(core) add a user.SessionID value for trigger formulas and granular access rules

Summary: This makes a `user.SessionID` value available in information about the user, for use with trigger formulas and granular access rules. The ID should be constant within a browser session for anonymous user. For logged in users it simply reflects their user id. This ID makes it possible to write access rules and trigger formulas that allow different anonymous users to create, view, and edit their own records in a document. For example, you could have a brain-storming document for puns, and allow anyone to add to it (without logging in), letting people edit their own records, but not showing the records to others until they are approved by a moderator. Without something like this, we could only let anonymous people add one field of a record, and not have a secure way to let them edit that field or others in the same record. Also adds a `user.IsLoggedIn` flag in passing. Test Plan: Added a test, updated tests. The test added is a mini-moderation doc, don't use it for real because it allows users to edit their entries after a moderator has approved them. Reviewers: georgegevoian Reviewed By: georgegevoian Subscribers: dsagal Differential Revision: https://phab.getgrist.com/D3273
2026-03-02 04:09:24 +00:00 · 2022-02-22 10:42:06 -05:00
parent 95592b81bd
commit accd640078
11 changed files with 73 additions and 10 deletions
--- a/sandbox/grist/test_completion.py
+++ b/sandbox/grist/test_completion.py
@@ -10,7 +10,9 @@ class TestCompletion(test_engine.EngineTestCase):
    'LinkKey': {},
    'Origin': None,
    'Email': 'foo@example.com',
-    'Access': 'owners'
+    'Access': 'owners',
+    'SessionID': 'u1',
+    'IsLoggedIn': True
  }

  def setUp(self):
@@ -85,9 +87,11 @@ class TestCompletion(test_engine.EngineTestCase):
      [
        'user.Access',
        'user.Email',
+        'user.IsLoggedIn',
        'user.LinkKey',
        'user.Name',
        'user.Origin',
+        'user.SessionID',
        'user.StudentInfo',
        'user.UserID'
      ]
@@ -114,16 +118,20 @@ class TestCompletion(test_engine.EngineTestCase):
      'Email': 'baro@example.com',
      'LinkKey': {},
      'UserID': 2,
-      'Access': 'owners'
+      'Access': 'owners',
+      'SessionID': 'u2',
+      'IsLoggedIn': True
    }
    self.assertEqual(
      self.engine.autocomplete("user.", "Schools", "lastModified", user2),
      [
        'user.Access',
        'user.Email',
+        'user.IsLoggedIn',
        'user.LinkKey',
        'user.Name',
        'user.Origin',
+        'user.SessionID',
        'user.UserID'
      ]
    )
--- a/sandbox/grist/test_renames.py
+++ b/sandbox/grist/test_renames.py
@@ -314,7 +314,9 @@ class TestRenames(test_engine.EngineTestCase):
      'LinkKey': {},
      'Origin': None,
      'Email': 'foo@example.com',
-      'Access': 'owners'
+      'Access': 'owners',
+      'SessionID': 'u1',
+      'IsLoggedIn': True
    }

    # Renaming a table should not leave the old name available for auto-complete.
--- a/sandbox/grist/test_trigger_formulas.py
+++ b/sandbox/grist/test_trigger_formulas.py
@@ -566,7 +566,9 @@ class TestTriggerFormulas(test_engine.EngineTestCase):
      'LinkKey': {},
      'Origin': None,
      'Email': 'foo.bar@getgrist.com',
-      'Access': 'owners'
+      'Access': 'owners',
+      'SessionID': 'u1',
+      'IsLoggedIn': True
    }
    user2 = {
      'Name': 'Baz Qux',
@@ -575,7 +577,9 @@ class TestTriggerFormulas(test_engine.EngineTestCase):
      'LinkKey': {},
      'Origin': None,
      'Email': 'baz.qux@getgrist.com',
-      'Access': 'owners'
+      'Access': 'owners',
+      'SessionID': 'u2',
+      'IsLoggedIn': True
    }
    # Use formula to store last modified by data (user name and email). Check that it works as expected.
    self.load_sample(self.sample)
--- a/sandbox/grist/test_user.py
+++ b/sandbox/grist/test_user.py
@@ -19,7 +19,9 @@ class TestUser(test_engine.EngineTestCase):
        'Param2': 'Param2Value'
      },
      'Origin': 'https://getgrist.com',
-      'StudentInfo': ['Students', 1]
+      'StudentInfo': ['Students', 1],
+      'SessionID': 'u1',
+      'IsLoggedIn': True
    }
    u = User(data, self.engine.tables)
    self.assertEqual(u.Name, 'Foo Bar')
@@ -45,7 +47,9 @@ class TestUser(test_engine.EngineTestCase):
        'Param2': 'Param2Value'
      },
      'Origin': 'https://getgrist.com',
-      'StudentInfo': ['Students', 1]
+      'StudentInfo': ['Students', 1],
+      'SessionID': 'u1',
+      'IsLoggedIn': True
    }
    u = User(data, self.engine.tables, is_sample=True)
    self.assertEqual(u.StudentInfo.id, 0)
--- a/sandbox/grist/user.py
+++ b/sandbox/grist/user.py
@@ -17,6 +17,8 @@ the following fields:
 - Name: string or None
 - Origin: string or None
 - LinkKey: dictionary
+ - SessionID: string or None
+ - IsLoggedIn: boolean

 Additional keys may be included, which may have a value that is
 either None or of type tuple with the following shape:
@@ -40,7 +42,8 @@ class User(object):
  typed equivalents, for use by autocompletion.
  """
  def __init__(self, data, tables, is_sample=False):
-    for attr in ('Access', 'UserID', 'Email', 'Name', 'Origin'):
+    for attr in ('Access', 'UserID', 'Email', 'Name', 'Origin', 'SessionID',
+                 'IsLoggedIn'):
      setattr(self, attr, data[attr])

    self.LinkKey = LinkKey(data['LinkKey'])