allow_sql block to control execute-sql upermission in metadata.json, closes #813

Also removed the --config allow_sql:0 mechanism in favour of the new allow_sql block.
2025-12-10 16:51:24 +01:00 · 2020-06-08 17:05:44 -07:00 · 2020-06-08 17:05:44 -07:00 · 49d6d2f7b0
commit 49d6d2f7b0
parent e0a4664fba
16 changed files with 92 additions and 44 deletions
--- a/datasette/default_permissions.py
+++ b/datasette/default_permissions.py
@ -34,3 +34,11 @@ def permission_allowed(datasette, actor, action, resource):
        if allow is None:
            return True
        return actor_matches_allow(actor, allow)
+    elif action == "execute-sql":
+        # Use allow_sql block from database block, or from top-level
+        database_allow_sql = datasette.metadata("allow_sql", database=resource)
+        if database_allow_sql is None:
+            database_allow_sql = datasette.metadata("allow_sql")
+        if database_allow_sql is None:
+            return True
+        return actor_matches_allow(actor, database_allow_sql)