gristlabs / grist-core

Grist is the evolution of spreadsheets.
https://www.getgrist.com/
Apache License 2.0

GRIST_SUPPORT_ANON and forms #950

Open mmaura opened 6 months ago

mmaura commented 6 months ago

Hello,

In self-hosted Grist with authentik SAML, using GRIST_FORCE_LOGIN=1 makes an infinite loop between authentik and the form URL. And using GRIST_FORCE_LOGIN=0 and GRIST_SUPPORT_ANON=0 makes forms postable by guests.

This breaks the row access control mechanism based on user.Email.

I think this is undesirable behaviour?

Thank you.

inducer commented 6 months ago

This also seems to affect OIDC, in my case using a Microsoft tenant as an IdP. Here's the relevant section of my docker-compose.yml:

```yaml
  grist:
    image: docker.io/gristlabs/grist
    environment:
      GRIST_DEFAULT_EMAIL: "andreask@illinois.edu"
      GRIST_SESSION_SECRET: "***REDACTED***"
      APP_HOME_URL: "https://scicomp-grist.cs.illinois.edu"
      GRIST_SANDBOX_FLAVOR: "gvisor"
      # Login-related setting discussed in this issue
      GRIST_FORCE_LOGIN: "true"
      GRIST_ORG_IN_PATH: "true"
      PYTHON_VERSION: 3
      REDIS_URL: "redis://redis"
      GRIST_DOMAIN: "scicomp-grist.cs.illinois.edu"
      # OIDC provider settings (Microsoft tenant as IdP)
      GRIST_OIDC_SP_HOST: "https://scicomp-grist.cs.illinois.edu"
      GRIST_OIDC_IDP_ISSUER: "https://login.microsoftonline.com/44467e6f-462c-4ea2-823f-7800de5434e3/v2.0/.well-known/openid-configuration"
      GRIST_OIDC_IDP_SCOPES: "openid profile email"
      GRIST_OIDC_IDP_CLIENT_ID: "***REDACTED***"
      GRIST_OIDC_IDP_CLIENT_SECRET: "***REDACTED***"
      GRIST_OIDC_IDP_SKIP_END_SESSION_ENDPOINT: "true"
      GRIST_OIDC_SP_IGNORE_EMAIL_VERIFIED: "true"
      # Document storage on MinIO
      GRIST_DOCS_MINIO_ACCESS_KEY: grist
      GRIST_DOCS_MINIO_SECRET_KEY: ***REDACTED***
      GRIST_DOCS_MINIO_USE_SSL: 0
      GRIST_DOCS_MINIO_BUCKET: grist-docs
      GRIST_DOCS_MINIO_ENDPOINT: minio
      GRIST_DOCS_MINIO_PORT: 9000
    ports:
      - "8484:8484"
    volumes:
      - "/opt/grist/data:/persist"
```

fflorent commented 6 months ago

Hello @mmaura, @inducer,

I am curious about the reason you want to set GRIST_FORCE_LOGIN=1. You may be interested in setting GRIST_ANON_PLAYGROUND=false instead, which may fix the issues you encounter.

Maybe the role of GRIST_FORCE_LOGIN is confusing; we may have to work on clarifying things, or adapt its behavior…

> And using GRIST_FORCE_LOGIN=0 and GRIST_SUPPORT_ANON=0 makes forms postable by guests.

Could you share the error message you have? I wonder whether this is a regression we encountered in version 1.1.13 and whose fix is already included in #915.

mmaura commented 6 months ago

Good morning,

It's actually a little difficult to understand how the environment variables work. But Grist is a well thought out and very practical tool. I think it's worth spending the time to get a custom instance. Thank you for the gift of making it available.

I would like to obtain a document where my entire establishment can respond to the survey without me having to declare them all on the document. Here is how I configured the document: Public access: shared by link to everyone in my establishment. Editor for the public to allow them to post.

In my mind, anonymous users should be redirected to authentication. Logged-in users should be able to post the form. So I would never get: user.Email = anon@getgrist.com

I made a test plan for the three environment variables:

Between each test I restart the gristlabs/grist docker.

| GRIST_SUPPORT_ANON | GRIST_ANON_PLAYGROUND | GRIST_FORCE_LOGIN | Anonymous user | Logged-in user |
|---|---|---|---|---|
| 0 | 0 | 0 | user.Email = anon@getgrist.com | user.Email = user's email address |
| 0 | 0 | 1 | Redirect to auth | Infinite loop with auth |
| 0 | 1 | 0 | user.Email = anon@getgrist.com | user.Email = user's email address |
| 0 | 1 | 1 | Redirect to auth | Infinite loop with auth |
| 1 | 0 | 0 | user.Email = anon@getgrist.com | user.Email = user's email address |
| 1 | 0 | 1 | Redirect to auth | Infinite loop with auth |
| 1 | 1 | 0 | user.Email = anon@getgrist.com | user.Email = user's email address |
| 1 | 1 | 1 | Redirect to auth | Infinite loop with auth |

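The table above shows the security-relevant consequence: whenever the instance lets an anonymous session reach the form, the submission is attributed to `user.Email = anon@getgrist.com`, so any row rule keyed on `user.Email` cannot tell submitters apart. Independently of which environment variables end up fixing the login flow, the document's own access rules can refuse that identity. The following is an added example, not code from Grist or from anyone in this thread: a toy evaluator that mimics how Grist-style access rules (a table, a Python-like condition over `user` and `rec`, and a permission string such as `-CRUD`) decide an action, applied to a constructed survey with two submitters. The rule semantics (first matching rule that sets the bit decides, role fallback otherwise), the `Survey` table, the `alice@example.org` user and the row contents are assumptions for illustration; only the `anon@getgrist.com` value comes from the thread.

```python
"""Toy model of Grist-style row access rules applied to form submissions.

Added example; this is NOT Grist's rule engine. It mirrors the shape of
Grist access rules (table, Python-like condition over `user` and `rec`,
permission bits C/R/U/D) closely enough to show why an explicit deny for
the anonymous identity is worth having.
"""
from dataclasses import dataclass
from types import SimpleNamespace

# Value reported as user.Email for anonymous sessions (observed in the thread).
ANON_EMAIL = "anon@getgrist.com"


@dataclass(frozen=True)
class User:
    Email: str
    Access: str  # document role: "owners", "editors" or "viewers"


@dataclass(frozen=True)
class Rule:
    table: str        # "*" applies to every table
    condition: str    # Python expression over `user` and `rec`
    permissions: str  # e.g. "-C" deny create, "+R" allow read, "-CRUD" deny all


def _bits(permissions: str) -> dict:
    """Parse "+R-CUD" into {"R": True, "C": False, "U": False, "D": False}."""
    out, allow = {}, True
    for ch in permissions:
        if ch in "+-":
            allow = ch == "+"
        elif ch in "CRUD":
            out[ch] = allow
        else:
            raise ValueError(f"bad permission string {permissions!r}")
    return out


def _matches(rule: Rule, user: User, rec: dict) -> bool:
    # Conditions are evaluated as Python with no builtins in scope, only
    # `user` and `rec` (assumption: close enough to Grist's rule editor).
    env = {"user": user, "rec": SimpleNamespace(**rec)}
    return bool(eval(rule.condition, {"__builtins__": {}}, env))


def allowed(rules, user: User, table: str, rec: dict, action: str) -> bool:
    """First rule for this table whose condition holds and that sets `action`
    decides. If no rule decides, fall back to the document role (assumed
    semantics: editors/owners may write, anyone with a role may read)."""
    for rule in rules:
        if rule.table not in (table, "*"):
            continue
        bits = _bits(rule.permissions)
        if action in bits and _matches(rule, user, rec):
            return bits[action]
    if action == "R":
        return user.Access in ("owners", "editors", "viewers")
    return user.Access in ("owners", "editors")


# Constructed scenario: a survey shared publicly as Editor so staff can
# submit, with each row visible only to its submitter via user.Email.
OWN_ROWS_ONLY = Rule("Survey", "rec.Email != user.Email", "-RUD")
DENY_ANON = Rule("*", f"user.Email == {ANON_EMAIL!r}", "-CRUD")

RULES_BEFORE = [OWN_ROWS_ONLY]             # as in the thread: anon can still post
RULES_AFTER = [DENY_ANON, OWN_ROWS_ONLY]   # explicit deny for the anon identity

anon = User(Email=ANON_EMAIL, Access="editors")            # public "Editor" share
alice = User(Email="alice@example.org", Access="editors")  # logged-in staff (assumed)


def submission_outcomes() -> dict:
    """Who may create a Survey row under each rule set."""
    anon_row = {"Email": ANON_EMAIL, "Answer": "x"}
    alice_row = {"Email": alice.Email, "Answer": "y"}
    return {
        "before": {"anon": allowed(RULES_BEFORE, anon, "Survey", anon_row, "C"),
                   "alice": allowed(RULES_BEFORE, alice, "Survey", alice_row, "C")},
        "after": {"anon": allowed(RULES_AFTER, anon, "Survey", anon_row, "C"),
                  "alice": allowed(RULES_AFTER, alice, "Survey", alice_row, "C")},
    }


def read_outcomes() -> dict:
    """Row visibility under RULES_AFTER: alice sees her own row, not anon's."""
    anon_row = {"Email": ANON_EMAIL, "Answer": "x"}
    alice_row = {"Email": alice.Email, "Answer": "y"}
    return {
        "alice_own": allowed(RULES_AFTER, alice, "Survey", alice_row, "R"),
        "alice_anon_row": allowed(RULES_AFTER, alice, "Survey", anon_row, "R"),
        "anon_any": allowed(RULES_AFTER, anon, "Survey", anon_row, "R"),
    }


if __name__ == "__main__":
    print(submission_outcomes())
    print(read_outcomes())
```

The point of `DENY_ANON` is defence in depth: even if a future change to `GRIST_FORCE_LOGIN` or the IdP redirect lets an anonymous session through again, the document refuses to record rows under the shared anonymous identity instead of silently accepting them. Verify against a real instance by submitting the form from a private browser window and checking that the row is rejected rather than stored with `anon@getgrist.com`.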
vviers commented 5 months ago

(@mmaura works for a french firefighting administration and is self-hosting)

> It's actually a little difficult to understand how the environment variables work.

@jordigh this is linked to #733 I think — he mentioned to us that making the docker image take into account env vars was a bit of a struggle

mmaura commented 4 months ago

I have made a new instance. The only major change is team support this time, using: GRIST_ANON_PLAYGROUND=false GRIST_FORCE_LOGIN=true

It works fine this time.

Anon => SAML login => form.

Thank you.