gristlabs_grist-core/app/gen-server
Paul Fitzpatrick 35e18cc0ad (core) fix bug where sharing doc with everyone@ as viewer made it unlisted for site viewers
Summary:
Shares of the same role (e.g. viewer) at different levels could interact for a resource (e.g. a doc) shared with everyone@, potentially blocking the listing of that resource. This diff removes the interaction.

The permission of a user on a resource is calculated by finding all acl rules that link that resource to a group to which the user belongs, or to a group that has a subgroup to which the user belongs, etc, and then bitwise-or-ing the permissions on the acl rules. A later wrinkle was to allow public sharing via special users. A still later wrinkle was to avoid listing resources if they were only shared with the special everyone@ user, while allowing access to them if user has their full link. That wrinkle had a bug, where if e.g. a doc were shared with everyone@ as a viewer, and the org the doc was in was shared with someone@ as a viewer, and the doc inherited the org permissions via a workspace, then that doc would end up not being listed.

The fix is straightforward enough, but needs different code for postgres and sqlite, and is a bit verbose because we unwrap subgroups to a few levels rather than doing recursion (which looks cleaner but was slower in benchmarks).

Test Plan: added test that fails without this fix

Reviewers: georgegevoian

Reviewed By: georgegevoian

Differential Revision: https://phab.getgrist.com/D3095
2021-10-28 12:48:31 -04:00
..
entity (core) Initial webhooks implementation 2021-09-23 14:35:39 +02:00
lib (core) fix bug where sharing doc with everyone@ as viewer made it unlisted for site viewers 2021-10-28 12:48:31 -04:00
migration (core) Initial webhooks implementation 2021-09-23 14:35:39 +02:00
ApiServer.ts (core) Adding import from google drive to the home screen 2021-08-05 20:46:11 +02:00
sqlUtils.ts (core) fix bug where sharing doc with everyone@ as viewer made it unlisted for site viewers 2021-10-28 12:48:31 -04:00