
GRIST_SUPPORT_ANON and forms

Open mmaura opened this issue 1 year ago • 5 comments

Hello,

In self-hosted Grist with Authentik SAML, using GRIST_FORCE_LOGIN=1 makes an infinite loop between Authentik and the form URL. And using GRIST_FORCE_LOGIN=0 and GRIST_SUPPORT_ANON=0 means forms can be posted by guests.

This breaks the row access control mechanism based on user.Email.

I think this is undesirable behaviour?

Thank you.

mmaura (Apr 26 '24 13:04)

This also seems to affect OIDC, in my case using a Microsoft tenant as an IdP. Here's the relevant section of my docker-compose.yml:

  grist:
    image: docker.io/gristlabs/grist
    environment:
      GRIST_DEFAULT_EMAIL: "[email protected]"
      GRIST_SESSION_SECRET: "***REDACTED***"
      APP_HOME_URL: "https://scicomp-grist.cs.illinois.edu"
      GRIST_SANDBOX_FLAVOR: "gvisor"
      GRIST_FORCE_LOGIN: "true"
      GRIST_ORG_IN_PATH: "true"
      PYTHON_VERSION: 3
      REDIS_URL: "redis://redis"
      GRIST_DOMAIN: "scicomp-grist.cs.illinois.edu"
      GRIST_OIDC_SP_HOST: "https://scicomp-grist.cs.illinois.edu"
      GRIST_OIDC_IDP_ISSUER: "https://login.microsoftonline.com/44467e6f-462c-4ea2-823f-7800de5434e3/v2.0/.well-known/openid-configuration"
      GRIST_OIDC_IDP_SCOPES: "openid profile email"
      GRIST_OIDC_IDP_CLIENT_ID: "***REDACTED***"
      GRIST_OIDC_IDP_CLIENT_SECRET: "***REDACTED***"
      GRIST_OIDC_IDP_SKIP_END_SESSION_ENDPOINT: "true"
      GRIST_OIDC_SP_IGNORE_EMAIL_VERIFIED: "true"
      GRIST_DOCS_MINIO_ACCESS_KEY: grist
      GRIST_DOCS_MINIO_SECRET_KEY: ***REDACTED***
      GRIST_DOCS_MINIO_USE_SSL: 0
      GRIST_DOCS_MINIO_BUCKET: grist-docs
      GRIST_DOCS_MINIO_ENDPOINT: minio
      GRIST_DOCS_MINIO_PORT: 9000
    ports:
      - "8484:8484"
    volumes:
      - "/opt/grist/data:/persist"

inducer (Apr 30 '24 13:04)

Hello @mmaura, @inducer,

I am curious about the reason you want to set GRIST_FORCE_LOGIN=1. You may be interested in setting GRIST_ANON_PLAYGROUND=false instead, which may fix the issues you encounter.

Maybe the role of GRIST_FORCE_LOGIN is confusing, we may have to work on clarifying things, or adapt its behavior…

> And using GRIST_FORCE_LOGIN=0 and GRIST_SUPPORT_ANON=0 means forms can be posted by guests.

Could you share the error message you get? I wonder whether this is a regression we encountered in version 1.1.13 and whose fix is already included in #915.

fflorent (Apr 30 '24 13:04)

Good morning,

It's actually a little difficult to understand how the environment variables work. But Grist is a well thought out and very practical tool. I think it's worth spending the time to get a custom instance. Thank you for the gift of making it available.

I would like to obtain a document where my entire establishment can respond to the survey without me having to declare them all on the document. Here is how I configured the document: Public access: share by link to everyone in my establishment. Editor for the public, to allow them to post.

In my idea, anonymous people should be redirected to authentication. Logged-in users should be able to post the form. So I would never get: user.Email = [email protected]

I made a test plan for the three environment variables:

Between each test I restart the gristlabs/grist docker.

| GRIST_SUPPORT_ANON | GRIST_ANON_PLAYGROUND | GRIST_FORCE_LOGIN | Anonymous user | Logged user |
|---|---|---|---|---|
| 0 | 0 | 0 | user.Email = [email protected] | user.Email = user's mail address |
| 0 | 0 | 1 | Redirect to auth | Infinite loop with auth |
| 0 | 1 | 0 | user.Email = [email protected] | user.Email = user's mail address |
| 0 | 1 | 1 | Redirect to auth | Infinite loop with auth |
| 1 | 0 | 0 | user.Email = [email protected] | user.Email = user's mail address |
| 1 | 0 | 1 | Redirect to auth | Infinite loop with auth |
| 1 | 1 | 0 | user.Email = [email protected] | user.Email = user's mail address |
| 1 | 1 | 1 | Redirect to auth | Infinite loop with auth |

mmaura (May 02 '24 10:05)

(@mmaura works for a French firefighting administration and is self-hosting)

> It's actually a little difficult to understand how the environment variables work.

@jordigh this is linked to #733 I think — he mentioned to us that making the docker image take into account env vars was a bit of a struggle

vviers (May 28 '24 13:05)

I have made a new instance. The only major change is team support this time, using: GRIST_ANON_PLAYGROUND=false GRIST_FORCE_LOGIN=true

It works fine this time.

Anon => SAML login => form.

Thank you.

mmaura (Jul 05 '24 09:07)
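The outcomes reported in this thread (anonymous visitors posting forms as [email protected] whenever GRIST_FORCE_LOGIN is off, and a login loop when GRIST_FORCE_LOGIN is turned on without GRIST_ANON_PLAYGROUND=false) can be turned into a small pre-deployment check over a docker-compose file. The script below is an added example, not part of grist-core; it encodes only the behaviour the reporters describe, treats an unset GRIST_ANON_PLAYGROUND as the default of "true" (an assumption), and uses constructed compose snippets with placeholder secrets rather than any real configuration.

```python
"""Audit Grist login / anonymous-access settings in a docker-compose file.

Added example, not part of the grist-core project. The two findings it raises are
taken from the thread: with GRIST_FORCE_LOGIN off, anonymous visitors post forms as
[email protected] (defeating user.Email-based access rules); with GRIST_FORCE_LOGIN on and
GRIST_ANON_PLAYGROUND not explicitly "false", a login loop was reported. The combination
GRIST_ANON_PLAYGROUND=false + GRIST_FORCE_LOGIN=true is the one the last report says
worked on a new team-site instance (the earlier matrix still looped on the old one, so
treat a clean result as a heuristic, not a guarantee).
"""
import re

TRUE_VALUES = {"1", "true", "yes", "on"}
FALSE_VALUES = {"0", "false", "no", "off"}

FINDINGS = {
    "anonymous-form-posts": "GRIST_FORCE_LOGIN is off: anonymous visitors can submit forms as "
                            "[email protected], bypassing access rules that key on user.Email.",
    "login-loop": "GRIST_FORCE_LOGIN is on but GRIST_ANON_PLAYGROUND is not \"false\": the "
                  "thread reports a redirect loop between the IdP and the form URL in this state; "
                  "set GRIST_ANON_PLAYGROUND=false (suggested in the thread).",
}


def parse_environment(compose_text: str) -> dict:
    """Extract KEY: value pairs from the first `environment:` mapping.

    Deliberately minimal: handles the `KEY: value` / `KEY: "value"` form used in the
    thread, not YAML anchors, multi-line scalars or the list (`- KEY=value`) form.
    """
    env = {}
    in_env = False
    env_indent = 0
    for line in compose_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if stripped == "environment:":
            in_env, env_indent = True, indent
            continue
        if in_env:
            if indent <= env_indent:
                break  # dedented: we have left the environment block
            m = re.match(r"([A-Za-z0-9_]+):\s*(.*)$", stripped)
            if m:
                env[m.group(1)] = m.group(2).strip().strip("\"'")
    return env


def as_bool(value, default: bool) -> bool:
    """Normalise the 0/1/true/false spellings seen in the thread; unknown -> default."""
    if value is None:
        return default
    v = value.strip().lower()
    if v in TRUE_VALUES:
        return True
    if v in FALSE_VALUES:
        return False
    return default


def audit_env(env: dict) -> list:
    """Return the finding codes that apply to this environment mapping."""
    force_login = as_bool(env.get("GRIST_FORCE_LOGIN"), default=False)
    # Assumption: Grist treats an unset GRIST_ANON_PLAYGROUND as true.
    anon_playground = as_bool(env.get("GRIST_ANON_PLAYGROUND"), default=True)
    findings = []
    if not force_login:
        findings.append("anonymous-form-posts")
    elif anon_playground:
        findings.append("login-loop")
    return findings


def audit_compose(compose_text: str) -> list:
    return audit_env(parse_environment(compose_text))


# Constructed samples (placeholder secrets, not real deployments).
SAMPLE_FORCE_LOGIN_ONLY = """\
services:
  grist:
    image: docker.io/gristlabs/grist
    environment:
      GRIST_FORCE_LOGIN: "true"
      GRIST_SESSION_SECRET: "PLACEHOLDER-SECRET"
      GRIST_DOCS_MINIO_USE_SSL: 0
    ports:
      - "8484:8484"
"""

SAMPLE_NO_FORCE_LOGIN = SAMPLE_FORCE_LOGIN_ONLY.replace('GRIST_FORCE_LOGIN: "true"',
                                                        'GRIST_FORCE_LOGIN: "0"')

SAMPLE_FIXED = SAMPLE_FORCE_LOGIN_ONLY.replace(
    'GRIST_FORCE_LOGIN: "true"',
    'GRIST_FORCE_LOGIN: "true"\n      GRIST_ANON_PLAYGROUND: "false"')

if __name__ == "__main__":
    for name, text in [("force-login-only", SAMPLE_FORCE_LOGIN_ONLY),
                       ("no-force-login", SAMPLE_NO_FORCE_LOGIN),
                       ("fixed", SAMPLE_FIXED)]:
        codes = audit_compose(text)
        print(name, "->", codes or "no findings")
        for code in codes:
            print("   ", FINDINGS[code])
```

Run it against a real compose file by passing its contents to `audit_compose`; a "login-loop" or "anonymous-form-posts" result means the instance is in one of the states the reporters hit.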