kopia lustrzana https://github.com/simonw/datasette
Respect query permissions on database page, refs #800
rodzic
14f6b4d200
commit
3f83d4632a
|
@ -60,7 +60,7 @@
|
|||
<h2 id="queries">Queries</h2>
|
||||
<ul>
|
||||
{% for query in queries %}
|
||||
<li><a href="{{ database_url(database) }}/{{ query.name|urlencode }}{% if query.fragment %}#{{ query.fragment }}{% endif %}" title="{{ query.description or query.sql }}">{{ query.title or query.name }}</a></li>
|
||||
<li><a href="{{ database_url(database) }}/{{ query.name|urlencode }}{% if query.fragment %}#{{ query.fragment }}{% endif %}" title="{{ query.description or query.sql }}">{{ query.title or query.name }}</a> {% if query.requires_auth %} - requires authentication{% endif %}</li>
|
||||
{% endfor %}
|
||||
</ul>
|
||||
{% endif %}
|
||||
|
|
|
@ -857,6 +857,7 @@ def call_with_supported_arguments(fn, **kwargs):
|
|||
|
||||
|
||||
def actor_matches_allow(actor, allow):
|
||||
actor = actor or {}
|
||||
if allow is None:
|
||||
return True
|
||||
for key, values in allow.items():
|
||||
|
|
|
@ -2,6 +2,7 @@ import os
|
|||
import jinja2
|
||||
|
||||
from datasette.utils import (
|
||||
actor_matches_allow,
|
||||
to_css_class,
|
||||
validate_sql_select,
|
||||
is_url,
|
||||
|
@ -53,6 +54,16 @@ class DatabaseView(DataView):
|
|||
)
|
||||
|
||||
tables.sort(key=lambda t: (t["hidden"], t["name"]))
|
||||
canned_queries = [
|
||||
dict(
|
||||
query,
|
||||
requires_auth=not actor_matches_allow(None, query.get("allow", None)),
|
||||
)
|
||||
for query in self.ds.get_canned_queries(database)
|
||||
if actor_matches_allow(
|
||||
request.scope.get("actor", None), query.get("allow", None)
|
||||
)
|
||||
]
|
||||
return (
|
||||
{
|
||||
"database": database,
|
||||
|
@ -60,7 +71,7 @@ class DatabaseView(DataView):
|
|||
"tables": tables,
|
||||
"hidden_count": len([t for t in tables if t["hidden"]]),
|
||||
"views": views,
|
||||
"queries": self.ds.get_canned_queries(database),
|
||||
"queries": canned_queries,
|
||||
},
|
||||
{
|
||||
"show_hidden": request.args.get("_show_hidden"),
|
||||
|
|
|
@ -24,6 +24,7 @@ def canned_write_client():
|
|||
"sql": "delete from names where rowid = :rowid",
|
||||
"write": True,
|
||||
"on_success_message": "Name deleted",
|
||||
"allow": {"id": "root"},
|
||||
},
|
||||
"update_name": {
|
||||
"sql": "update names set name = :name where rowid = :rowid",
|
||||
|
@ -52,7 +53,11 @@ def test_insert(canned_write_client):
|
|||
|
||||
def test_custom_success_message(canned_write_client):
|
||||
response = canned_write_client.post(
|
||||
"/data/delete_name", {"rowid": 1}, allow_redirects=False, csrftoken_from=True
|
||||
"/data/delete_name",
|
||||
{"rowid": 1},
|
||||
cookies={"ds_actor": canned_write_client.ds.sign({"id": "root"}, "actor")},
|
||||
allow_redirects=False,
|
||||
csrftoken_from=True,
|
||||
)
|
||||
assert 302 == response.status
|
||||
messages = canned_write_client.ds.unsign(
|
||||
|
@ -93,3 +98,27 @@ def test_insert_error(canned_write_client):
|
|||
def test_custom_params(canned_write_client):
|
||||
response = canned_write_client.get("/data/update_name?extra=foo")
|
||||
assert '<input type="text" id="qp3" name="extra" value="foo">' in response.text
|
||||
|
||||
|
||||
def test_canned_query_permissions_on_database_page(canned_write_client):
|
||||
# Without auth only shows three queries
|
||||
query_names = [
|
||||
q["name"] for q in canned_write_client.get("/data.json").json["queries"]
|
||||
]
|
||||
assert ["add_name", "add_name_specify_id", "update_name"] == query_names
|
||||
|
||||
# With auth shows four
|
||||
response = canned_write_client.get(
|
||||
"/data.json",
|
||||
cookies={"ds_actor": canned_write_client.ds.sign({"id": "root"}, "actor")},
|
||||
)
|
||||
assert 200 == response.status
|
||||
assert [
|
||||
{"name": "add_name", "requires_auth": False},
|
||||
{"name": "add_name_specify_id", "requires_auth": False},
|
||||
{"name": "delete_name", "requires_auth": True},
|
||||
{"name": "update_name", "requires_auth": False},
|
||||
] == [
|
||||
{"name": q["name"], "requires_auth": q["requires_auth"]}
|
||||
for q in response.json["queries"]
|
||||
]
|
||||
|
|
|
@ -466,6 +466,9 @@ def test_multi_params(data, should_raise):
|
|||
[
|
||||
({"id": "root"}, None, True),
|
||||
({"id": "root"}, {}, False),
|
||||
(None, None, True),
|
||||
(None, {}, False),
|
||||
(None, {"id": "root"}, False),
|
||||
# Special "*" value for any key:
|
||||
({"id": "root"}, {"id": "*"}, True),
|
||||
({}, {"id": "*"}, False),
|
||||
|
|
Ładowanie…
Reference in New Issue