allow_sql block to control execute-sql upermission in metadata.json, closes #813

Also removed the --config allow_sql:0 mechanism in favour of the new allow_sql block.
2025-12-10 16:51:24 +01:00 · 2020-06-08 17:05:44 -07:00 · 2020-06-08 17:05:44 -07:00 · 49d6d2f7b0
commit 49d6d2f7b0
parent e0a4664fba
16 changed files with 92 additions and 44 deletions
--- a/tests/test_api.py
+++ b/tests/test_api.py
@ -634,13 +634,6 @@ def test_invalid_custom_sql(app_client):
    assert "Statement must be a SELECT" == response.json["error"]


-def test_allow_sql_off():
-    with make_app_client(config={"allow_sql": False}) as client:
-        response = client.get("/fixtures.json?sql=select+sleep(0.01)")
-        assert 400 == response.status
-        assert "sql= is not allowed" == response.json["error"]
-
-
 def test_table_json(app_client):
    response = app_client.get("/fixtures/simple_primary_key.json?_shape=objects")
    assert response.status == 200
@ -1137,9 +1130,9 @@ def test_table_filter_extra_where_invalid(app_client):


 def test_table_filter_extra_where_disabled_if_no_sql_allowed():
-    with make_app_client(config={"allow_sql": False}) as client:
+    with make_app_client(metadata={"allow_sql": {}}) as client:
        response = client.get("/fixtures/facetable.json?_where=neighborhood='Dogpatch'")
-        assert 400 == response.status
+        assert 403 == response.status
        assert "_where= is not allowed" == response.json["error"]


@ -1325,7 +1318,6 @@ def test_config_json(app_client):
        "allow_download": True,
        "allow_facet": True,
        "suggest_facets": True,
-        "allow_sql": True,
        "default_cache_ttl": 5,
        "default_cache_ttl_hashed": 365 * 24 * 60 * 60,
        "num_sql_threads": 3,
--- a/tests/test_config_dir.py
+++ b/tests/test_config_dir.py
@ -10,7 +10,6 @@ from datasette import hookimpl

@hookimpl
 def extra_template_vars():
-    print("this is template vars")
    return {
        "from_plugin": "hooray"
    }
@ -18,7 +17,6 @@ def extra_template_vars():
 METADATA = {"title": "This is from metadata"}
 CONFIG = {
    "default_cache_ttl": 60,
-    "allow_sql": False,
 }
 CSS = """
 body { margin-top: 3em}
@ -91,7 +89,6 @@ def test_config(config_dir_client):
    response = config_dir_client.get("/-/config.json")
    assert 200 == response.status
    assert 60 == response.json["default_cache_ttl"]
-    assert not response.json["allow_sql"]


 def test_plugins(config_dir_client):
--- a/tests/test_html.py
+++ b/tests/test_html.py
@ -924,16 +924,8 @@ def test_allow_download_off():
        assert 403 == response.status


-def test_allow_sql_on(app_client):
-    response = app_client.get("/fixtures")
-    soup = Soup(response.body, "html.parser")
-    assert len(soup.findAll("textarea", {"name": "sql"}))
-    response = app_client.get("/fixtures/sortable")
-    assert b"View and edit SQL" in response.body
-
-
 def test_allow_sql_off():
-    with make_app_client(config={"allow_sql": False}) as client:
+    with make_app_client(metadata={"allow_sql": {}}) as client:
        response = client.get("/fixtures")
        soup = Soup(response.body, "html.parser")
        assert not len(soup.findAll("textarea", {"name": "sql"}))
--- a/tests/test_permissions.py
+++ b/tests/test_permissions.py
@ -186,6 +186,35 @@ def test_view_query(allow, expected_anon, expected_auth):
            assert ">fixtures 🔒</h1>" in auth_response.text


+@pytest.mark.parametrize(
+    "metadata",
+    [
+        {"allow_sql": {"id": "root"}},
+        {"databases": {"fixtures": {"allow_sql": {"id": "root"}}}},
+    ],
+)
+def test_execute_sql(metadata):
+    with make_app_client(metadata=metadata) as client:
+        form_fragment = '<form class="sql" action="/fixtures"'
+
+        # Anonymous users - should not display the form:
+        assert form_fragment not in client.get("/fixtures").text
+        # This should 403:
+        assert 403 == client.get("/fixtures?sql=select+1").status
+        # ?_where= not allowed on tables:
+        assert 403 == client.get("/fixtures/facet_cities?_where=id=3").status
+
+        # But for logged in user all of these should work:
+        cookies = {"ds_actor": client.ds.sign({"id": "root"}, "actor")}
+        response_text = client.get("/fixtures", cookies=cookies).text
+        assert form_fragment in response_text
+        assert 200 == client.get("/fixtures?sql=select+1", cookies=cookies).status
+        assert (
+            200
+            == client.get("/fixtures/facet_cities?_where=id=3", cookies=cookies).status
+        )
+
+
 def test_query_list_respects_view_query():
    with make_app_client(
        metadata={