GRIST_SUPPORT_ANON and forms #950

Open
mmaura opened this issue Apr 26, 2024 · 5 comments
Labels
anct forms feedback for the forms feature

Comments

@mmaura

mmaura commented Apr 26, 2024

Hello,

In self-hosted Grist with authentik SAML, using GRIST_FORCE_LOGIN=1 makes an infinite loop with authentik and the form URL. And using GRIST_FORCE_LOGIN=0 and GRIST_SUPPORT_ANON=0 makes it possible for forms to be posted by a guest.

This faults the row access control mechanism using user.Email.

I think this is an undesirable operation?

Thank you.

@inducer

inducer commented Apr 30, 2024

This also seems to affect OIDC, in my case using a Microsoft tenant as an IdP. Here's the relevant section of my docker-compose.yml:

  grist:
    image: docker.io/gristlabs/grist
    environment:
      GRIST_DEFAULT_EMAIL: "andreask@illinois.edu"
      GRIST_SESSION_SECRET: "***REDACTED***"
      APP_HOME_URL: "https://scicomp-grist.cs.illinois.edu"
      GRIST_SANDBOX_FLAVOR: "gvisor"
      GRIST_FORCE_LOGIN: "true"
      GRIST_ORG_IN_PATH: "true"
      PYTHON_VERSION: 3
      REDIS_URL: "redis://redis"
      GRIST_DOMAIN: "scicomp-grist.cs.illinois.edu"
      GRIST_OIDC_SP_HOST: "https://scicomp-grist.cs.illinois.edu"
      GRIST_OIDC_IDP_ISSUER: "https://login.microsoftonline.com/44467e6f-462c-4ea2-823f-7800de5434e3/v2.0/.well-known/openid-configuration"
      GRIST_OIDC_IDP_SCOPES: "openid profile email"
      GRIST_OIDC_IDP_CLIENT_ID: "***REDACTED***"
      GRIST_OIDC_IDP_CLIENT_SECRET: "***REDACTED***"
      GRIST_OIDC_IDP_SKIP_END_SESSION_ENDPOINT: "true"
      GRIST_OIDC_SP_IGNORE_EMAIL_VERIFIED: "true"
      GRIST_DOCS_MINIO_ACCESS_KEY: grist
      GRIST_DOCS_MINIO_SECRET_KEY: "***REDACTED***"
      GRIST_DOCS_MINIO_USE_SSL: 0
      GRIST_DOCS_MINIO_BUCKET: grist-docs
      GRIST_DOCS_MINIO_ENDPOINT: minio
      GRIST_DOCS_MINIO_PORT: 9000
    ports:
      - "8484:8484"
    volumes:
      - "/opt/grist/data:/persist"

@fflorent
Collaborator

Hello @mmaura, @inducer,

I am curious about the reason you want to set GRIST_FORCE_LOGIN=1. You may be interested in setting GRIST_ANON_PLAYGROUND=false instead, which may fix the issues you encounter.

Maybe the role of GRIST_FORCE_LOGIN is confusing, we may have to work on clarifying things, or adapt its behavior…

> And using GRIST_FORCE_LOGIN=0 and GRIST_SUPPORT_ANON=0 makes it possible for forms to be posted by a guest.

Could you share the error message you have? I wonder whether this is a regression we encountered in version 1.1.13 and whose fix is already included in #915.

@mmaura
Author

mmaura commented May 2, 2024

Good morning,

It's actually a little difficult to understand how environment variables work.
But grist is a well thought out and very practical tool. I think it's worth spending the time to get a custom instance.
Thank you for the gift of making it available.


I would like to obtain a document where my entire establishment can respond to the survey without me having to declare them all on the document. Here is how I configured the document:
Public access: to share by link to everyone in my establishment.
Editor for the public to allow them to post.

In my idea, anonymous people should be redirected to Authentication. Logged in users should be able to post the form. So I would never get: user.Email = anon@getgrist.com

I made a test plan for the three environment variables:

Between each test I restart the gristlabs/grist docker.

| GRIST_SUPPORT_ANON | GRIST_ANON_PLAYGROUND | GRIST_FORCE_LOGIN | Anonymous user | Logged user |
|---|---|---|---|---|
| 0 | 0 | 0 | user.Email = anon@getgrist.com | user.Email = user address mail |
| 0 | 0 | 1 | Redirect to Auth | Infinite loop with auth |
| 0 | 1 | 0 | user.Email = anon@getgrist.com | user.Email = user address mail |
| 0 | 1 | 1 | Redirect to Auth | Infinite loop with auth |
| 1 | 0 | 0 | user.Email = anon@getgrist.com | user.Email = user address mail |
| 1 | 0 | 1 | Redirect to Auth | Infinite loop with auth |
| 1 | 1 | 0 | user.Email = anon@getgrist.com | user.Email = user address mail |
| 1 | 1 | 1 | Redirect to Auth | Infinite loop with auth |

@vviers vviers added the anct label May 28, 2024
@vviers
Sponsor Collaborator

vviers commented May 28, 2024

(@mmaura works for a French firefighting administration and is self-hosting)

> It's actually a little difficult to understand how environment variables work.

@jordigh this is linked to #733 I think — he mentioned to us that making the docker image take into account env vars was a bit of a struggle

@mmaura
Author

mmaura commented Jul 5, 2024

I have made a new instance. The only major change is with teams support this time.
Using:
GRIST_ANON_PLAYGROUND=false
GRIST_FORCE_LOGIN=true

works fine this time.

Anon => login saml => formulary.

Thank you.

@fflorent fflorent added the forms feedback for the forms feature label Sep 27, 2024