Require permissions-debug permission for /-/check endpoint

The /-/check endpoint now requires the permissions-debug permission to access. This prevents unauthorized users from probing the permission system. Administrators can grant this permission to specific users or anonymous users if they want to allow open access. Added test to verify anonymous and regular users are denied access, while root user (who has all permissions) can access the endpoint. Closes #2546
2025-12-10 16:51:24 +01:00 · 2025-10-26 11:12:11 -07:00 · 2025-10-26 11:12:11 -07:00 · 2c8e92acf2
commit 2c8e92acf2
parent e7ed948238
2 changed files with 31 additions and 7 deletions
--- a/tests/test_permissions.py
+++ b/tests/test_permissions.py
@ -1576,3 +1576,33 @@ async def test_actor_restrictions_parent_deny_blocks_config_child_allow(perms_ds

    # Clean up
    perms_ds._config = None
+
+
+@pytest.mark.asyncio
+async def test_permission_check_view_requires_debug_permission():
+    """Test that /-/check requires permissions-debug permission"""
+    # Anonymous user should be denied
+    ds = Datasette()
+    response = await ds.client.get("/-/check.json?action=view-instance")
+    assert response.status_code == 403
+    assert "permissions-debug" in response.text
+
+    # User without permissions-debug should be denied
+    response = await ds.client.get(
+        "/-/check.json?action=view-instance",
+        cookies={"ds_actor": ds.sign({"id": "user"}, "actor")},
+    )
+    assert response.status_code == 403
+
+    # Root user should have access (root has all permissions)
+    ds_with_root = Datasette()
+    ds_with_root.root_enabled = True
+    root_token = ds_with_root.create_token("root")
+    response = await ds_with_root.client.get(
+        "/-/check.json?action=view-instance",
+        headers={"Authorization": f"Bearer {root_token}"},
+    )
+    assert response.status_code == 200
+    data = response.json()
+    assert data["action"] == "view-instance"
+    assert data["allowed"] is True