From 4adca0d85077fe504e98cd7487343e76ccf25be5 Mon Sep 17 00:00:00 2001
From: Simon Willison <swillison@gmail.com>
Date: Sat, 31 Jul 2021 17:58:11 -0700
Subject: [PATCH] No hidden SQL on canned query pages, closes #1411

---
 datasette/templates/query.html |  2 +-
 tests/test_html.py             | 11 +++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/datasette/templates/query.html b/datasette/templates/query.html
index b6c74883..543561d8 100644
--- a/datasette/templates/query.html
+++ b/datasette/templates/query.html
@@ -44,7 +44,7 @@
             <pre id="sql-query">{% if query %}{{ query.sql }}{% endif %}</pre>
         {% endif %}
     {% else %}
-        <input type="hidden" name="sql" value="{% if query and query.sql %}{{ query.sql }}{% else %}select * from {{ tables[0].name|escape_sqlite }}{% endif %}">
+    {% if not canned_query %}<input type="hidden" name="sql" value="{% if query and query.sql %}{{ query.sql }}{% else %}select * from {{ tables[0].name|escape_sqlite }}{% endif %}">{% endif %}
         <input type="hidden" name="_hide_sql" value="1">
     {% endif %}
     {% if named_parameter_values %}
diff --git a/tests/test_html.py b/tests/test_html.py
index aee6bce1..9f5b99e3 100644
--- a/tests/test_html.py
+++ b/tests/test_html.py
@@ -1238,6 +1238,17 @@ def test_show_hide_sql_query(app_client):
     ] == [(hidden["name"], hidden["value"]) for hidden in hiddens]
 
 
+def test_canned_query_with_hide_has_no_hidden_sql(app_client):
+    # For a canned query the show/hide should NOT have a hidden SQL field
+    # https://github.com/simonw/datasette/issues/1411
+    response = app_client.get("/fixtures/neighborhood_search?_hide_sql=1")
+    soup = Soup(response.body, "html.parser")
+    hiddens = soup.find("form").select("input[type=hidden]")
+    assert [
+        ("_hide_sql", "1"),
+    ] == [(hidden["name"], hidden["value"]) for hidden in hiddens]
+
+
 def test_extra_where_clauses(app_client):
     response = app_client.get(
         "/fixtures/facetable?_where=neighborhood='Dogpatch'&_where=city_id=1"