Archives/gristlabs_grist-core
1
0
Fork 0
mirror of https://github.com/gristlabs/grist-core.git synced 2024-10-27 20:44:07 +00:00
Code Issues Projects Releases Wiki Activity

(core) make sure Calculate action has full access

Browse Source 
Summary:
Exceptional document operations (particularly `system` and `nascent`
operations) should never be denied by a granular access rule.

Test Plan: added test

Reviewers: dsagal

Reviewed By: dsagal

Differential Revision: https://phab.getgrist.com/D2792
This commit is contained in:
Paul Fitzpatrick 2021-04-28 15:45:06 -04:00
parent 2823727da1
commit 729774552f
1 changed files with 7 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
app/server/lib/GranularAccess.ts
View File

@ -1377,14 +1377,15 @@ export class GranularAccess implements GranularAccessForBundle {
// TODO: deal with ReplaceTableData, which both deletes and creates rows. // TODO: deal with ReplaceTableData, which both deletes and creates rows.
private async _getAccessForActionType(docSession: OptDocSession, a: DocAction, private async _getAccessForActionType(docSession: OptDocSession, a: DocAction,
severity: 'check'|'fatal'): Promise<IAccessCheck> { severity: 'check'|'fatal'): Promise<IAccessCheck> {
if (docSession.mode === 'system' || docSession.mode === 'nascent') {
return dummyAccessCheck;
}
const tableId = getTableId(a); const tableId = getTableId(a);
if (STRUCTURAL_TABLES.has(tableId)) { if (STRUCTURAL_TABLES.has(tableId)) {
// Special case: ensure owners always have full access to ACL tables, so they // Special case: ensure owners always have full access to ACL tables, so they
// can change rules and don't get stuck. // can change rules and don't get stuck.
if (isAclTable(tableId) && await this.isOwner(docSession)) { if (isAclTable(tableId) && await this.isOwner(docSession)) {
return { return dummyAccessCheck;
get() { return 'allow'; }
};
} }
// Otherwise, access to structural tables currently follows the schemaEdit flag. // Otherwise, access to structural tables currently follows the schemaEdit flag.
return accessChecks[severity].schemaEdit; return accessChecks[severity].schemaEdit;
@ -1591,6 +1592,9 @@ export const accessChecks = {
// The AccessCheck for the "read" permission is used enough to merit a shortcut. // The AccessCheck for the "read" permission is used enough to merit a shortcut.
const readAccessCheck = accessChecks.check.read; const readAccessCheck = accessChecks.check.read;
// This AccessCheck allows everything.
const dummyAccessCheck = { get() { return 'allow'; } }
/** /**
* Manage censoring metadata. * Manage censoring metadata.