Required rights and script APIs for saving documents

Hi everyone,

as I’m working on the implementation of required rights, I noticed that we need to be particularly careful when a script manipulates another document.

There are actually two scenarios:

  1. Content/XObjects of a document are changed and then directly executed.
  2. Content/XObjects of a document are changed and then saved.

The current concept of required rights is that required rights are similar to regular rights in the sense that they are stored as XObjects and that they are only applied when they have been saved.

Normally, in the two scenarios I listed, everything is fine because the author of the changed document is set to the context author of the secure document (unless the author of that document has programming right, in which case anything is possible, but let’s disregard this case for now). Now with required rights we could be in the situation that while the context author has programming right, the rights of the secure document are restricted due to required rights being enforced. In this case, we need to ensure that in none of the two listed scenarios these restrictions can be avoided by just putting the code to execute in another document.

In a discussion with @tmortagne, we first discussed taking required rights of the changed document into account to ensure that these rights cannot be modified in arbitrary ways. However, this turned out to be very complicated and bug-prone. In the chat, we then discussed another variant that I would like to propose here:

  1. When changing a property of a script API document, the modified document is marked as restricted to avoid executing any scripts being executed if (and only if) the secure document has required rights enforced and programming right isn’t allowed and one of the following is true:
    1. the changed document doesn’t have required rights enforced (in the version saved in the database)
    2. the changed document has required rights enforced, but it has (in the version saved in the database) more rights than the secure document
  2. When saving a document via the script API, if the secure document has required rights enforced and programming right isn’t allowed,
    1. Enforce required rights if they haven’t already been enforced in the changed document.
    2. Deny saving if the changed document has any required right that the secure document doesn’t have (this takes implied rights into account, so if the secure document has wiki admin right, script right on the changed document would be okay).

For proposal 1.2 there is actually a variant b: deny all edit operations when the context author doesn’t have edit right that @tmortagne preferred in the chat. Currently, a script can change any property of any editable document even if the context author doesn’t have edit right on that document - only when the script tries to save the document, rights are checked. We could change this either in general or only for the case of required rights. Any opinions on this?

None of this breaks any existing script as existing documents won’t have required rights enforced for now. These changes only affect scripts in documents with required rights enforced. Migrating all existing documents to enforce required rights as a separate process that needs to be started after the required rights feature has been finished.

Thank you very much in advance for your opinions on this proposal!