Require permissions-debug permission for /-/check endpoint

The /-/check endpoint now requires the permissions-debug permission to access. This prevents unauthorized users from probing the permission system. Administrators can grant this permission to specific users or anonymous users if they want to allow open access. Added test to verify anonymous and regular users are denied access, while root user (who has all permissions) can access the endpoint. Closes #2546
2025-12-10 16:51:24 +01:00 · 2025-10-26 11:12:11 -07:00 · 2025-10-26 11:12:11 -07:00 · 2c8e92acf2
commit 2c8e92acf2
parent e7ed948238
2 changed files with 31 additions and 7 deletions
--- a/datasette/views/special.py
+++ b/datasette/views/special.py
@ -503,16 +503,10 @@ class PermissionCheckView(BaseView):
    has_json_alternate = False

    async def get(self, request):
-        # Check if user has permissions-debug (to show sensitive fields)
-        has_debug_permission = await self.ds.allowed(
-            action="permissions-debug", actor=request.actor
-        )
-
-        # Check if this is a request for JSON (has .json extension)
+        await self.ds.ensure_permission(action="permissions-debug", actor=request.actor)
        as_format = request.url_vars.get("format")

        if not as_format:
-            # Render the HTML form (even if query parameters are present)
            return await self.render(
                ["debug_check.html"],
                request,