Respect query permissions on database page, refs #800

2025-12-10 16:51:24 +01:00 · 2020-06-06 12:05:22 -07:00 · 2020-06-06 12:05:22 -07:00 · 3f83d4632a
commit 3f83d4632a
parent 14f6b4d200
5 changed files with 47 additions and 3 deletions
--- a/datasette/templates/database.html
+++ b/datasette/templates/database.html
@ -60,7 +60,7 @@
    <h2 id="queries">Queries</h2>
    <ul>
        {% for query in queries %}
-            <li><a href="{{ database_url(database) }}/{{ query.name|urlencode }}{% if query.fragment %}#{{ query.fragment }}{% endif %}" title="{{ query.description or query.sql }}">{{ query.title or query.name }}</a></li>
+            <li><a href="{{ database_url(database) }}/{{ query.name|urlencode }}{% if query.fragment %}#{{ query.fragment }}{% endif %}" title="{{ query.description or query.sql }}">{{ query.title or query.name }}</a> {% if query.requires_auth %} - requires authentication{% endif %}</li>
        {% endfor %}
    </ul>
 {% endif %}
--- a/datasette/utils/init.py
+++ b/datasette/utils/init.py
@ -857,6 +857,7 @@ def call_with_supported_arguments(fn, **kwargs):


 def actor_matches_allow(actor, allow):
+    actor = actor or {}
    if allow is None:
        return True
    for key, values in allow.items():
--- a/datasette/views/database.py
+++ b/datasette/views/database.py
@ -2,6 +2,7 @@ import os
 import jinja2

 from datasette.utils import (
+    actor_matches_allow,
    to_css_class,
    validate_sql_select,
    is_url,
@ -53,6 +54,16 @@ class DatabaseView(DataView):
            )

        tables.sort(key=lambda t: (t["hidden"], t["name"]))
+        canned_queries = [
+            dict(
+                query,
+                requires_auth=not actor_matches_allow(None, query.get("allow", None)),
+            )
+            for query in self.ds.get_canned_queries(database)
+            if actor_matches_allow(
+                request.scope.get("actor", None), query.get("allow", None)
+            )
+        ]
        return (
            {
                "database": database,
@ -60,7 +71,7 @@ class DatabaseView(DataView):
                "tables": tables,
                "hidden_count": len([t for t in tables if t["hidden"]]),
                "views": views,
-                "queries": self.ds.get_canned_queries(database),
+                "queries": canned_queries,
            },
            {
                "show_hidden": request.args.get("_show_hidden"),