(core) apply SchemaEdit flag to metadata changes in general
Summary: A user without SchemaEdit permission was able to reorder pages, since this changes _grist_Pages, and that table was left under control of regular access rules. This diff tightens things up, to require SchemaEdit for all metadata edits. The one remaining exception is _grist_Attachments, which needs some reworking to play well with granular access. Test Plan: extended test Reviewers: dsagal Reviewed By: dsagal Differential Revision: https://phab.getgrist.com/D3025
This commit is contained in:
parent
4fcdd2ba07
commit
d5a7fb23fe
@ -1664,13 +1664,16 @@ export class GranularAccess implements GranularAccessForBundle {
|
|||||||
return dummyAccessCheck;
|
return dummyAccessCheck;
|
||||||
}
|
}
|
||||||
const tableId = getTableId(a);
|
const tableId = getTableId(a);
|
||||||
if (STRUCTURAL_TABLES.has(tableId)) {
|
if (tableId.startsWith('_grist') && tableId !== '_grist_Attachments') {
|
||||||
// Special case: ensure owners always have full access to ACL tables, so they
|
// Actions on any metadata table currently require the schemaEdit flag.
|
||||||
|
// Exception: the attachments table, which needs to be reworked to be compatible
|
||||||
|
// with granular access.
|
||||||
|
|
||||||
|
// Another exception: ensure owners always have full access to ACL tables, so they
|
||||||
// can change rules and don't get stuck.
|
// can change rules and don't get stuck.
|
||||||
if (isAclTable(tableId) && await this.isOwner(docSession)) {
|
if (isAclTable(tableId) && await this.isOwner(docSession)) {
|
||||||
return dummyAccessCheck;
|
return dummyAccessCheck;
|
||||||
}
|
}
|
||||||
// Otherwise, access to structural tables currently follows the schemaEdit flag.
|
|
||||||
return accessChecks[severity].schemaEdit;
|
return accessChecks[severity].schemaEdit;
|
||||||
} else if (a[0] === 'UpdateRecord' || a[0] === 'BulkUpdateRecord') {
|
} else if (a[0] === 'UpdateRecord' || a[0] === 'BulkUpdateRecord') {
|
||||||
return accessChecks[severity].update;
|
return accessChecks[severity].update;
|
||||||
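Review bot: The new gate `if (tableId.startsWith('_grist') && tableId !== '_grist_Attachments') {` encodes a security-relevant classification ("is this a metadata table?") as two inline string literals, and the prefix is `_grist` rather than `_grist_`, so it silently relies on no user table ever receiving an id that begins with `_grist`. If identifier sanitization guarantees that elsewhere, the comment above the condition should say so; if not, the effect is still fail-closed (such a table would merely require SchemaEdit), but that is worth stating rather than leaving implicit. Consider hoisting the test into a small named helper, `function isMetadataTable(tableId: string): boolean { return tableId.startsWith('_grist') && tableId !== '_grist_Attachments'; }`, so the attachments exception lives in exactly one place when it is reworked as the description anticipates. The enclosing method starts and ends outside the hunk.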
|