View list respects view-table permission, refs #811

Also makes a small change to the /fixtures.json JSON: "views": ["view_name"] Is now: "views": [{"name": "view_name", "private": true}]
2020-06-08 11:20:21 -07:00 · 2020-06-08 11:20:21 -07:00 · dcec89270a
commit dcec89270a
--- a/datasette/templates/database.html
+++ b/datasette/templates/database.html
@ -51,7 +51,7 @@
    <h2 id="views">Views</h2>
    <ul>
        {% for view in views %}
-            <li><a href="{{ database_url(database) }}/{{ view|urlencode }}">{{ view }}</a></li>
+            <li><a href="{{ database_url(database) }}/{{ view.name|urlencode }}">{{ view.name }}</a>{% if view.private %} 🔒{% endif %}</li>
        {% endfor %}
    </ul>
 {% endif %}
--- a/datasette/views/database.py
+++ b/datasette/views/database.py
@ -37,10 +37,19 @@ class DatabaseView(DataView):
        db = self.ds.databases[database]

        table_counts = await db.table_counts(5)
-        views = await db.view_names()
        hidden_table_names = set(await db.hidden_table_names())
        all_foreign_keys = await db.get_all_foreign_keys()

+        views = []
+        for view_name in await db.view_names():
+            visible, private = await check_visibility(
+                self.ds, request.actor, "view-table", "table", (database, view_name),
+            )
+            if visible:
+                views.append(
+                    {"name": view_name, "private": private,}
+                )
+
        tables = []
        for table in table_counts:
            visible, private = await check_visibility(
--- a/tests/test_permissions.py
+++ b/tests/test_permissions.py
@ -107,19 +107,27 @@ def test_table_list_respects_view_table():
        metadata={
            "databases": {
                "fixtures": {
-                    "tables": {"compound_three_primary_keys": {"allow": {"id": "root"}}}
+                    "tables": {
+                        "compound_three_primary_keys": {"allow": {"id": "root"}},
+                        # And a SQL view too:
+                        "paginated_view": {"allow": {"id": "root"}},
+                    }
                }
            }
        }
    ) as client:
-        html_fragment = '<a href="/fixtures/compound_three_primary_keys">compound_three_primary_keys</a> 🔒'
+        html_fragments = [
+            ">compound_three_primary_keys</a> 🔒",
+            ">paginated_view</a> 🔒",
+        ]
        anon_response = client.get("/fixtures")
-        assert html_fragment not in anon_response.text
-        assert '"/fixtures/compound_three_primary_keys"' not in anon_response.text
+        for html_fragment in html_fragments:
+            assert html_fragment not in anon_response.text
        auth_response = client.get(
            "/fixtures", cookies={"ds_actor": client.ds.sign({"id": "root"}, "actor")}
        )
-        assert html_fragment in auth_response.text
+        for html_fragment in html_fragments:
+            assert html_fragment in auth_response.text


@pytest.mark.parametrize(