mirror of
https://github.com/gristlabs/grist-core.git
synced 2026-03-02 04:09:24 +00:00
(core) treat summary tables like formulas for access control purposes
Summary: This unsets the `direct` flag for actions emitted when summary tables are updated. That means those actions will be ignored for access control purposes. So if a user has the right to change a source table, the resulting changes to the summary won't result in the overall action bundle being forbidden. I don't think I've actually seen the use case that inspired this issue being filed. I could imagine perhaps a user forbidden from creating rows globally making permitted updates that could add rows in a summary (and it being desirable to allow that). Test Plan: added tests Reviewers: jarek Reviewed By: jarek Subscribers: dsagal, alexmojaki, jarek Differential Revision: https://phab.getgrist.com/D3022
This commit is contained in:
Paul Fitzpatrick
@@ -78,9 +78,7 @@ export interface ImportOptions {
|
||||
*/
|
||||
interface BaseQuery {
|
||||
tableId: string;
|
||||
filters: {
|
||||
[colId: string]: any[];
|
||||
};
|
||||
filters: QueryFilters;
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -101,6 +99,14 @@ export interface ServerQuery extends BaseQuery {
|
||||
limit?: number;
|
||||
}
|
||||
|
||||
/**
|
||||
* Type of the filters option to queries.
|
||||
*/
|
||||
export interface QueryFilters {
|
||||
// TODO: check if "any" can be replaced with "CellValue".
|
||||
[colId: string]: any[];
|
||||
}
|
||||
|
||||
export type QueryOperation = "in" | "intersects";
|
||||
|
||||
/**
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
import {ActionSummary} from 'app/common/ActionSummary';
|
||||
import {ApplyUAResult} from 'app/common/ActiveDocAPI';
|
||||
import {ApplyUAResult, QueryFilters} from 'app/common/ActiveDocAPI';
|
||||
import {BaseAPI, IOptions} from 'app/common/BaseAPI';
|
||||
import {BillingAPI, BillingAPIImpl} from 'app/common/BillingAPI';
|
||||
import {BrowserSettings} from 'app/common/BrowserSettings';
|
||||
@@ -337,7 +337,7 @@ export interface UserAPI {
|
||||
* reasons, such as downloads.
|
||||
*/
|
||||
export interface DocAPI {
|
||||
getRows(tableId: string): Promise<TableColValues>;
|
||||
getRows(tableId: string, options?: { filters?: QueryFilters }): Promise<TableColValues>;
|
||||
updateRows(tableId: string, changes: TableColValues): Promise<number[]>;
|
||||
addRows(tableId: string, additions: BulkColValues): Promise<number[]>;
|
||||
removeRows(tableId: string, removals: number[]): Promise<number[]>;
|
||||
@@ -728,8 +728,9 @@ export class DocAPIImpl extends BaseAPI implements DocAPI {
|
||||
this._url = `${url}/api/docs/${docId}`;
|
||||
}
|
||||
|
||||
public async getRows(tableId: string): Promise<TableColValues> {
|
||||
return this.requestJson(`${this._url}/tables/${tableId}/data`);
|
||||
public async getRows(tableId: string, options?: { filters?: QueryFilters }): Promise<TableColValues> {
|
||||
const query = options?.filters ? ("?filter=" + encodeURIComponent(JSON.stringify(options.filters))) : '';
|
||||
return this.requestJson(`${this._url}/tables/${tableId}/data${query}`);
|
||||
}
|
||||
|
||||
public async updateRows(tableId: string, changes: TableColValues): Promise<number[]> {
|
||||
|
||||
Reference in New Issue
Block a user