gristlabs_grist-core/app
Paul Fitzpatrick 35e18cc0ad (core) fix bug where sharing doc with everyone@ as viewer made it unlisted for site viewers
Summary:
Shares of the same role (e.g. viewer) at different levels could interact for a resource (e.g. a doc) shared with everyone@, potentially blocking the listing of that resource. This diff removes the interaction.

The permission of a user on a resource is calculated by finding all acl rules that link that resource to a group to which the user belongs, or to a group that has a subgroup to which the user belongs, etc, and then bitwise-or-ing the permissions on the acl rules. A later wrinkle was to allow public sharing via special users. A still later wrinkle was to avoid listing resources if they were only shared with the special everyone@ user, while allowing access to them if user has their full link. That wrinkle had a bug, where if e.g. a doc were shared with everyone@ as a viewer, and the org the doc was in was shared with someone@ as a viewer, and the doc inherited the org permissions via a workspace, then that doc would end up not being listed.

The fix is straightforward enough, but needs different code for postgres and sqlite, and is a bit verbose because we unwrap subgroups to a few levels rather than doing recursion (which looks cleaner but was slower in benchmarks).

Test Plan: added test that fails without this fix

Reviewers: georgegevoian

Reviewed By: georgegevoian

Differential Revision: https://phab.getgrist.com/D3095
2021-10-28 12:48:31 -04:00
..
client (core) Convert CopySelection and tableUtil to typescript 2021-10-25 18:55:26 -04:00
common (core) ValueParser for Date columns 2021-10-26 13:03:19 +02:00
gen-server (core) fix bug where sharing doc with everyone@ as viewer made it unlisted for site viewers 2021-10-28 12:48:31 -04:00
plugin (core) Adding schema validation for records endpoint 2021-10-18 21:40:50 +02:00
server (core) Add LogMethods helper and use it for more JSON data in logs. Reduce unhelpful logging. 2021-10-25 10:25:18 -04:00
tsconfig.json (core) move home server into core 2020-07-21 20:39:10 -04:00