Introduce GRIST_ANON_PLAYGROUND variable #642 (#651)

* `GRIST_ANON_PLAYGROUND`: When set to 'false' deny anonymous users access to the home page * `GRIST_FORCE_LOGIN`: Much like `GRIST_ANON_PLAYGROUND` but don't support anonymous access at all (features like sharing docs publicly requires authentication) --------- Co-authored-by: Florent FAYOLLE <florent.fayolle@beta.gouv.fr>
2026-03-02 04:09:24 +00:00 · 2023-09-08 15:05:52 +02:00
parent dc5ddc27b0
commit 5ff79703b4
11 changed files with 149 additions and 12 deletions
--- a/test/server/lib/DocApi.ts
+++ b/test/server/lib/DocApi.ts
@@ -120,6 +120,24 @@ describe('DocApi', function () {
    testDocApi();
  });

+  describe('With GRIST_ANON_PLAYGROUND disabled', async () => {
+    setup('anon-playground', async () => {
+      const additionalEnvConfiguration = {
+        ALLOWED_WEBHOOK_DOMAINS: `example.com,localhost:${webhooksTestPort}`,
+        GRIST_DATA_DIR: dataDir,
+        GRIST_ANON_PLAYGROUND: 'false'
+      };
+      home = docs = await TestServer.startServer('home,docs', tmpDir, suitename, additionalEnvConfiguration);
+      homeUrl = serverUrl = home.serverUrl;
+      hasHomeApi = true;
+    });
+
+    it('should not allow anonymous users to create new docs', async () => {
+      const resp = await axios.post(`${serverUrl}/api/docs`, null, nobody);
+      assert.equal(resp.status, 403);
+    });
+  });
+
  // the way these tests are written, non-merged server requires redis.
  if (process.env.TEST_REDIS_URL) {
    describe("should work with a home server and a docworker", async () => {