(core) process GristDocAPI calls from custom widgets in the client

Summary: Processing these calls in the client, rather than passing them on to the backend, means that access rules are more straightforward to apply. An unrelated fix is included to filter _grist_ tables when fetched individually - metadata could leak through this path. Test Plan: added tests Reviewers: dsagal Reviewed By: dsagal Differential Revision: https://phab.getgrist.com/D2954
2026-03-02 04:09:24 +00:00 · 2021-07-30 10:10:54 -04:00
parent 1d1a9297f8
commit 6b3ac07ca7
3 changed files with 60 additions and 9 deletions
--- a/app/server/lib/GranularAccess.ts
+++ b/app/server/lib/GranularAccess.ts
@@ -636,7 +636,7 @@ export class GranularAccess implements GranularAccessForBundle {
    // If user has right to read everything, return immediately.
    if (await this.canReadEverything(docSession)) { return tables; }
    // If we are going to modify metadata, make a copy.
-    tables = JSON.parse(JSON.stringify(tables));
+    tables = cloneDeep(tables);

    const permInfo = await this._getAccess(docSession);
    const censor = new CensorshipInfo(permInfo, this._ruler.ruleCollection, tables,