsePermissions} from 'app/common/ACLPermissions';
|
import {parsePermissions, permissionSetToText, splitSchemaEditPermissionSet} from 'app/common/ACLPermissions';
|
||||||
import {AclRuleProblem} from 'app/common/ActiveDocAPI';
|
import {AclRuleProblem} from 'app/common/ActiveDocAPI';
|
||||||
import {ILogger} from 'app/common/BaseAPI';
|
import {ILogger} from 'app/common/BaseAPI';
|
||||||
import {DocData} from 'app/common/DocData';
|
import {DocData} from 'app/common/DocData';
|
||||||
import {AclMatchFunc, ParsedAclFormula, RulePart, RuleSet, UserAttributeRule} from 'app/common/GranularAccessClause';
|
import {AclMatchFunc, ParsedAclFormula, RulePart, RuleSet, UserAttributeRule} from 'app/common/GranularAccessClause';
|
||||||
import {getSetMapValue} from 'app/common/gutil';
|
import {getSetMapValue, isNonNullish} from 'app/common/gutil';
|
||||||
import {MetaRowRecord} from 'app/common/TableData';
|
import {MetaRowRecord} from 'app/common/TableData';
|
||||||
import {decodeObject} from 'app/plugin/objtypes';
|
import {decodeObject} from 'app/plugin/objtypes';
|
||||||
import sortBy = require('lodash/sortBy');
|
import sortBy = require('lodash/sortBy');
|
||||||
@ -34,7 +34,28 @@ const DEFAULT_RULE_SET: RuleSet = {
|
|||||||
}],
|
}],
|
||||||
};
|
};
|
||||||
|
|
||||||
|
// Check if the given resource is the special "SchemaEdit" resource, which only exists as a
|
||||||
|
// frontend representation.
|
||||||
|
export function isSchemaEditResource(resource: {tableId: string, colIds: string}): boolean {
|
||||||
|
return resource.tableId === SPECIAL_RULES_TABLE_ID && resource.colIds === 'SchemaEdit';
|
||||||
|
}
|
||||||
|
|
||||||
const SPECIAL_RULE_SETS: Record<string, RuleSet> = {
|
const SPECIAL_RULE_SETS: Record<string, RuleSet> = {
|
||||||
|
SchemaEdit: {
|
||||||
|
tableId: SPECIAL_RULES_TABLE_ID,
|
||||||
|
colIds: ['SchemaEdit'],
|
||||||
|
body: [{
|
||||||
|
aclFormula: "user.Access in [EDITOR, OWNER]",
|
||||||
|
matchFunc: (input) => ['editors', 'owners'].includes(String(input.user.Access)),
|
||||||
|
permissions: parsePermissions('+S'),
|
||||||
|
permissionsText: '+S',
|
||||||
|
}, {
|
||||||
|
aclFormula: "",
|
||||||
|
matchFunc: defaultMatchFunc,
|
||||||
|
permissions: parsePermissions('-S'),
|
||||||
|
permissionsText: '-S',
|
||||||
|
}],
|
||||||
|
},
|
||||||
AccessRules: {
|
AccessRules: {
|
||||||
tableId: SPECIAL_RULES_TABLE_ID,
|
tableId: SPECIAL_RULES_TABLE_ID,
|
||||||
colIds: ['AccessRules'],
|
colIds: ['AccessRules'],
|
||||||
@ -191,6 +212,21 @@ export class ACLRuleCollection {
|
|||||||
} else {
|
} else {
|
||||||
specialRuleSets.set(specialType, {...ruleSet, body: [...ruleSet.body, ...specialDefault.body]});
|
specialRuleSets.set(specialType, {...ruleSet, body: [...ruleSet.body, ...specialDefault.body]});
|
||||||
}
|
}
|
||||||
|
} else if (options.pullOutSchemaEdit && ruleSet.tableId === '*' && ruleSet.colIds === '*') {
|
||||||
|
// If pullOutSchemaEdit is requested, we move out rules with SchemaEdit permissions from
|
||||||
|
// the default resource into the ficticious "*SPECIAL:SchemaEdit" resource. This is used
|
||||||
|
// in the frontend only, to present those rules in a separate section.
|
||||||
|
const schemaParts = ruleSet.body.map(part => splitSchemaEditRulePart(part).schemaEdit).filter(isNonNullish);
|
||||||
|
|
||||||
|
if (schemaParts.length > 0) {
|
||||||
|
const specialType = 'SchemaEdit';
|
||||||
|
const specialDefault = specialRuleSets.get(specialType)!;
|
||||||
|
specialRuleSets.set(specialType, {
|
||||||
|
tableId: SPECIAL_RULES_TABLE_ID,
|
||||||
|
colIds: ['SchemaEdit'],
|
||||||
|
body: [...schemaParts, ...specialDefault.body]
|
||||||
|
});
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -203,9 +239,15 @@ export class ACLRuleCollection {
|
|||||||
for (const ruleSet of ruleSets) {
|
for (const ruleSet of ruleSets) {
|
||||||
if (ruleSet.tableId === '*') {
|
if (ruleSet.tableId === '*') {
|
||||||
if (ruleSet.colIds === '*') {
|
if (ruleSet.colIds === '*') {
|
||||||
|
// If pullOutSchemaEdit is requested, skip the SchemaEdit rules for the default resource;
|
||||||
|
// those got pulled out earlier into the fictitious "*SPECIAL:SchemaEdit" resource.
|
||||||
|
const body = options.pullOutSchemaEdit ?
|
||||||
|
ruleSet.body.map(part => splitSchemaEditRulePart(part).nonSchemaEdit).filter(isNonNullish) :
|
||||||
|
ruleSet.body;
|
||||||
|
|
||||||
defaultRuleSet = {
|
defaultRuleSet = {
|
||||||
...ruleSet,
|
...ruleSet,
|
||||||
body: [...ruleSet.body, ...DEFAULT_RULE_SET.body],
|
body: [...body, ...DEFAULT_RULE_SET.body],
|
||||||
};
|
};
|
||||||
} else {
|
} else {
|
||||||
// tableId of '*' cannot list particular columns.
|
// tableId of '*' cannot list particular columns.
|
||||||
@ -341,6 +383,11 @@ export interface ReadAclOptions {
|
|||||||
// 1. They would show in the UI
|
// 1. They would show in the UI
|
||||||
// 2. They would be saved back after editing, causing them to accumulate
|
// 2. They would be saved back after editing, causing them to accumulate
|
||||||
includeHelperCols?: boolean;
|
includeHelperCols?: boolean;
|
||||||
|
|
||||||
|
// If true, rules with 'schemaEdit' permission are moved out of the '*:*' resource into a
|
||||||
|
// fictitious '*SPECIAL:SchemaEdit' resource. This is used only on the client, to present
|
||||||
|
// schemaEdit as a separate checkbox. Such rules are saved back to the '*:*' resource.
|
||||||
|
pullOutSchemaEdit?: boolean;
|
||||||
}
|
}
|
||||||
|
|
||||||
export interface ReadAclResults {
|
export interface ReadAclResults {
|
||||||
@ -474,3 +521,37 @@ function readAclRules(docData: DocData, {log, compile, includeHelperCols}: ReadA
|
|||||||
}
|
}
|
||||||
return {ruleSets, userAttributes};
|
return {ruleSets, userAttributes};
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* In the UI, we present SchemaEdit rules in a separate section, even though in reality they live
|
||||||
|
* as schemaEdit permission bits among the rules for the default resource. This function splits a
|
||||||
|
* RulePart into two: one containing the schemaEdit permission bit, and the other containing the
|
||||||
|
* other bits. If either part is empty, it will be returned as undefined, but if both are empty,
|
||||||
|
* nonSchemaEdit will be included as a rule with empty permission bits.
|
||||||
|
*
|
||||||
|
* It's possible for both parts to be non-empty (for rules created before the updated UI), in
|
||||||
|
* which case the schemaEdit one will have a fake origRecord, to cause it to be saved as a new
|
||||||
|
* record when saving.
|
||||||
|
*/
|
||||||
|
function splitSchemaEditRulePart(rulePart: RulePart): {schemaEdit?: RulePart, nonSchemaEdit?: RulePart} {
|
||||||
|
const p = splitSchemaEditPermissionSet(rulePart.permissions);
|
||||||
|
let schemaEdit: RulePart|undefined;
|
||||||
|
let nonSchemaEdit: RulePart|undefined;
|
||||||
|
if (p.schemaEdit) {
|
||||||
|
schemaEdit = {...rulePart,
|
||||||
|
permissions: p.schemaEdit,
|
||||||
|
permissionsText: permissionSetToText(p.schemaEdit),
|
||||||
|
};
|
||||||
|
}
|
||||||
|
if (p.nonSchemaEdit) {
|
||||||
|
nonSchemaEdit = {...rulePart,
|
||||||
|
permissions: p.nonSchemaEdit,
|
||||||
|
permissionsText: permissionSetToText(p.nonSchemaEdit),
|
||||||
|
};
|
||||||
|
}
|
||||||
|
if (schemaEdit && nonSchemaEdit) {
|
||||||
|
schemaEdit.origRecord = {id: -1} as MetaRowRecord<'_grist_ACLRules'>;
|
||||||
|
}
|
||||||
|
return {schemaEdit, nonSchemaEdit};
|
||||||
|
}
|
||||||
|
@ -121,10 +121,12 @@ export function startsWith(value: string): RegExp {
|
|||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Helper to scroll an element into view.
|
* Helper to scroll an element into view. Returns the passed-in element.
|
||||||
*/
|
*/
|
||||||
export function scrollIntoView(elem: WebElement): Promise<void> {
|
export function scrollIntoView(elem: WebElement): WebElementPromise {
|
||||||
return driver.executeScript((el: any) => el.scrollIntoView({behavior: 'auto'}), elem);
|
return new WebElementPromise(driver,
|
||||||
|
driver.executeScript((el: any) => el.scrollIntoView({behavior: 'auto'}), elem)
|
||||||
|
.then(() => elem));
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
Loading…
Reference in New Issue
Block a user