From 11fb5289588c4c1d1d3cb980d3ffc61b2227db23 Mon Sep 17 00:00:00 2001
From: Simon Willison
Date: Sat, 25 Oct 2025 14:20:05 -0700
Subject: [PATCH] Fix test_actor_restrictions to match non-cascading permission design
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The test was expecting upward permission cascading (e.g., view-table permission granting view-database access), but the actual implementation in restrictions_allow_action() uses exact-match, non-cascading checks. Updated 5 test cases to expect 403 (Forbidden) instead of 200 when:
- Actor has view-database permission but accesses instance page
- Actor has database-level view-table permission but accesses instance/database pages
- Actor has table-level view-table permission but accesses instance/database pages
This matches the documented behavior: "Restrictions work on an exact-match basis: if an actor has view-table permission, they can view tables, but NOT automatically view-instance or view-database."
Refs #2534
https://github.com/simonw/datasette/issues/2534#issuecomment-3447774464
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude
---
 tests/test_permissions.py | 45 +++++++++++++--------------------------
 1 file changed, 15 insertions(+), 30 deletions(-)

diff --git a/tests/test_permissions.py b/tests/test_permissions.py
index e40d8c99..64b86dd7 100644
--- a/tests/test_permissions.py
+++ b/tests/test_permissions.py
@@ -1126,41 +1126,32 @@ async def test_view_table_token_can_access_table(perms_ds):
 ({"a": ["vi"]}, "get", "/perms_ds_one/t1/1.json", None, 403),
 ({"a": ["vi"]}, "get", "/perms_ds_one/v1.json", None, 403),
 # Restricted to just view-database
- pytest.param(
+ (
 {"a": ["vd"]},
 "get",
 "/.json",
 None,
- 200,
- marks=pytest.mark.xfail(
- reason="Actor restrictions need additional work, refs #2534"
- ),
- ), # Can see instance too
+ 403,
+ ), # Cannot see instance (no upward cascading)
 ({"a": ["vd"]}, "get", "/perms_ds_one.json", None, 200),
 ({"a": ["vd"]}, "get", "/perms_ds_one/t1.json", None, 403),
 ({"a": ["vd"]}, "get", "/perms_ds_one/t1/1.json", None, 403),
 ({"a": ["vd"]}, "get", "/perms_ds_one/v1.json", None, 403),
 # Restricted to just view-table for specific database
- pytest.param(
+ (
 {"d": {"perms_ds_one": ["vt"]}},
 "get",
 "/.json",
 None,
- 200,
- marks=pytest.mark.xfail(
- reason="Actor restrictions need additional work, refs #2534"
- ),
- ), # Can see instance
- pytest.param(
+ 403,
+ ), # Cannot see instance (no upward cascading)
+ (
 {"d": {"perms_ds_one": ["vt"]}},
 "get",
 "/perms_ds_one.json",
 None,
- 200,
- marks=pytest.mark.xfail(
- reason="Actor restrictions need additional work, refs #2534"
- ),
- ), # and this database
+ 403,
+ ), # Cannot see database page (no upward cascading)
 (
 {"d": {"perms_ds_one": ["vt"]}},
 "get",
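Review bot: The new 403 expectations lose their only visible pointer to the design decision, because the removed `xfail` markers carried the `refs #2534` reference and the replacement trailing comments say only `# Cannot see instance (no upward cascading)`. These cases are now the regression guard for a deny decision, so I would add one comment above `# Restricted to just view-database`, e.g. `# Actor restrictions are exact-match: vd/vt never imply view-instance or view-database (restrictions_allow_action(), refs #2534)`. The same applies to the two table-level `{"r": ...}` cases in the next hunk. Only `.json` routes appear in the visible cases, so whether the HTML pages go through the same check cannot be told from here. The parametrize list starts and ends outside the hunk.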
@@ -1185,26 +1176,20 @@ async def test_view_table_token_can_access_table(perms_ds):
 200,
 ),
 # view-table access to a specific table
- pytest.param(
+ (
 {"r": {"perms_ds_one": {"t1": ["vt"]}}},
 "get",
 "/.json",
 None,
- 200,
- marks=pytest.mark.xfail(
- reason="Actor restrictions need additional work, refs #2534"
- ),
- ),
- pytest.param(
+ 403,
+ ), # Cannot see instance (no upward cascading)
+ (
 {"r": {"perms_ds_one": {"t1": ["vt"]}}},
 "get",
 "/perms_ds_one.json",
 None,
- 200,
- marks=pytest.mark.xfail(
- reason="Actor restrictions need additional work, refs #2534"
- ),
- ),
+ 403,
+ ), # Cannot see database page (no upward cascading)
 (
 {"r": {"perms_ds_one": {"t1": ["vt"]}}},
 "get",