From b2fabb0ebc66efe0832a4d0f9c77f1d5a80c316d Mon Sep 17 00:00:00 2001
From: Paul Fitzpatrick <paulfitz@alum.mit.edu>
Date: Tue, 15 Dec 2020 09:28:51 -0500
Subject: [PATCH] (core) respect table wildcard in granular acl rules for
 censorship

Summary:
The client relies on metadata tables for laying out pages and sections.
These tables are filtered according to what tables the user has access
to, in a crude way.  This diff updates the logic to at least support
the table wildcard.

Test Plan: added tests

Reviewers: dsagal

Reviewed By: dsagal

Differential Revision: https://phab.getgrist.com/D2690
---
 app/server/lib/GranularAccess.ts | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)

diff --git a/app/server/lib/GranularAccess.ts b/app/server/lib/GranularAccess.ts
index 48f5112e..6860f5a1 100644
--- a/app/server/lib/GranularAccess.ts
+++ b/app/server/lib/GranularAccess.ts
@@ -376,12 +376,12 @@ export class GranularAccess {
     const columnCode = (tableRef: number, colId: string) => `${tableRef} ${colId}`;
     const censoredColumnCodes: Set<string> = new Set();
     const permInfo = await this._getAccess(docSession);
-    for (const tableId of this._ruleCollection.getAllTableIds()) {
+    for (const rec of this._docData.getTable('_grist_Tables')!.getRecords()) {
+      const tableId = rec.tableId as string;
+      const tableRef = rec.id;
       const tableAccess = permInfo.getTableAccess(tableId);
-      let tableRef: number|undefined = 0;
       if (tableAccess.read === 'deny') {
-        tableRef = this._docData.getTable('_grist_Tables')?.findRow('tableId', tableId);
-        if (tableRef) { censoredTables.add(tableRef); }
+        censoredTables.add(tableRef);
       }
       // TODO If some columns are allowed and the rest (*) are denied, we need to be able to
       // censor all columns outside a set.
@@ -389,10 +389,7 @@ export class GranularAccess {
         if (Array.isArray(ruleSet.colIds)) {
           for (const colId of ruleSet.colIds) {
             if (permInfo.getColumnAccess(tableId, colId).read === 'deny') {
-              if (!tableRef) {
-                tableRef = this._docData.getTable('_grist_Tables')?.findRow('tableId', tableId);
-              }
-              if (tableRef) { censoredColumnCodes.add(columnCode(tableRef, colId)); }
+              censoredColumnCodes.add(columnCode(tableRef, colId));
             }
           }
         }