From 92ef1f400cb8c0bc9494f395442348960a3ba969 Mon Sep 17 00:00:00 2001
From: Paul Fitzpatrick
Date: Fri, 5 Mar 2021 12:12:17 -0500
Subject: [PATCH] (core) prevent cross-talk via cache when applying access control to tables
Summary: This fixes a bug where one client's access control limits could remove data from others via a cache.
Test Plan: added test
Reviewers: dsagal
Reviewed By: dsagal
Differential Revision: https://phab.getgrist.com/D2748
---
 app/server/lib/ActiveDoc.ts | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/app/server/lib/ActiveDoc.ts b/app/server/lib/ActiveDoc.ts
index 89285e7d..9cb51601 100644
--- a/app/server/lib/ActiveDoc.ts
+++ b/app/server/lib/ActiveDoc.ts
@@ -10,6 +10,7 @@ import * as bluebird from 'bluebird';
 import {EventEmitter} from 'events';
 import {IMessage, MsgType} from 'grain-rpc';
 import * as imageSize from 'image-size';
+import cloneDeep = require('lodash/cloneDeep');
 import flatten = require('lodash/flatten');
 import remove = require('lodash/remove');
 import zipObject = require('lodash/zipObject');
@@ -635,7 +636,8 @@ export class ActiveDoc extends EventEmitter {
 // If row-level access is being controlled, filter the data appropriately.
 // Likewise if column-level access is being controlled.
 if (this._granularAccess.getReadPermission(tableAccess) !== 'allow') {
- await this._granularAccess.filterData(docSession, data!);
+ data = cloneDeep(data!); // Clone since underlying fetch may be cached and shared.
+ await this._granularAccess.filterData(docSession, data);
 }
 this.logInfo(docSession, "fetchQuery -> %d rows, cols: %s", data![2].length, Object.keys(data![3]).join(", "));
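Review bot: The clone protects the shared cache only on the filtered path of the second hunk; when `getReadPermission(tableAccess)` is `'allow'`, the `data` object that the new comment describes as possibly cached and shared is still passed on un-copied, so a later in-place edit by any caller would cross sessions in the same way. Whether callers mutate it is not visible here, since the enclosing method of `ActiveDoc` starts and ends outside the hunk. I would state the invariant where the fetch result is obtained, e.g. `// Fetch results may be cached and shared between sessions: treat as read-only, clone before mutating.`, and consider having `filterData` return a filtered copy so a future call site cannot reintroduce the mutation. The diffstat lists only ActiveDoc.ts, so the test named in the test plan is not part of this patch; a regression test that fetches the same table from a restricted and an unrestricted session and checks that the unrestricted result is still complete would pin the fix.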