(core) deal with write access for attachments

Summary: Attachments are a special case for granular access control. A user is now allowed to read a given attachment if they have read access to a cell containing its id. So when a user writes to a cell in an attachment column, it is important that they can only write the ids of cells to which they have access. This diff allows a user to add an attachment id in a cell if: * The user already has access to that a attachment via some existing cell, or * The user recently updated the attachment, or * The attachment change is from an undo/redo of a previous action attributed to that user Test Plan: Updated tests Reviewers: georgegevoian, dsagal Reviewed By: georgegevoian, dsagal Differential Revision: https://phab.getgrist.com/D3681
2026-03-02 04:09:24 +00:00 · 2022-11-15 09:37:48 -05:00
parent 955fdf4ae7
commit ea71312d0e
11 changed files with 344 additions and 86 deletions
--- a/app/client/widgets/AttachmentsEditor.ts
+++ b/app/client/widgets/AttachmentsEditor.ts
@@ -203,6 +203,7 @@ export class AttachmentsEditor extends NewBaseEditor {
      ...this._docComm.getUrlParams(),
      name: filename,
      ...cell,
+      maybeNew: 1,  // The attachment may be uploaded by the user but not stored in the cell yet.
      attId,
      ...(inline ? {inline: 1} : {})
    });