Open
Description
Describe the problem to be solved
Should be solved by #1614, but documenting it here so we can test :)
It is not currently possible to download an attachment from a custom widget if ACLs are applied on the table containing the attachment.
Steps to reproduce:
- create a table with an "attachment" column, and a custom widget with an attachment download link built with grist.docApi.getAccessToken()
- Add an "email" column to the table and add a row with the email of another account, and an attachment in the "attachment" column
- Add acl to the table: user.Email == rec.Email --> everything allowed
- Make the document public (or share the document as editor to your other account)
- In another browser, log in with this account and open the document
- Place your cursor on the row you're allowed to see, open the link displayed in the custom widget and see that you can't download the attachment: error 403 Forbidden "Cannot access attachment"
- Remove the acl from the document, and see that the download is ok
ex file: https://public.getgrist.com/hnxjBVBRKJ1Z/Attachments-in-builder
Describe the solution you would like
Being able to download attachments even if there are acl on the table.
Linked to #1512 (comment)
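The widget side of the reproduction steps above, as an added example (not code from the issue or from the Grist project): it builds the download link from `grist.docApi.getAccessToken()` and reports whether the request is served or refused with 403. The `Attachment` column id, the function names and the injectable `fetchImpl` are assumptions made for illustration.

```javascript
// Added example: names marked "hypothetical" are not from the issue.

// Build the download URL from the object getAccessToken() resolves to
// ({ token, baseUrl, ttlMsecs }).
function attachmentDownloadUrl(tokenInfo, attachmentId) {
  if (!Number.isInteger(attachmentId) || attachmentId <= 0) {
    throw new TypeError('attachment id must be a positive integer');
  }
  const base = tokenInfo.baseUrl.replace(/\/+$/, '');
  const url = new URL(`${base}/attachments/${attachmentId}/download`);
  url.searchParams.set('auth', tokenInfo.token);
  return url.toString();
}

// Request the attachment the way the widget link would, and report the result.
// docApi is grist.docApi in a widget; fetchImpl is injectable so the check
// can run offline against a stub.
async function probeAttachment(docApi, attachmentId, fetchImpl = fetch) {
  const tokenInfo = await docApi.getAccessToken({ readOnly: true });
  const res = await fetchImpl(attachmentDownloadUrl(tokenInfo, attachmentId));
  return {
    status: res.status,
    downloadable: res.ok,
    forbidden: res.status === 403,
    detail: res.ok ? '' : await res.text(),
  };
}

// Inside a Grist custom widget (grist-plugin-api.js loaded), probe the
// attachment of the selected row. "Attachment" is a hypothetical column id.
if (typeof grist !== 'undefined') {
  grist.ready({ requiredAccess: 'full' });
  grist.onRecord(async (record) => {
    const ids = (record.Attachment || []).filter(Number.isInteger);
    if (ids.length === 0) { return; }
    const result = await probeAttachment(grist.docApi, ids[0]);
    console.log('attachment', ids[0], result);
  });
}
```

Run as the restricted account on the permitted row, `forbidden: true` with the "Cannot access attachment" detail reproduces the report, and `downloadable: true` is the behaviour requested here.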