Merge pull request #15163 from Budibase/cheeks-fixes

Prevent syncing row changes between users for views filtered by current user
2024-12-13 11:47:38 +00:00 · 2024-12-13 11:47:38 +00:00 · 640008dd97
parent 8144f04e05 df8e7bf903
commit 640008dd97
3 changed files with 42 additions and 7 deletions
--- a/packages/bbui/src/Layout/Page.svelte
+++ b/packages/bbui/src/Layout/Page.svelte
@ -43,12 +43,11 @@
    flex-direction: row;
    justify-content: flex-start;
    align-items: stretch;
-    overflow-y: scroll !important;
    flex: 1 1 auto;
    overflow-x: hidden;
  }
  .main {
-    overflow: auto;
+    overflow-y: scroll;
  }
  .content {
    display: flex;
--- a/packages/builder/src/global.css
+++ b/packages/builder/src/global.css
@ -61,7 +61,7 @@ a {
  height: 8px;
 }
 ::-webkit-scrollbar-track {
-  background: var(--spectrum-alias-background-color-default);
+  background: transparent;
 }
 ::-webkit-scrollbar-thumb {
  background-color: var(--spectrum-global-color-gray-400);
@ -71,6 +71,5 @@ a {
  background: var(--spectrum-alias-background-color-default);
 }
 html * {
-  scrollbar-color: var(--spectrum-global-color-gray-400)
-    var(--spectrum-alias-background-color-default);
+  scrollbar-color: var(--spectrum-global-color-gray-400) transparent;
 }
--- a/packages/server/src/websockets/grid.ts
+++ b/packages/server/src/websockets/grid.ts
@ -1,7 +1,7 @@
 import authorized from "../middleware/authorized"
 import currentApp from "../middleware/currentapp"
 import { BaseSocket } from "./websocket"
-import { auth, permissions } from "@budibase/backend-core"
+import { auth, permissions, context } from "@budibase/backend-core"
 import http from "http"
 import Koa from "koa"
 import { getSourceId } from "../api/controllers/row/utils"
@ -10,6 +10,12 @@ import { Socket } from "socket.io"
 import { GridSocketEvent } from "@budibase/shared-core"
 import { userAgent } from "koa-useragent"
 import { createContext, runMiddlewares } from "./middleware"
+import sdk from "../sdk"
+import {
+  findHBSBlocks,
+  isJSBinding,
+  decodeJSBinding,
+} from "@budibase/string-templates"

 const { PermissionType, PermissionLevel } = permissions

@ -18,15 +24,46 @@ export default class GridSocket extends BaseSocket {
    super(app, server, "/socket/grid")
  }

+  // Checks if a view's query contains any current user bindings
+  containsCurrentUserBinding(view: ViewV2): boolean {
+    return findHBSBlocks(JSON.stringify(view.query))
+      .map(binding => {
+        const sanitizedBinding = binding.replace(/\\"/g, '"')
+        if (isJSBinding(sanitizedBinding)) {
+          return decodeJSBinding(sanitizedBinding)
+        } else {
+          return sanitizedBinding
+        }
+      })
+      .some(binding => binding?.includes("[user]"))
+  }
+
  async onConnect(socket: Socket) {
    // Initial identification of connected spreadsheet
    socket.on(GridSocketEvent.SelectDatasource, async (payload, callback) => {
      const ds = payload.datasource
      const appId = payload.appId
      const resourceId = ds?.type === "table" ? ds?.tableId : ds?.id
+      let valid = true

-      // Ignore if no table or app specified
+      // Validate datasource
      if (!resourceId || !appId) {
+        // Ignore if no table or app specified
+        valid = false
+      } else if (ds.type === "viewV2") {
+        // If this is a view filtered by current user, don't sync changes
+        try {
+          await context.doInAppContext(appId, async () => {
+            const view = await sdk.views.get(ds.id)
+            if (this.containsCurrentUserBinding(view)) {
+              valid = false
+            }
+          })
+        } catch (err) {
+          valid = false
+        }
+      }
+      if (!valid) {
        socket.disconnect(true)
        return
      }