kopia lustrzana https://github.com/simonw/datasette
Check permissions on canned query page, refs #800
rodzic
070838bfa1
commit
966eec7f75
|
@ -9,7 +9,7 @@ from datasette.utils import (
|
|||
path_with_added_args,
|
||||
path_with_removed_args,
|
||||
)
|
||||
from datasette.utils.asgi import AsgiFileDownload
|
||||
from datasette.utils.asgi import AsgiFileDownload, Response
|
||||
from datasette.plugins import pm
|
||||
|
||||
from .base import DatasetteError, DataView
|
||||
|
@ -125,6 +125,14 @@ class QueryView(DataView):
|
|||
params.pop("sql")
|
||||
if "_shape" in params:
|
||||
params.pop("_shape")
|
||||
|
||||
# Respect canned query permissions
|
||||
if canned_query:
|
||||
if not actor_matches_allow(
|
||||
request.scope.get("actor", None), metadata.get("allow")
|
||||
):
|
||||
return Response("Permission denied", status=403)
|
||||
|
||||
# Extract any :named parameters
|
||||
named_parameters = named_parameters or self.re_named_parameter.findall(sql)
|
||||
named_parameter_values = {
|
||||
|
|
|
@ -128,3 +128,11 @@ def test_canned_query_permissions_on_database_page(canned_write_client):
|
|||
{"name": q["name"], "requires_auth": q["requires_auth"]}
|
||||
for q in response.json["queries"]
|
||||
]
|
||||
|
||||
|
||||
def test_canned_query_permissions(canned_write_client):
|
||||
assert 403 == canned_write_client.get("/data/delete_name").status
|
||||
assert 200 == canned_write_client.get("/data/update_name").status
|
||||
cookies = {"ds_actor": canned_write_client.ds.sign({"id": "root"}, "actor")}
|
||||
assert 200 == canned_write_client.get("/data/delete_name", cookies=cookies).status
|
||||
assert 200 == canned_write_client.get("/data/update_name", cookies=cookies).status
|
||||
|
|
Ładowanie…
Reference in New Issue