(core) back-end support for tables that are accessible only by owners

Summary: This makes it possible to serve a table or tables only to owners. * The _grist_ACLResources table is abused (temporarily) such that rows of the form `{colId: '~o', tableId}` are interpreted as meaning that `tableId` is private to owners. * Many websocket and api endpoints are updated to preserve the privacy of these tables. * In a document where some tables are private, a lot of capabilities are turned off for non-owners to avoid leaking info indirectly. * The client is tweaked minimally, to show '-' where a page with some private material would otherwise go. No attempt is made to protect data from private tables pulled into non-private tables via formulas. There are some known leaks remaining: * Changes to the schema of private tables are still broadcast to all clients (fixable). * Non-owner may be able to access snapshots or make forks or use other corners of API (fixable). * Changing name of table makes it public, since tableId in ACLResource is not updated (fixable). Security will require some work, the attack surface is large. Test Plan: added tests Reviewers: dsagal Reviewed By: dsagal Differential Revision: https://phab.getgrist.com/D2604
2026-03-02 04:09:24 +00:00 · 2020-09-11 16:27:09 -04:00
parent 2ea8b8d71f
commit 45d2d5f897
10 changed files with 463 additions and 52 deletions
--- a/sandbox/grist/acl.py
+++ b/sandbox/grist/acl.py
@@ -119,6 +119,9 @@ class ResourceMap(object):
      table_id = resource.tableId or None
      if not resource.colIds:
        self._default_resources[table_id] = resource
+      elif resource.colIds.startswith('~'):
+        # Rows with colIds that start with '~' are for trial purposes - ignore.
+        pass
      else:
        col_id_set = set(resource.colIds.split(','))
        self._col_resources.setdefault(table_id, []).append((resource, col_id_set))