From c954795f9af9007e7c04d9b472bfd2faef647a87 Mon Sep 17 00:00:00 2001
From: Simon Willison <swillison@gmail.com>
Date: Thu, 8 Feb 2024 13:30:48 -0800
Subject: [PATCH] alter: true for row/-/update, refs #2101

---
 datasette/views/row.py  | 12 +++++++++++-
 docs/json_api.rst       |  2 ++
 tests/test_api_write.py | 43 +++++++++++++++++++++++++++++++++++++++--
 3 files changed, 54 insertions(+), 3 deletions(-)

diff --git a/datasette/views/row.py b/datasette/views/row.py
index 7b43b893..4d20e41a 100644
--- a/datasette/views/row.py
+++ b/datasette/views/row.py
@@ -237,11 +237,21 @@ class RowUpdateView(BaseView):
         if not "update" in data or not isinstance(data["update"], dict):
             return _error(["JSON must contain an update dictionary"])
 
+        invalid_keys = set(data.keys()) - {"update", "return", "alter"}
+        if invalid_keys:
+            return _error(["Invalid keys: {}".format(", ".join(invalid_keys))])
+
         update = data["update"]
 
+        alter = data.get("alter")
+        if alter and not await self.ds.permission_allowed(
+            request.actor, "alter-table", resource=(resolved.db.name, resolved.table)
+        ):
+            return _error(["Permission denied for alter-table"], 403)
+
         def update_row(conn):
             sqlite_utils.Database(conn)[resolved.table].update(
-                resolved.pk_values, update
+                resolved.pk_values, update, alter=alter
             )
 
         try:
diff --git a/docs/json_api.rst b/docs/json_api.rst
index 000f532d..c401d97e 100644
--- a/docs/json_api.rst
+++ b/docs/json_api.rst
@@ -787,6 +787,8 @@ The returned JSON will look like this:
 
 Any errors will return ``{"errors": ["... descriptive message ..."], "ok": false}``, and a ``400`` status code for a bad input or a ``403`` status code for an authentication or permission error.
 
+Pass ``"alter: true`` to automatically add any missing columns to the table. This requires the :ref:`permissions_alter_table` permission.
+
 .. _RowDeleteView:
 
 Deleting a row
diff --git a/tests/test_api_write.py b/tests/test_api_write.py
index b43ee5a6..7cc38674 100644
--- a/tests/test_api_write.py
+++ b/tests/test_api_write.py
@@ -622,12 +622,17 @@ async def test_delete_row(ds_write, table, row_for_create, pks, delete_path):
 
 
 @pytest.mark.asyncio
-@pytest.mark.parametrize("scenario", ("no_token", "no_perm", "bad_table"))
+@pytest.mark.parametrize(
+    "scenario", ("no_token", "no_perm", "bad_table", "cannot_alter")
+)
 async def test_update_row_check_permission(ds_write, scenario):
     if scenario == "no_token":
         token = "bad_token"
     elif scenario == "no_perm":
         token = write_token(ds_write, actor_id="not-root")
+    elif scenario == "cannot_alter":
+        # update-row but no alter-table:
+        token = write_token(ds_write, permissions=["ur"])
     else:
         token = write_token(ds_write)
 
@@ -637,9 +642,13 @@ async def test_update_row_check_permission(ds_write, scenario):
         "docs" if scenario != "bad_table" else "bad_table", pk
     )
 
+    json_body = {"update": {"title": "New title"}}
+    if scenario == "cannot_alter":
+        json_body["alter"] = True
+
     response = await ds_write.client.post(
         path,
-        json={"update": {"title": "New title"}},
+        json=json_body,
         headers=_headers(token),
     )
     assert response.status_code == 403 if scenario in ("no_token", "bad_token") else 404
@@ -651,6 +660,36 @@ async def test_update_row_check_permission(ds_write, scenario):
     )
 
 
+@pytest.mark.asyncio
+async def test_update_row_invalid_key(ds_write):
+    token = write_token(ds_write)
+
+    pk = await _insert_row(ds_write)
+
+    path = "/data/docs/{}/-/update".format(pk)
+    response = await ds_write.client.post(
+        path,
+        json={"update": {"title": "New title"}, "bad_key": 1},
+        headers=_headers(token),
+    )
+    assert response.status_code == 400
+    assert response.json() == {"ok": False, "errors": ["Invalid keys: bad_key"]}
+
+
+@pytest.mark.asyncio
+async def test_update_row_alter(ds_write):
+    token = write_token(ds_write, permissions=["ur", "at"])
+    pk = await _insert_row(ds_write)
+    path = "/data/docs/{}/-/update".format(pk)
+    response = await ds_write.client.post(
+        path,
+        json={"update": {"title": "New title", "extra": "extra"}, "alter": True},
+        headers=_headers(token),
+    )
+    assert response.status_code == 200
+    assert response.json() == {"ok": True}
+
+
 @pytest.mark.asyncio
 @pytest.mark.parametrize(
     "input,expected_errors",