(core) add some row-level access control

Summary: This implements a form of row-level access control where for a given table, you may specify that only owners have access to rows for which a given column has falsy values. For simplicity: * Only owners may edit that table. * Non-owners with the document open will have forced reloads whenever the table is modified. Baby steps... Test Plan: added tests Reviewers: dsagal Reviewed By: dsagal Differential Revision: https://phab.getgrist.com/D2633
2026-03-02 04:09:24 +00:00 · 2020-10-12 09:50:07 -04:00
parent 99ab09651e
commit a4929bde72
4 changed files with 214 additions and 28 deletions
--- a/app/common/GranularAccessClause.ts
+++ b/app/common/GranularAccessClause.ts
@@ -0,0 +1,37 @@
+/**
+ * All possible access clauses.  There aren't all that many yet.
+ * In future the clauses will become more generalized, and start specifying
+ * the principle / properties of the user to which they apply.
+ */
+export type GranularAccessClause =
+  GranularAccessDocClause |
+  GranularAccessTableClause |
+  GranularAccessRowClause;
+
+/**
+ * A clause that forbids anyone but owners from modifying the document structure.
+ */
+export interface GranularAccessDocClause {
+  kind: 'doc';
+  rule: 'only-owner-can-modify-structure';
+}
+
+/**
+ * A clause that forbids anyone but owners from accessing a particular table.
+ */
+export interface GranularAccessTableClause {
+  kind: 'table';
+  tableId: string;
+  rule: 'only-owner-can-access';
+}
+
+/**
+ * A clause that forbids anyone but owners from editing a particular table
+ * or viewing rows for which the named column contains a falsy value.
+ */
+export interface GranularAccessRowClause {
+  kind: 'row';
+  tableId: string;
+  colId: string;
+  rule: 'only-owner-can-edit-table-and-access-all-rows';
+}