view-instance permission for debug URLs, closes #833

2025-12-10 16:51:24 +01:00 · 2020-06-11 15:14:51 -07:00 · 2020-06-11 15:14:51 -07:00 · 29c5ff493a
commit 29c5ff493a
parent 09bf3c6322
2 changed files with 36 additions and 2 deletions
--- a/datasette/views/special.py
+++ b/datasette/views/special.py
@ -14,6 +14,7 @@ class JsonDataView(BaseView):
        self.needs_request = needs_request

    async def get(self, request, as_format):
+        await self.check_permission(request, "view-instance")
        if self.needs_request:
            data = self.data_callback(request)
        else:
@ -46,6 +47,7 @@ class PatternPortfolioView(BaseView):
        self.ds = datasette

    async def get(self, request):
+        await self.check_permission(request, "view-instance")
        return await self.render(["patterns.html"], request=request)


@ -77,8 +79,8 @@ class PermissionsDebugView(BaseView):
        self.ds = datasette

    async def get(self, request):
-        if not await self.ds.permission_allowed(request.actor, "permissions-debug"):
-            return Response("Permission denied", status=403)
+        await self.check_permission(request, "view-instance")
+        await self.check_permission(request, "permissions-debug")
        return await self.render(
            ["permissions_debug.html"],
            request,
@ -93,9 +95,11 @@ class MessagesDebugView(BaseView):
        self.ds = datasette

    async def get(self, request):
+        await self.check_permission(request, "view-instance")
        return await self.render(["messages_debug.html"], request)

    async def post(self, request):
+        await self.check_permission(request, "view-instance")
        post = await request.post_vars()
        message = post.get("message", "")
        message_type = post.get("message_type") or "INFO"
--- a/tests/test_permissions.py
+++ b/tests/test_permissions.py
@ -316,3 +316,33 @@ def test_permissions_debug(app_client):
 def test_allow_unauthenticated(allow, expected):
    with make_app_client(metadata={"allow": allow}) as client:
        assert expected == client.get("/").status
+
+
+@pytest.fixture(scope="session")
+def view_instance_client():
+    with make_app_client(metadata={"allow": {}}) as client:
+        yield client
+
+
+@pytest.mark.parametrize(
+    "path",
+    [
+        "/",
+        "/fixtures",
+        "/fixtures/facetable",
+        "/-/metadata",
+        "/-/versions",
+        "/-/plugins",
+        "/-/config",
+        "/-/threads",
+        "/-/databases",
+        "/-/actor",
+        "/-/permissions",
+        "/-/messages",
+        "/-/patterns",
+    ],
+)
+def test_view_instance(path, view_instance_client):
+    assert 403 == view_instance_client.get(path).status
+    if path not in ("/-/permissions", "/-/messages", "/-/patterns"):
+        assert 403 == view_instance_client.get(path + ".json").status