Oupsy https://betagouv.github.io/grist-previsionnel/signer-pdf not https://betagouv.github.io/grist-previsionnel/sign-pdf

Also @guillett, I have just tried your reproduction scenario without success. I wondered if there exist steps that I should follow as the editor instead of the owner.

@fflorent here a quick/fast 😅 demo
Capture vidéo du 2025-04-07 17-21-11-s.webm

@guillett thanks. I wonder if that's not due to the "view as" feature, simply. I'll try to reproduce that on my side.

Also I see that you closed the issue, is it a missclick?

Oh yes a missclick sorrryy

@fflorent I confirm I have the issue when adding an editor (on another browser) and trying to sign and upload a file.

Ah, I have made a mistake in my access rules. I know reproduce your issue @guillett!

Also I could locate the code of your widget: https://github.com/betagouv/grist-previsionnel/blob/main/pages/signer-pdf.js

Interestingly, to reproduce the issue, the editor MUST be removed the READ access to all the tables by default, which is the most important part:

If they are granted this access, the error does not occur anymore, even when they are forbidden update, creation and deletion rights to records by default (overridden by the specific rules for Table1):

@paulfitz we took a step back with @fflorent while reviewing this PR and came across this piece of code

Reading the comment, it looks like the fact that providing an AccessToken does not identify the user is actually on purpose, we assume for security reasons ? Could you explain what motivates this ? Would it be an issue if a custom widget with an auth token could fully impersonate a user in a document through the REST API (@guillett has shown in a comment above that access is limited to the document) ?

Trying to assert whether this limitation is by design or not, before looking at the best way to implement this 🙂

fwiw, @fflorent point out that the view-as helper defined here

Also, thinking out loud here, and probably not really a solution : wondering how soon-to-be-implemented ServiceAccounts could pave the way for a clever long term solution here 🤔 (I'm thinking, define a service account dedicated to a widget's access to the document ?) this doesn't feel right, or safe

@guillett we think there's another workaround to your issue.

Looking at your code (https://github.com/betagouv/grist-previsionnel/blob/80d573bbea25c8c27c6a672485da5bc81ea56d4a/pages/signer-pdf.js#L78-L98), you perform the attachment upload by the widget in 2 steps:

• step 1, upload the attachment using the Grist REST API and an AccessToken from the user (L78-86). This, as shown above in the PR, is technically performed by an anonymous user.
• step 2, add the newly uploaded attachment ids to the Table using a method of the grist-plugin-api (window.grist.getTable().update) (L90-98). This performs the action as if done by the connected user.

The fundamental issue is that, under "complicated access rules" context, Grist calls the isAttachmentUploadedByUser method in step 2 and concludes that no, the attachment you're trying to add to the table in step 2 was not uploaded by you in step 1.

We think there are two ways to solve this :

• make sure that calls to the RestAPI performed by the widget using an AccessToken are authenticated (what you propose in this PR)
• or you could modify your custom widget so that step 2 (adding attachments to the table) is done through the RestAPI (https://support.getgrist.com/api/#tag/records/operation/addRecords) as well instead of the grist-plugin-api, so that Grist considers that both steps were performed by the same (anonymous) user. This looks like this would be a quick fix that fits your need while we take the time to work on this PR (which I think would be the more satisfying solution). WDYT ?

Reading the comment, it looks like the fact that providing an AccessToken does not identify the user is actually on purpose, we assume for security reasons ? Could you explain what motivates this ?

It could be reasonable for the AccessToken to identify the user. A naive implementation in that area of the code, though, would result in making the request have the full power and credentials of the user. That could have unintended consequences, for example, allowing other unrelated documents that the user has access to to be enumerated and read and modified for example. But the token is supposed to be narrower than that.

Many ways to make this happen, some of them easy! The AccessToken work was a minimal piece of work needed to implement viewing attachments in a custom widget that happened to be somewhat more general purpose. But there wasn't time in the project to elaborate on it before moving on. I'd have loved to have built it out more. Sorry it is rough and ready!

@paulfitz what's you take on this PR ? As far as we're concerned we're OK with the current implementation. Should we spend more time on this ?

@guillett did you get a chance to try the workaround we suggested ?

I tried but it failed, I got a cannot access attachment error. betagouv/grist-previsionnel@fd42e71

I ended up adding a backend proxy with some level of check 😬
betagouv/grist-budget-agriculture@c9038ef

betagouv/grist-budget-agriculture@e37589f

It is an ok temporary solution

(and many many thanks for your time on this)

@paulfitz what's you take on this PR ? As far as we're concerned we're OK with the current implementation. Should we spend more time on this ?

@guillett @vviers I'd like to see this checked with non-doc endpoints such as /api/profile/apiKey. Doc endpoints are aware of these access tokens, and check for a doc match in the token. Non-doc endpoints are simply unaware of access tokens. So if you go ahead and authenticate as the user based on this access token, I think there is no further protection.

Many thanks @paulfitz for your insights. You are right with the current implementation it drop existing protection. I will dig a little to suggest another implementation.

This is superseeded by #1594 and #1614.