kopia lustrzana https://github.com/simonw/datasette
Nested permission checks for all views, refs #811
rodzic
86dec9e8ff
commit
4340845754
|
@ -19,6 +19,7 @@ class DatabaseView(DataView):
|
|||
name = "database"
|
||||
|
||||
async def data(self, request, database, hash, default_labels=False, _size=None):
|
||||
await self.check_permission(request, "view-instance")
|
||||
await self.check_permission(request, "view-database", "database", database)
|
||||
metadata = (self.ds.metadata("databases") or {}).get(database, {})
|
||||
self.ds.update_with_inherited_metadata(metadata)
|
||||
|
@ -90,6 +91,8 @@ class DatabaseDownload(DataView):
|
|||
name = "database_download"
|
||||
|
||||
async def view_get(self, request, database, hash, correct_hash_present, **kwargs):
|
||||
await self.check_permission(request, "view-instance")
|
||||
await self.check_permission(request, "view-database", "database", database)
|
||||
await self.check_permission(
|
||||
request, "view-database-download", "database", database
|
||||
)
|
||||
|
@ -132,6 +135,8 @@ class QueryView(DataView):
|
|||
|
||||
# Respect canned query permissions
|
||||
if canned_query:
|
||||
await self.check_permission(request, "view-instance")
|
||||
await self.check_permission(request, "view-database", "database", database)
|
||||
await self.check_permission(
|
||||
request, "view-query", "query", (database, canned_query)
|
||||
)
|
||||
|
@ -140,7 +145,10 @@ class QueryView(DataView):
|
|||
request.scope.get("actor", None), metadata.get("allow")
|
||||
):
|
||||
return Response("Permission denied", status=403)
|
||||
|
||||
else:
|
||||
await self.check_permission(request, "view-instance")
|
||||
await self.check_permission(request, "view-database", "database", database)
|
||||
await self.check_permission(request, "execute-query", "database", database)
|
||||
# Extract any :named parameters
|
||||
named_parameters = named_parameters or self.re_named_parameter.findall(sql)
|
||||
named_parameter_values = {
|
||||
|
|
|
@ -22,7 +22,7 @@ class IndexView(BaseView):
|
|||
self.ds = datasette
|
||||
|
||||
async def get(self, request, as_format):
|
||||
await self.check_permission(request, "view-index")
|
||||
await self.check_permission(request, "view-instance")
|
||||
databases = []
|
||||
for name, db in self.ds.databases.items():
|
||||
table_names = await db.table_names()
|
||||
|
|
|
@ -267,6 +267,8 @@ class TableView(RowTableShared):
|
|||
if not is_view and not table_exists:
|
||||
raise NotFound("Table not found: {}".format(table))
|
||||
|
||||
await self.check_permission(request, "view-instance")
|
||||
await self.check_permission(request, "view-database", "database", database)
|
||||
await self.check_permission(request, "view-table", "table", (database, table))
|
||||
|
||||
pks = await db.primary_keys(table)
|
||||
|
@ -846,6 +848,9 @@ class RowView(RowTableShared):
|
|||
|
||||
async def data(self, request, database, hash, table, pk_path, default_labels=False):
|
||||
pk_values = urlsafe_components(pk_path)
|
||||
await self.check_permission(request, "view-instance")
|
||||
await self.check_permission(request, "view-database", "database", database)
|
||||
await self.check_permission(request, "view-table", "table", (database, table))
|
||||
await self.check_permission(
|
||||
request, "view-row", "row", tuple([database, table] + list(pk_values))
|
||||
)
|
||||
|
|
|
@ -159,12 +159,12 @@ Permissions
|
|||
|
||||
This section lists all of the permission checks that are carried out by Datasette core, along with their ``resource_type`` and ``resource_identifier`` if those are passed.
|
||||
|
||||
.. _permissions_view_index:
|
||||
.. _permissions_view_instance:
|
||||
|
||||
view-index
|
||||
----------
|
||||
view-instance
|
||||
-------------
|
||||
|
||||
Actor is allowed to view the index page, e.g. https://latest.datasette.io/
|
||||
Top level permission - Actor is allowed to view any pages within this instance, starting at https://latest.datasette.io/
|
||||
|
||||
|
||||
.. _permissions_view_database:
|
||||
|
@ -232,6 +232,19 @@ Actor is allowed to view a :ref:`canned query <canned_queries>` page, e.g. https
|
|||
``resource_identifier`` - string
|
||||
The name of the canned query
|
||||
|
||||
.. _permissions_execute_query:
|
||||
|
||||
execute-query
|
||||
-------------
|
||||
|
||||
Actor is allowed to run arbitrary SQL queries against a specific database, e.g. https://latest.datasette.io/fixtures?sql=select+100
|
||||
|
||||
``resource_type`` - string
|
||||
"database"
|
||||
|
||||
``resource_identifier`` - string
|
||||
The name of the database
|
||||
|
||||
.. _permissions_permissions_debug:
|
||||
|
||||
permissions-debug
|
||||
|
|
|
@ -842,17 +842,25 @@ if __name__ == "__main__":
|
|||
)
|
||||
|
||||
|
||||
def assert_permission_checked(
|
||||
datasette, action, resource_type=None, resource_identifier=None
|
||||
):
|
||||
assert [
|
||||
pc
|
||||
for pc in datasette._permission_checks
|
||||
if pc["action"] == action
|
||||
and pc["resource_type"] == resource_type
|
||||
and pc["resource_identifier"] == resource_identifier
|
||||
], """Missing expected permission check: action={}, resource_type={}, resource_identifier={}
|
||||
Permission checks seen: {}
|
||||
""".format(
|
||||
action, resource_type, resource_identifier, datasette._permission_checks
|
||||
)
|
||||
def assert_permissions_checked(datasette, actions):
|
||||
# actions is a list of "action" or (action, resource_type, resource_identifier) tuples
|
||||
for action in actions:
|
||||
if isinstance(action, str):
|
||||
resource_type = None
|
||||
resource_identifier = None
|
||||
else:
|
||||
action, resource_type, resource_identifier = action
|
||||
assert [
|
||||
pc
|
||||
for pc in datasette._permission_checks
|
||||
if pc["action"] == action
|
||||
and pc["resource_type"] == resource_type
|
||||
and pc["resource_identifier"] == resource_identifier
|
||||
], """Missing expected permission check: action={}, resource_type={}, resource_identifier={}
|
||||
Permission checks seen: {}
|
||||
""".format(
|
||||
action,
|
||||
resource_type,
|
||||
resource_identifier,
|
||||
json.dumps(list(datasette._permission_checks), indent=4),
|
||||
)
|
||||
|
|
|
@ -4,7 +4,7 @@ from .fixtures import ( # noqa
|
|||
app_client_shorter_time_limit,
|
||||
app_client_two_attached_databases,
|
||||
app_client_with_hash,
|
||||
assert_permission_checked,
|
||||
assert_permissions_checked,
|
||||
make_app_client,
|
||||
METADATA,
|
||||
)
|
||||
|
@ -18,7 +18,7 @@ import urllib.parse
|
|||
|
||||
def test_homepage(app_client_two_attached_databases):
|
||||
response = app_client_two_attached_databases.get("/")
|
||||
assert_permission_checked(app_client_two_attached_databases.ds, "view-index")
|
||||
assert_permissions_checked(app_client_two_attached_databases.ds, ["view-instance"])
|
||||
assert response.status == 200
|
||||
assert "text/html; charset=utf-8" == response.headers["content-type"]
|
||||
soup = Soup(response.body, "html.parser")
|
||||
|
@ -77,11 +77,8 @@ def test_static_mounts():
|
|||
def test_memory_database_page():
|
||||
for client in make_app_client(memory=True):
|
||||
response = client.get("/:memory:")
|
||||
assert_permission_checked(
|
||||
client.ds,
|
||||
"view-database",
|
||||
resource_type="database",
|
||||
resource_identifier=":memory:",
|
||||
assert_permissions_checked(
|
||||
client.ds, ["view-instance", ("view-database", "database", ":memory:")]
|
||||
)
|
||||
assert response.status == 200
|
||||
|
||||
|
@ -95,11 +92,8 @@ def test_database_page_redirects_with_url_hash(app_client_with_hash):
|
|||
|
||||
def test_database_page(app_client):
|
||||
response = app_client.get("/fixtures")
|
||||
assert_permission_checked(
|
||||
app_client.ds,
|
||||
"view-database",
|
||||
resource_type="database",
|
||||
resource_identifier="fixtures",
|
||||
assert_permissions_checked(
|
||||
app_client.ds, ["view-instance", ("view-database", "database", "fixtures")]
|
||||
)
|
||||
soup = Soup(response.body, "html.parser")
|
||||
queries_ul = soup.find("h2", text="Queries").find_next_sibling("ul")
|
||||
|
@ -211,11 +205,13 @@ def test_row_page_does_not_truncate():
|
|||
for client in make_app_client(config={"truncate_cells_html": 5}):
|
||||
response = client.get("/fixtures/facetable/1")
|
||||
assert response.status == 200
|
||||
assert_permission_checked(
|
||||
assert_permissions_checked(
|
||||
client.ds,
|
||||
"view-row",
|
||||
resource_type="row",
|
||||
resource_identifier=("fixtures", "facetable", "1"),
|
||||
[
|
||||
"view-instance",
|
||||
("view-table", "table", ("fixtures", "facetable")),
|
||||
("view-row", "row", ("fixtures", "facetable", "1")),
|
||||
],
|
||||
)
|
||||
table = Soup(response.body, "html.parser").find("table")
|
||||
assert table["class"] == ["rows-and-columns"]
|
||||
|
@ -526,11 +522,13 @@ def test_templates_considered(app_client, path, expected_considered):
|
|||
|
||||
def test_table_html_simple_primary_key(app_client):
|
||||
response = app_client.get("/fixtures/simple_primary_key?_size=3")
|
||||
assert_permission_checked(
|
||||
assert_permissions_checked(
|
||||
app_client.ds,
|
||||
"view-table",
|
||||
resource_type="table",
|
||||
resource_identifier=("fixtures", "simple_primary_key"),
|
||||
[
|
||||
"view-instance",
|
||||
("view-database", "database", "fixtures"),
|
||||
("view-table", "table", ("fixtures", "simple_primary_key")),
|
||||
],
|
||||
)
|
||||
assert response.status == 200
|
||||
table = Soup(response.body, "html.parser").find("table")
|
||||
|
@ -887,6 +885,19 @@ def test_database_metadata(app_client):
|
|||
assert_footer_links(soup)
|
||||
|
||||
|
||||
def test_database_query_permission_checks(app_client):
|
||||
response = app_client.get("/fixtures?sql=select+1")
|
||||
assert response.status == 200
|
||||
assert_permissions_checked(
|
||||
app_client.ds,
|
||||
[
|
||||
"view-instance",
|
||||
("view-database", "database", "fixtures"),
|
||||
("execute-query", "database", "fixtures"),
|
||||
],
|
||||
)
|
||||
|
||||
|
||||
def test_database_metadata_with_custom_sql(app_client):
|
||||
response = app_client.get("/fixtures?sql=select+*+from+simple_primary_key")
|
||||
assert response.status == 200
|
||||
|
@ -922,11 +933,13 @@ def test_database_download_allowed_for_immutable():
|
|||
assert len(soup.findAll("a", {"href": re.compile(r"\.db$")}))
|
||||
# Check we can actually download it
|
||||
assert 200 == client.get("/fixtures.db").status
|
||||
assert_permission_checked(
|
||||
assert_permissions_checked(
|
||||
client.ds,
|
||||
"view-database-download",
|
||||
resource_type="database",
|
||||
resource_identifier="fixtures",
|
||||
[
|
||||
"view-instance",
|
||||
("view-database", "database", "fixtures"),
|
||||
("view-database-download", "database", "fixtures"),
|
||||
],
|
||||
)
|
||||
|
||||
|
||||
|
@ -1023,11 +1036,13 @@ def test_404_content_type(app_client):
|
|||
|
||||
def test_canned_query_with_custom_metadata(app_client):
|
||||
response = app_client.get("/fixtures/neighborhood_search?text=town")
|
||||
assert_permission_checked(
|
||||
assert_permissions_checked(
|
||||
app_client.ds,
|
||||
"view-query",
|
||||
resource_type="query",
|
||||
resource_identifier=("fixtures", "neighborhood_search"),
|
||||
[
|
||||
"view-instance",
|
||||
("view-database", "database", "fixtures"),
|
||||
("view-query", "query", ("fixtures", "neighborhood_search")),
|
||||
],
|
||||
)
|
||||
assert response.status == 200
|
||||
soup = Soup(response.body, "html.parser")
|
||||
|
|
Ładowanie…
Reference in New Issue