From b6ec4c0c766ce8e0fe3750380d26c0730b83aea3 Mon Sep 17 00:00:00 2001 From: Paul Fitzpatrick Date: Wed, 24 Jul 2024 10:32:32 -0400 Subject: [PATCH] add some comments --- app/server/lib/GranularAccess.ts | 3 ++- test/server/lib/GranularAccess.ts | 6 ++++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/app/server/lib/GranularAccess.ts b/app/server/lib/GranularAccess.ts index 89b3360e93..b90e8104ae 100644 --- a/app/server/lib/GranularAccess.ts +++ b/app/server/lib/GranularAccess.ts @@ -1406,7 +1406,8 @@ export class GranularAccess implements GranularAccessForBundle { // approximate with the user's access rights at beginning of // bundle. // We also check for +S in scenarios that are hard to break down - // in a more granular way. + // in a more granular way, for example ConvertFromColumn and + // CopyFromColumn. if (scanActionsRecursively(actions, (a) => this.needEarlySchemaPermission(a))) { await this._assertSchemaAccess(docSession); } diff --git a/test/server/lib/GranularAccess.ts b/test/server/lib/GranularAccess.ts index 8d15ade4c5..87225d2d31 100644 --- a/test/server/lib/GranularAccess.ts +++ b/test/server/lib/GranularAccess.ts @@ -465,6 +465,12 @@ describe('GranularAccess', function() { {id: 'B', type: 'Int'}, {id: 'C', type: 'Int'}]], ['AddRecord', '_grist_ACLResources', -1, {tableId: 'Table1', colIds: 'C'}], + // Add at least one access rule. Otherwise the test would succeed + // trivially, via shortcuts in place when the GranularAccess + // hasNuancedAccess test returns false. If there are no access + // rules present, editors can make any edit. Once a granular access + // rule is present, editors lose some rights that are simply too + // hard to compute or we haven't gotten around to. ['AddRecord', '_grist_ACLRules', null, { resource: -1, aclFormula: 'user.Access == OWNER', permissionsText: '-R', }],