Backported default_allow_sql for 0.63.x, closes #1409

2025-12-10 16:51:24 +01:00 · 2023-01-05 09:21:07 -08:00 · 2023-01-05 09:21:07 -08:00 · 1ec9c9995c
commit 1ec9c9995c
parent b8cf864fa6
7 changed files with 58 additions and 3 deletions
--- a/datasette/app.py
+++ b/datasette/app.py
@ -116,6 +116,11 @@ SETTINGS = (
        True,
        "Allow users to specify columns to facet using ?_facet= parameter",
    ),
+    Setting(
+        "default_allow_sql",
+        True,
+        "Allow anyone to run arbitrary SQL queries",
+    ),
    Setting(
        "allow_download",
        True,
--- a/datasette/default_permissions.py
+++ b/datasette/default_permissions.py
@ -36,12 +36,16 @@ def permission_allowed(datasette, actor, action, resource):
                return None
            return actor_matches_allow(actor, allow)
        elif action == "execute-sql":
+            # Only use default_allow_sql setting if it is set to False:
+            default_allow_sql = (
+                None if datasette.setting("default_allow_sql") else False
+            )
            # Use allow_sql block from database block, or from top-level
            database_allow_sql = datasette.metadata("allow_sql", database=resource)
            if database_allow_sql is None:
                database_allow_sql = datasette.metadata("allow_sql")
            if database_allow_sql is None:
-                return None
+                return default_allow_sql
            return actor_matches_allow(actor, database_allow_sql)

    return inner