[1.2.3]
Update grist-core to 1.7.15
Full Changelog
OAuth support extended to home API endpoints. GET /orgs, GET /orgs/:oid/workspaces, POST /workspaces/:wid/docs, and a new GET /profile/user now accept OAuth tokens, with resource-level filtering so a scoped token sees only the orgs and documents it was granted, and is rejected when it tries to create documents in workspaces or orgs it was not granted. (commit)
Harden value interpolation in server-rendered pages. Values embedded into inline <script> blocks in sendAppPage and OAuth2Clients are now escaped with jsesc and inserted without interpreting String.replace patterns (such as $' and $&), and openerOrigin is canonicalized to its bare origin. (commit)
Require a matching authenticated session to reconnect a websocket. A clientId alone is no longer enough to attach to an existing session; the new connection must belong to the same authenticated user, so a clientId cannot be used on its own to impersonate a user. (commit)
Disallow same-origin custom-widget URLs. A new disallowCustomWidgetUrl() helper refuses widgets whose URL is same-origin or on Grist's configured base domain, as defense in depth against an XSS payload being weaponized through a widget URL. (commit)
Disable triggers when a document is downloaded or copied. Webhooks and email triggers are turned off in a downloaded or copied document and must be re-enabled by hand, preventing accidental sends from forks and clones. Webhook secrets are also regenerated correctly when a document with webhooks is uploaded. (commit)
Sanitize link URLs in two more places. URLs from the next parameter on /welcome/select-account are now sanitized and required to be same-origin, and URLs in document tours are sanitized too. (commit)
Close a metadata leakage in GET /forms. The endpoint read table metadata directly instead of through fetchMetaTables, and did not check that the section was actually a form. Anyone could pass the section ID of a non-form widget and read metadata that access rules would otherwise censor. (commit)
Crash instead of silently failing when login middleware cannot initialize. When GRIST_IN_SERVICE=true and the configured identity provider is unreachable at startup, the server now exits rather than falling back to the boot-key login page, so an auto-restart can retry instead of leaving users unable to sign in. (#2384)
Fix card widget bugs. New card widgets no longer borrow the record card's layout while record cards are disabled, and a card whose saved layout references only stale fields now falls back to a default layout instead of throwing and leaving the widget broken. (#2379)
Dependency bumps. ws 8.18.0 to 8.20.1 (fixes an uninitialized memory disclosure in websocket.close()) (#2370), axios 1.15.2 to 1.16.0 (the fetch adapter now enforces maxBodyLength and maxContentLength) (#2375), tmp 0.2.5 to 0.2.6 (#2369), shell-quote 1.8.1 to 1.8.4 (#2386), and an upgrade of picomatch, minimatch, glob, and serialize-javascript that cuts the high-severity advisories reported by yarn audit (#2381).
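As an added illustration of the "Harden value interpolation" entry above (example code written for this page, not Grist's own): why interpolating a value into an inline <script> template with String.replace is unsafe, and the hardened form. The escaper is a simplified stand-in for jsesc, and the template, values and bareOrigin helper are constructed for the example.

```javascript
// Constructed template standing in for a server-rendered page fragment.
const TEMPLATE = '<script>window.config = { v: "__VALUE__" };</script>';

// Naive: a string replacement is interpreted, so "$'" (text after the match)
// and "$&" (the match itself) are expanded instead of inserted verbatim.
function interpolateNaive(value) {
  return TEMPLATE.replace('__VALUE__', value);
}

// Simplified stand-in for jsesc: make the value safe inside a double-quoted
// JS string literal and unable to close the enclosing <script> element.
function escapeForInlineScript(value) {
  return String(value)
    .replace(/\\/g, '\\\\')
    .replace(/"/g, '\\"')
    .replace(/\r/g, '\\r')
    .replace(/\n/g, '\\n')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029')
    .replace(/<\//g, '<\\/');
}

// Hardened: escape first, then use a replacer function, whose return value
// is inserted literally with no $-pattern expansion.
function interpolateSafe(value) {
  const escaped = escapeForInlineScript(value);
  return TEMPLATE.replace('__VALUE__', () => escaped);
}

// Canonicalize an opener origin to its bare origin (scheme://host[:port]),
// dropping any path, query or fragment a caller might have attached.
function bareOrigin(urlString) {
  return new URL(urlString).origin;
}

// Stand-alone demonstration with constructed inputs.
console.log(interpolateNaive("$'"));   // second </script> appears
console.log(interpolateSafe("$'"));    // "$'" inserted verbatim
console.log(bareOrigin('https://example.com:8443/path?x=1#y'));
```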