(core) apply SchemaEdit flag to metadata changes in general

Summary:
A user without SchemaEdit permission was able to reorder pages, since
this changes _grist_Pages, and that table was left under control of
regular access rules.  This diff tightens things up, to require
SchemaEdit for all metadata edits.  The one remaining exception is
_grist_Attachments, which needs some reworking to play well with
granular access.

Test Plan: extended test

Reviewers: dsagal

Reviewed By: dsagal

Differential Revision: https://phab.getgrist.com/D3025
This commit is contained in:
Paul Fitzpatrick 2021-09-16 12:49:08 -04:00
parent 4fcdd2ba07
commit d5a7fb23fe

View File

@ -1664,13 +1664,16 @@ export class GranularAccess implements GranularAccessForBundle {
return dummyAccessCheck; return dummyAccessCheck;
} }
const tableId = getTableId(a); const tableId = getTableId(a);
if (STRUCTURAL_TABLES.has(tableId)) { if (tableId.startsWith('_grist') && tableId !== '_grist_Attachments') {
// Special case: ensure owners always have full access to ACL tables, so they // Actions on any metadata table currently require the schemaEdit flag.
// Exception: the attachments table, which needs to be reworked to be compatible
// with granular access.
// Another exception: ensure owners always have full access to ACL tables, so they
// can change rules and don't get stuck. // can change rules and don't get stuck.
if (isAclTable(tableId) && await this.isOwner(docSession)) { if (isAclTable(tableId) && await this.isOwner(docSession)) {
return dummyAccessCheck; return dummyAccessCheck;
} }
// Otherwise, access to structural tables currently follows the schemaEdit flag.
return accessChecks[severity].schemaEdit; return accessChecks[severity].schemaEdit;
} else if (a[0] === 'UpdateRecord' || a[0] === 'BulkUpdateRecord') { } else if (a[0] === 'UpdateRecord' || a[0] === 'BulkUpdateRecord') {
return accessChecks[severity].update; return accessChecks[severity].update;