(core) treat summary tables like formulas for access control purposes

Summary: This unsets the `direct` flag for actions emitted when summary tables are updated. That means those actions will be ignored for access control purposes. So if a user has the right to change a source table, the resulting changes to the summary won't result in the overall action bundle being forbidden. I don't think I've actually seen the use case that inspired this issue being filed. I could imagine perhaps a user forbidden from creating rows globally making permitted updates that could add rows in a summary (and it being desirable to allow that). Test Plan: added tests Reviewers: jarek Reviewed By: jarek Subscribers: dsagal, alexmojaki, jarek Differential Revision: https://phab.getgrist.com/D3022
2026-03-02 04:09:24 +00:00 · 2021-09-15 16:18:00 -04:00
parent e5ebc4668c
commit 7907467dbc
4 changed files with 49 additions and 12 deletions
--- a/sandbox/grist/table.py
+++ b/sandbox/grist/table.py
@@ -294,7 +294,12 @@ class Table(object):
    if summary_table._summary_simple:
      @usertypes.formulaType(usertypes.Reference(summary_table.table_id))
      def _updateSummary(rec, table):  # pylint: disable=unused-argument
-        return summary_table.lookupOrAddDerived(**{c: getattr(rec, c) for c in groupby_cols})
+        try:
+          # summary table output should be treated as we treat formula columns, for acl purposes
+          self._engine.user_actions.enter_indirection()
+          return summary_table.lookupOrAddDerived(**{c: getattr(rec, c) for c in groupby_cols})
+        finally:
+          self._engine.user_actions.leave_indirection()
    else:
      @usertypes.formulaType(usertypes.ReferenceList(summary_table.table_id))
      def _updateSummary(rec, table):  # pylint: disable=unused-argument
@@ -333,9 +338,14 @@ class Table(object):
            new_row_ids.append(None)

        if new_row_ids and not self._engine.is_triggered_by_table_action(summary_table.table_id):
-          result += self._engine.user_actions.BulkAddRecord(
-            summary_table.table_id, new_row_ids, values_to_add
-          )
+          try:
+            # summary table output should be treated as we treat formula columns, for acl purposes
+            self._engine.user_actions.enter_indirection()
+            result += self._engine.user_actions.BulkAddRecord(
+              summary_table.table_id, new_row_ids, values_to_add
+            )
+          finally:
+            self._engine.user_actions.leave_indirection()

        return result