(core) respect table wildcard in granular acl rules for censorship

Summary:
The client relies on metadata tables for laying out pages and sections.
These tables are filtered according to what tables the user has access
to, in a crude way.  This diff updates the logic to at least support
the table wildcard.

Test Plan: added tests

Reviewers: dsagal

Reviewed By: dsagal

Differential Revision: https://phab.getgrist.com/D2690
This commit is contained in:
Paul Fitzpatrick 2020-12-15 09:28:51 -05:00
parent de35be6b0a
commit b2fabb0ebc

View File

@ -376,12 +376,12 @@ export class GranularAccess {
const columnCode = (tableRef: number, colId: string) => `${tableRef} ${colId}`; const columnCode = (tableRef: number, colId: string) => `${tableRef} ${colId}`;
const censoredColumnCodes: Set<string> = new Set(); const censoredColumnCodes: Set<string> = new Set();
const permInfo = await this._getAccess(docSession); const permInfo = await this._getAccess(docSession);
for (const tableId of this._ruleCollection.getAllTableIds()) { for (const rec of this._docData.getTable('_grist_Tables')!.getRecords()) {
const tableId = rec.tableId as string;
const tableRef = rec.id;
const tableAccess = permInfo.getTableAccess(tableId); const tableAccess = permInfo.getTableAccess(tableId);
let tableRef: number|undefined = 0;
if (tableAccess.read === 'deny') { if (tableAccess.read === 'deny') {
tableRef = this._docData.getTable('_grist_Tables')?.findRow('tableId', tableId); censoredTables.add(tableRef);
if (tableRef) { censoredTables.add(tableRef); }
} }
// TODO If some columns are allowed and the rest (*) are denied, we need to be able to // TODO If some columns are allowed and the rest (*) are denied, we need to be able to
// censor all columns outside a set. // censor all columns outside a set.
@ -389,10 +389,7 @@ export class GranularAccess {
if (Array.isArray(ruleSet.colIds)) { if (Array.isArray(ruleSet.colIds)) {
for (const colId of ruleSet.colIds) { for (const colId of ruleSet.colIds) {
if (permInfo.getColumnAccess(tableId, colId).read === 'deny') { if (permInfo.getColumnAccess(tableId, colId).read === 'deny') {
if (!tableRef) { censoredColumnCodes.add(columnCode(tableRef, colId));
tableRef = this._docData.getTable('_grist_Tables')?.findRow('tableId', tableId);
}
if (tableRef) { censoredColumnCodes.add(columnCode(tableRef, colId)); }
} }
} }
} }