Check permissions on canned query page, refs #800

datasette/views/database.py

@@ -9,7 +9,7 @@ from datasette.utils import (
     path_with_added_args,
     path_with_removed_args,
 )
-from datasette.utils.asgi import AsgiFileDownload
+from datasette.utils.asgi import AsgiFileDownload, Response
 from datasette.plugins import pm
 
 from .base import DatasetteError, DataView
@@ -125,6 +125,14 @@ class QueryView(DataView):
             params.pop("sql")
         if "_shape" in params:
             params.pop("_shape")
+
+        # Respect canned query permissions
+        if canned_query:
+            if not actor_matches_allow(
+                request.scope.get("actor", None), metadata.get("allow")
+            ):
+                return Response("Permission denied", status=403)
+
         # Extract any :named parameters
         named_parameters = named_parameters or self.re_named_parameter.findall(sql)
         named_parameter_values = {

tests/test_canned_write.py

@@ -128,3 +128,11 @@ def test_canned_query_permissions_on_database_page(canned_write_client):
         {"name": q["name"], "requires_auth": q["requires_auth"]}
         for q in response.json["queries"]
     ]
+
+
+def test_canned_query_permissions(canned_write_client):
+    assert 403 == canned_write_client.get("/data/delete_name").status
+    assert 200 == canned_write_client.get("/data/update_name").status
+    cookies = {"ds_actor": canned_write_client.ds.sign({"id": "root"}, "actor")}
+    assert 200 == canned_write_client.get("/data/delete_name", cookies=cookies).status
+    assert 200 == canned_write_client.get("/data/update_name", cookies=cookies).status