(core) make sure Calculate action has full access

Summary: Exceptional document operations (particularly `system` and `nascent` operations) should never be denied by a granular access rule. Test Plan: added test Reviewers: dsagal Reviewed By: dsagal Differential Revision: https://phab.getgrist.com/D2792
3 years ago · 729774552f
parent 2823727da1
commit 729774552f
1 changed files with 7 additions and 3 deletions
--- a/app/server/lib/GranularAccess.ts
+++ b/app/server/lib/GranularAccess.ts
@ -1377,14 +1377,15 @@ export class GranularAccess implements GranularAccessForBundle {
  // TODO: deal with ReplaceTableData, which both deletes and creates rows.
  private async _getAccessForActionType(docSession: OptDocSession, a: DocAction,
                                        severity: 'check'|'fatal'): Promise<IAccessCheck> {
+    if (docSession.mode === 'system' || docSession.mode === 'nascent') {
+      return dummyAccessCheck;
+    }
    const tableId = getTableId(a);
    if (STRUCTURAL_TABLES.has(tableId)) {
      // Special case: ensure owners always have full access to ACL tables, so they
      // can change rules and don't get stuck.
      if (isAclTable(tableId) && await this.isOwner(docSession)) {
-        return {
-          get() { return 'allow'; }
-        };
+        return dummyAccessCheck;
      }
      // Otherwise, access to structural tables currently follows the schemaEdit flag.
      return accessChecks[severity].schemaEdit;
@ -1591,6 +1592,9 @@ export const accessChecks = {
 // The AccessCheck for the "read" permission is used enough to merit a shortcut.
 const readAccessCheck = accessChecks.check.read;

+// This AccessCheck allows everything.
+const dummyAccessCheck = { get() { return 'allow'; } }
+

 /**
 * Manage censoring metadata.