Archives/gristlabs_grist-core
1
0
Fork 0
mirror of https://github.com/gristlabs/grist-core.git synced 2026-03-02 04:09:24 +00:00
Code Issues Projects Releases Wiki Activity

(core) add a user.SessionID value for trigger formulas and granular access rules

Browse Source 
Summary:
This makes a `user.SessionID` value available in information about the user, for use with trigger formulas and granular access rules. The ID should be constant within a browser session for anonymous user. For logged in users it simply reflects their user id.

This ID makes it possible to write access rules and trigger formulas that allow different anonymous users to create, view, and edit their own records in a document.

For example, you could have a brain-storming document for puns, and allow anyone to add to it (without logging in), letting people edit their own records, but not showing the records to others until they are approved by a moderator. Without something like this, we could only let anonymous people add one field of a record, and not have a secure way to let them edit that field or others in the same record.

Also adds a `user.IsLoggedIn` flag in passing.

Test Plan: Added a test, updated tests. The test added is a mini-moderation doc, don't use it for real because it allows users to edit their entries after a moderator has approved them.

Reviewers: georgegevoian

Reviewed By: georgegevoian

Subscribers: dsagal

Differential Revision: https://phab.getgrist.com/D3273
This commit is contained in:
Paul Fitzpatrick
2022-02-22 10:42:06 -05:00
parent 95592b81bd
commit accd640078
11 changed files with 73 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
app/server/lib/BrowserSession.ts
View File

@@ -53,6 +53,13 @@ export interface SessionObj {
// This gets set to encourage express-session to set a cookie. Was a boolean in the past.
alive?: number;
altSessionId?: string; // An ID unique to the session, but which isn't related
// to the session id used to lookup the cookie. This ID
// is suitable for embedding in documents that allows
// anonymous editing (e.g. to allow the user to edit
// something they just added, without allowing the suer
// to edit other people's contributions).
}
// Make an artificial change to a session to encourage express-session to set a cookie.
@@ -138,6 +145,7 @@ export function linkOrgWithEmail(session: SessionObj, email: string, org: string
export class ScopedSession {
private _sessionCache?: SessionObj;
private _live: boolean; // if set, never cache session in memory.
private _altSessionId?: string;
/**
* Create an interface to the session identified by _sessionId, in the store identified
@@ -220,6 +228,10 @@ export class ScopedSession {
await this._setSession(req, session);
}
public getAltSessionId(): string | undefined {
return this._altSessionId;
}
/**
* Read the state of the session.
*/
@@ -227,6 +239,7 @@ export class ScopedSession {
if (this._sessionCache) { return this._sessionCache; }
const session = ((await this._sessionStore.getAsync(this._sessionId)) || {}) as SessionObj;
if (!this._live) { this._sessionCache = session; }
this._altSessionId = session.altSessionId;
return session;
}