The previous edit omitted an important restruction in Access Rules. (#2)

The edit to remove the SchemaEdit bit and simplify it to use a checkbox omitted the important restriction of other permissions that are granted by default to non-owners. This brings back that step. Also adds a warning on top of the README in the hopes of attracting attention of anyone who might be affected. Fix tests by force-installing an older chrome version that works with mocha-webdriver.
gristlabs · Aug 23, 2023 · 3ffd2a1 · 3ffd2a1
1 parent 7b6533b
commit 3ffd2a1
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 5 deletions.
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -14,13 +14,19 @@ jobs:
           - 16
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
 
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v2
+        uses: actions/setup-node@v3
         with:
           node-version: ${{ matrix.node-version }}
 
+      - name: "Install a version of Chrome that's supported by mocha-chromedriver"
+        run: |
+          VERSION_STRING="111.0.5563.146-1"
+          wget "https://dl.google.com/linux/chrome/deb/pool/main/g/google-chrome-stable/google-chrome-stable_${VERSION_STRING}_amd64.deb"
+          sudo dpkg -i "google-chrome-stable_${VERSION_STRING}_amd64.deb"
+
       - run: npm install
 
       - run: npm test

diff --git a/README.md b/README.md
@@ -4,6 +4,11 @@
 
 > Scripts to turn form submissions on webpages into new records in Grist documents.
 
+## :warning: Warning
+If you followed the instructions between June and August 2023, they had an omission that gave visitors too much access. Be sure that [this step](#default-rules) is included.
+
+## Summary
+
 This repo contains tools to make it easy to submit forms as new records added to
 [Grist](https://www.getgrist.com) documents.
 
@@ -55,7 +60,11 @@ This part of the instructions is the same for all of the methods.
    2. In the "Special Rules" section, uncheck the box "Allow editors to edit structure".
       The red warning below the checkbox should disappear.
 
-   3. Click "Add Table Rules" and select your table to hold submissions. Keep the default empty
+   3. <a id="default-rules"></a>
+      In the "Default Rules" section, add a rule with condition `user.Access != OWNER`, and
+      permission "Deny All" (it should show as all 4 red boxes).
+
+   4. Click "Add Table Rules" and select your table to hold submissions. Keep the default empty
       condition (which means "Everyone"), and click the "Create" permission (`C`) twice to make it green
       (i.e. allowed).
 
@@ -65,7 +74,7 @@ This part of the instructions is the same for all of the methods.
 
       Remember to click "Save" to save the rules.
 
-   4. Now open the Share menu, and click "Manage Users".
+   5. Now open the Share menu, and click "Manage Users".
       Turn [Public access](https://support.getgrist.com/sharing/#public-access-and-link-sharing)
       to "On", and
       set Public Access role to `Editor`. Your screen should look like this:

diff --git a/docs/sample-access-rules.png b/docs/sample-access-rules.png
diff --git a/package.json b/package.json
@@ -30,7 +30,7 @@
   },
   "overrides": {
     "mocha-webdriver": {
-      "chromedriver": "^113"
+      "chromedriver": "^111"
     }
   }
 }