Nested permission checks for all views, refs #811

datasette/views/database.py

@@ -19,6 +19,7 @@ class DatabaseView(DataView):
     name = "database"
 
     async def data(self, request, database, hash, default_labels=False, _size=None):
+        await self.check_permission(request, "view-instance")
         await self.check_permission(request, "view-database", "database", database)
         metadata = (self.ds.metadata("databases") or {}).get(database, {})
         self.ds.update_with_inherited_metadata(metadata)
@@ -90,6 +91,8 @@ class DatabaseDownload(DataView):
     name = "database_download"
 
     async def view_get(self, request, database, hash, correct_hash_present, **kwargs):
+        await self.check_permission(request, "view-instance")
+        await self.check_permission(request, "view-database", "database", database)
         await self.check_permission(
             request, "view-database-download", "database", database
         )
@@ -132,6 +135,8 @@ class QueryView(DataView):
 
         # Respect canned query permissions
         if canned_query:
+            await self.check_permission(request, "view-instance")
+            await self.check_permission(request, "view-database", "database", database)
             await self.check_permission(
                 request, "view-query", "query", (database, canned_query)
             )
@@ -140,7 +145,10 @@ class QueryView(DataView):
                 request.scope.get("actor", None), metadata.get("allow")
             ):
                 return Response("Permission denied", status=403)
-
+        else:
+            await self.check_permission(request, "view-instance")
+            await self.check_permission(request, "view-database", "database", database)
+            await self.check_permission(request, "execute-query", "database", database)
         # Extract any :named parameters
         named_parameters = named_parameters or self.re_named_parameter.findall(sql)
         named_parameter_values = {

datasette/views/index.py

@@ -22,7 +22,7 @@ class IndexView(BaseView):
         self.ds = datasette
 
     async def get(self, request, as_format):
-        await self.check_permission(request, "view-index")
+        await self.check_permission(request, "view-instance")
         databases = []
         for name, db in self.ds.databases.items():
             table_names = await db.table_names()

datasette/views/table.py

@@ -267,6 +267,8 @@ class TableView(RowTableShared):
         if not is_view and not table_exists:
             raise NotFound("Table not found: {}".format(table))
 
+        await self.check_permission(request, "view-instance")
+        await self.check_permission(request, "view-database", "database", database)
         await self.check_permission(request, "view-table", "table", (database, table))
 
         pks = await db.primary_keys(table)
@@ -846,6 +848,9 @@ class RowView(RowTableShared):
 
     async def data(self, request, database, hash, table, pk_path, default_labels=False):
         pk_values = urlsafe_components(pk_path)
+        await self.check_permission(request, "view-instance")
+        await self.check_permission(request, "view-database", "database", database)
+        await self.check_permission(request, "view-table", "table", (database, table))
         await self.check_permission(
             request, "view-row", "row", tuple([database, table] + list(pk_values))
         )