(core) treat summary tables like formulas for access control purposes

Summary: This unsets the `direct` flag for actions emitted when summary tables are updated. That means those actions will be ignored for access control purposes. So if a user has the right to change a source table, the resulting changes to the summary won't result in the overall action bundle being forbidden. I don't think I've actually seen the use case that inspired this issue being filed. I could imagine perhaps a user forbidden from creating rows globally making permitted updates that could add rows in a summary (and it being desirable to allow that). Test Plan: added tests Reviewers: jarek Reviewed By: jarek Subscribers: dsagal, alexmojaki, jarek Differential Revision: https://phab.getgrist.com/D3022
2026-03-02 04:09:24 +00:00 · 2021-09-15 16:18:00 -04:00
parent e5ebc4668c
commit 7907467dbc
4 changed files with 49 additions and 12 deletions
--- a/app/common/ActiveDocAPI.ts
+++ b/app/common/ActiveDocAPI.ts
@@ -78,9 +78,7 @@ export interface ImportOptions {
 */
 interface BaseQuery {
  tableId: string;
-  filters: {
-    [colId: string]: any[];
-  };
+  filters: QueryFilters;
 }

 /**
@@ -101,6 +99,14 @@ export interface ServerQuery extends BaseQuery {
  limit?: number;
 }

+/**
+ * Type of the filters option to queries.
+ */
+export interface QueryFilters {
+  // TODO: check if "any" can be replaced with "CellValue".
+  [colId: string]: any[];
+}
+
 export type QueryOperation = "in" | "intersects";

 /**