add some comments

gristlabs · Jul 24, 2024 · b6ec4c0 · b6ec4c0
1 parent 6e00834
commit b6ec4c0
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 1 deletion.
diff --git a/app/server/lib/GranularAccess.ts b/app/server/lib/GranularAccess.ts
@@ -1406,7 +1406,8 @@ export class GranularAccess implements GranularAccessForBundle {
     // approximate with the user's access rights at beginning of
     // bundle.
     // We also check for +S in scenarios that are hard to break down
-    // in a more granular way.
+    // in a more granular way, for example ConvertFromColumn and
+    // CopyFromColumn.
     if (scanActionsRecursively(actions, (a) => this.needEarlySchemaPermission(a))) {
       await this._assertSchemaAccess(docSession);
     }

diff --git a/test/server/lib/GranularAccess.ts b/test/server/lib/GranularAccess.ts
@@ -465,6 +465,12 @@ describe('GranularAccess', function() {
                               {id: 'B', type: 'Int'},
                               {id: 'C', type: 'Int'}]],
       ['AddRecord', '_grist_ACLResources', -1, {tableId: 'Table1', colIds: 'C'}],
+      // Add at least one access rule. Otherwise the test would succeed
+      // trivially, via shortcuts in place when the GranularAccess
+      // hasNuancedAccess test returns false. If there are no access
+      // rules present, editors can make any edit. Once a granular access
+      // rule is present, editors lose some rights that are simply too
+      // hard to compute or we haven't gotten around to.
       ['AddRecord', '_grist_ACLRules', null, {
         resource: -1, aclFormula: 'user.Access == OWNER', permissionsText: '-R',
       }],