github/datasette
1
0
Fork 0
mirror of https://github.com/simonw/datasette.git synced 2025-12-10 16:51:24 +01:00
Code Issues Projects Releases Packages Wiki Activity

view-instance permission for debug URLs, closes #833

Browse source
This commit is contained in:
Simon Willison 2020-06-11 15:14:51 -07:00
commit 29c5ff493a
2 changed files with 36 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

8
datasette/views/special.py
View file

@ -14,6 +14,7 @@ class JsonDataView(BaseView):
self.needs_request = needs_request self.needs_request = needs_request
async def get(self, request, as_format): async def get(self, request, as_format):
await self.check_permission(request, "view-instance")
if self.needs_request: if self.needs_request:
data = self.data_callback(request) data = self.data_callback(request)
else: else:
@ -46,6 +47,7 @@ class PatternPortfolioView(BaseView):
self.ds = datasette self.ds = datasette
async def get(self, request): async def get(self, request):
await self.check_permission(request, "view-instance")
return await self.render(["patterns.html"], request=request) return await self.render(["patterns.html"], request=request)
@ -77,8 +79,8 @@ class PermissionsDebugView(BaseView):
self.ds = datasette self.ds = datasette
async def get(self, request): async def get(self, request):
if not await self.ds.permission_allowed(request.actor, "permissions-debug"): await self.check_permission(request, "view-instance")
return Response("Permission denied", status=403) await self.check_permission(request, "permissions-debug")
return await self.render( return await self.render(
["permissions_debug.html"], ["permissions_debug.html"],
request, request,
@ -93,9 +95,11 @@ class MessagesDebugView(BaseView):
self.ds = datasette self.ds = datasette
async def get(self, request): async def get(self, request):
await self.check_permission(request, "view-instance")
return await self.render(["messages_debug.html"], request) return await self.render(["messages_debug.html"], request)
async def post(self, request): async def post(self, request):
await self.check_permission(request, "view-instance")
post = await request.post_vars() post = await request.post_vars()
message = post.get("message", "") message = post.get("message", "")
message_type = post.get("message_type") or "INFO" message_type = post.get("message_type") or "INFO"

30
tests/test_permissions.py
View file

@ -316,3 +316,33 @@ def test_permissions_debug(app_client):
def test_allow_unauthenticated(allow, expected): def test_allow_unauthenticated(allow, expected):
with make_app_client(metadata={"allow": allow}) as client: with make_app_client(metadata={"allow": allow}) as client:
assert expected == client.get("/").status assert expected == client.get("/").status
@pytest.fixture(scope="session")
def view_instance_client():
with make_app_client(metadata={"allow": {}}) as client:
yield client
@pytest.mark.parametrize(
"path",
[
"/",
"/fixtures",
"/fixtures/facetable",
"/-/metadata",
"/-/versions",
"/-/plugins",
"/-/config",
"/-/threads",
"/-/databases",
"/-/actor",
"/-/permissions",
"/-/messages",
"/-/patterns",
],
)
def test_view_instance(path, view_instance_client):
assert 403 == view_instance_client.get(path).status
if path not in ("/-/permissions", "/-/messages", "/-/patterns"):
assert 403 == view_instance_client.get(path + ".json").status