kopia lustrzana https://github.com/simonw/datasette
rodzic
adfcec51d6
commit
c41278b46f
|
@ -141,6 +141,11 @@ SETTINGS = (
|
|||
True,
|
||||
"Allow users to create and use signed API tokens",
|
||||
),
|
||||
Setting(
|
||||
"default_allow_sql",
|
||||
True,
|
||||
"Allow anyone to run arbitrary SQL queries",
|
||||
),
|
||||
Setting(
|
||||
"max_signed_tokens_ttl",
|
||||
0,
|
||||
|
|
|
@ -69,9 +69,15 @@ def permission_allowed_default(datasette, actor, action, resource):
|
|||
return result
|
||||
|
||||
# Check custom permissions: blocks
|
||||
return await _resolve_metadata_permissions_blocks(
|
||||
result = await _resolve_metadata_permissions_blocks(
|
||||
datasette, actor, action, resource
|
||||
)
|
||||
if result is not None:
|
||||
return result
|
||||
|
||||
# --setting default_allow_sql
|
||||
if action == "execute-sql" and not datasette.setting("default_allow_sql"):
|
||||
return False
|
||||
|
||||
return inner
|
||||
|
||||
|
|
|
@ -313,7 +313,13 @@ To limit access to the ``add_name`` canned query in your ``dogs.db`` database to
|
|||
Controlling the ability to execute arbitrary SQL
|
||||
------------------------------------------------
|
||||
|
||||
The ``"allow_sql"`` block can be used to control who is allowed to execute arbitrary SQL queries, both using the form on the database page e.g. https://latest.datasette.io/fixtures or by appending a ``?_where=`` parameter to the table page as seen on https://latest.datasette.io/fixtures/facetable?_where=city_id=1.
|
||||
Datasette defaults to allowing any site visitor to execute their own custom SQL queries, for example using the form on `the database page <https://latest.datasette.io/fixtures>`__ or by appending a ``?_where=`` parameter to the table page `like this <https://latest.datasette.io/fixtures/facetable?_where=_city_id=1>`__.
|
||||
|
||||
Access to this ability is controlled by the :ref:`permissions_execute_sql` permission.
|
||||
|
||||
The easiest way to disable arbitrary SQL queries is using the :ref:`default_allow_sql setting <setting_default_allow_sql>` when you first start Datasette running.
|
||||
|
||||
You can alternatively use the ``"allow_sql"`` to control who is allowed to execute arbitrary SQL queries.
|
||||
|
||||
To enable just the :ref:`root user<authentication_root>` to execute SQL for all databases in your instance, use the following:
|
||||
|
||||
|
@ -770,7 +776,7 @@ Actor is allowed to run arbitrary SQL queries against a specific database, e.g.
|
|||
``resource`` - string
|
||||
The name of the database
|
||||
|
||||
Default *allow*.
|
||||
Default *allow*. See also :ref:`the default_allow_sql setting <setting_default_allow_sql>`.
|
||||
|
||||
.. _permissions_permissions_debug:
|
||||
|
||||
|
|
|
@ -234,6 +234,8 @@ These can be passed to ``datasette serve`` using ``datasette serve --setting nam
|
|||
database files (default=True)
|
||||
allow_signed_tokens Allow users to create and use signed API tokens
|
||||
(default=True)
|
||||
default_allow_sql Allow anyone to run arbitrary SQL queries
|
||||
(default=True)
|
||||
max_signed_tokens_ttl Maximum allowed expiry time for signed API tokens
|
||||
(default=0)
|
||||
suggest_facets Calculate and display suggested facets
|
||||
|
|
|
@ -59,6 +59,21 @@ Settings
|
|||
|
||||
The following options can be set using ``--setting name value``, or by storing them in the ``settings.json`` file for use with :ref:`config_dir`.
|
||||
|
||||
.. _setting_default_allow_sql:
|
||||
|
||||
default_allow_sql
|
||||
~~~~~~~~~~~~~~~~~
|
||||
|
||||
Should users be able to execute arbitrary SQL queries by default?
|
||||
|
||||
Setting this to ``off`` causes permission checks for :ref:`permissions_execute_sql` to fail by default.
|
||||
|
||||
::
|
||||
|
||||
datasette mydatabase.db --setting default_allow_sql off
|
||||
|
||||
There are two ways to achieve this: the other is to add ``"allow_sql": false`` to your ``metadata.json`` file, as described in :ref:`authentication_permissions_execute_sql`. This setting offers a more convenient way to do this.
|
||||
|
||||
.. _setting_default_page_size:
|
||||
|
||||
default_page_size
|
||||
|
|
|
@ -7,7 +7,7 @@ Datasette treats SQLite database files as read-only and immutable. This means it
|
|||
|
||||
The easiest way to execute custom SQL against Datasette is through the web UI. The database index page includes a SQL editor that lets you run any SELECT query you like. You can also construct queries using the filter interface on the tables page, then click "View and edit SQL" to open that query in the custom SQL editor.
|
||||
|
||||
Note that this interface is only available if the :ref:`permissions_execute_sql` permission is allowed.
|
||||
Note that this interface is only available if the :ref:`permissions_execute_sql` permission is allowed. See :ref:`authentication_permissions_execute_sql`.
|
||||
|
||||
Any Datasette SQL query is reflected in the URL of the page, allowing you to bookmark them, share them with others and navigate through previous queries using your browser back button.
|
||||
|
||||
|
|
|
@ -821,6 +821,7 @@ async def test_settings_json(ds_client):
|
|||
assert response.json() == {
|
||||
"default_page_size": 50,
|
||||
"default_facet_size": 30,
|
||||
"default_allow_sql": True,
|
||||
"facet_suggest_time_limit_ms": 50,
|
||||
"facet_time_limit_ms": 200,
|
||||
"max_returned_rows": 100,
|
||||
|
|
|
@ -216,6 +216,28 @@ def test_setting_type_validation():
|
|||
assert '"default_page_size" should be an integer' in result.stderr
|
||||
|
||||
|
||||
@pytest.mark.parametrize("default_allow_sql", (True, False))
|
||||
def test_setting_default_allow_sql(default_allow_sql):
|
||||
runner = CliRunner()
|
||||
result = runner.invoke(
|
||||
cli,
|
||||
[
|
||||
"--setting",
|
||||
"default_allow_sql",
|
||||
"on" if default_allow_sql else "off",
|
||||
"--get",
|
||||
"/_memory.json?sql=select+21&_shape=objects",
|
||||
],
|
||||
)
|
||||
if default_allow_sql:
|
||||
assert result.exit_code == 0, result.output
|
||||
assert json.loads(result.output)["rows"][0] == {"21": 21}
|
||||
else:
|
||||
assert result.exit_code == 1, result.output
|
||||
# This isn't JSON at the moment, maybe it should be though
|
||||
assert "Forbidden" in result.output
|
||||
|
||||
|
||||
def test_config_deprecated():
|
||||
# The --config option should show a deprecation message
|
||||
runner = CliRunner(mix_stderr=False)
|
||||
|
|
Ładowanie…
Reference in New Issue