github/datasette
1
0
Fork 0
mirror of https://github.com/simonw/datasette.git synced 2025-12-10 16:51:24 +01:00
Code Issues Projects Releases Packages Wiki Activity

allow_sql block to control execute-sql upermission in metadata.json, closes #813

Browse source 
Also removed the --config allow_sql:0 mechanism in favour of the new allow_sql block.
This commit is contained in:
Simon Willison 2020-06-08 17:05:44 -07:00
commit 49d6d2f7b0
16 changed files with 92 additions and 44 deletions
Download patch file Download diff file Expand all files Collapse all files

8
datasette/views/database.py
View file

@ -26,8 +26,6 @@ class DatabaseView(DataView):
self.ds.update_with_inherited_metadata(metadata)
if request.args.get("sql"):
if not self.ds.config("allow_sql"):
raise DatasetteError("sql= is not allowed", status=400)
sql = request.args.get("sql")
validate_sql_select(sql)
return await QueryView(self.ds).data(
@ -90,6 +88,9 @@ class DatabaseView(DataView):
"private": not await self.ds.permission_allowed(
None, "view-database", database
),
"allow_execute_sql": await self.ds.permission_allowed(
request.actor, "execute-sql", database, default=True
),
},
{
"show_hidden": request.args.get("_show_hidden"),
@ -289,6 +290,9 @@ class QueryView(DataView):
"columns": columns,
"query": {"sql": sql, "params": params},
"private": private,
"allow_execute_sql": await self.ds.permission_allowed(
request.actor, "execute-sql", database, default=True
),
},
extra_template,
templates,