Removed check_permission() from BaseView, closes #1677

Refs #1660
2025-12-10 16:51:24 +01:00 · 2022-03-21 11:41:56 -07:00 · 2022-03-21 11:41:56 -07:00 · 194e4f6c3f
commit 194e4f6c3f
parent dfafce6d96
6 changed files with 16 additions and 22 deletions
--- a/datasette/app.py
+++ b/datasette/app.py
@ -639,6 +639,7 @@ class Datasette:

        Raises datasette.Forbidden() if any of the checks fail
        """
+        assert actor is None or isinstance(actor, dict)
        for permission in permissions:
            if isinstance(permission, str):
                action = permission
--- a/datasette/views/base.py
+++ b/datasette/views/base.py
@ -66,16 +66,6 @@ class BaseView:
        response.body = b""
        return response

-    async def check_permission(self, request, action, resource=None):
-        ok = await self.ds.permission_allowed(
-            request.actor,
-            action,
-            resource=resource,
-            default=True,
-        )
-        if not ok:
-            raise Forbidden(action)
-
    def database_color(self, database):
        return "ff0000"

--- a/datasette/views/database.py
+++ b/datasette/views/database.py
@ -229,7 +229,7 @@ class QueryView(DataView):
                None, "view-query", (database, canned_query), default=True
            )
        else:
-            await self.check_permission(request, "execute-sql", database)
+            await self.ds.ensure_permissions(request.actor, [("execute-sql", database)])

        # Extract any :named parameters
        named_parameters = named_parameters or await derive_named_parameters(
--- a/datasette/views/index.py
+++ b/datasette/views/index.py
@ -20,7 +20,7 @@ class IndexView(BaseView):

    async def get(self, request):
        as_format = request.url_vars["format"]
-        await self.check_permission(request, "view-instance")
+        await self.ds.ensure_permissions(request.actor, ["view-instance"])
        databases = []
        for name, db in self.ds.databases.items():
            visible, database_private = await check_visibility(
--- a/datasette/views/special.py
+++ b/datasette/views/special.py
@ -16,7 +16,7 @@ class JsonDataView(BaseView):

    async def get(self, request):
        as_format = request.url_vars["format"]
-        await self.check_permission(request, "view-instance")
+        await self.ds.ensure_permissions(request.actor, ["view-instance"])
        if self.needs_request:
            data = self.data_callback(request)
        else:
@ -47,7 +47,7 @@ class PatternPortfolioView(BaseView):
    has_json_alternate = False

    async def get(self, request):
-        await self.check_permission(request, "view-instance")
+        await self.ds.ensure_permissions(request.actor, ["view-instance"])
        return await self.render(["patterns.html"], request=request)


@ -95,7 +95,7 @@ class PermissionsDebugView(BaseView):
    has_json_alternate = False

    async def get(self, request):
-        await self.check_permission(request, "view-instance")
+        await self.ds.ensure_permissions(request.actor, ["view-instance"])
        if not await self.ds.permission_allowed(request.actor, "permissions-debug"):
            raise Forbidden("Permission denied")
        return await self.render(
@ -146,11 +146,11 @@ class MessagesDebugView(BaseView):
    has_json_alternate = False

    async def get(self, request):
-        await self.check_permission(request, "view-instance")
+        await self.ds.ensure_permissions(request.actor, ["view-instance"])
        return await self.render(["messages_debug.html"], request)

    async def post(self, request):
-        await self.check_permission(request, "view-instance")
+        await self.ds.ensure_permissions(request.actor, ["view-instance"])
        post = await request.post_vars()
        message = post.get("message", "")
        message_type = post.get("message_type") or "INFO"