From 575a29c424893b82b1b3c7472e1b8e4622c05c95 Mon Sep 17 00:00:00 2001 From: Simon Willison Date: Sun, 13 Nov 2022 22:01:56 -0800 Subject: [PATCH] API explorer: respect immutability, closes #1888 --- datasette/views/special.py | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/datasette/views/special.py b/datasette/views/special.py index 1d9e557e..7f80a1d0 100644 --- a/datasette/views/special.py +++ b/datasette/views/special.py @@ -281,8 +281,6 @@ class ApiExplorerView(BaseView): for name, db in self.ds.databases.items(): if name == "_internal": continue - if not db.is_mutable: - continue database_visible, _ = await self.ds.check_visibility( request.actor, "view-database", @@ -301,6 +299,7 @@ class ApiExplorerView(BaseView): if not visible: continue table_links = [] + tables.append({"name": table, "links": table_links}) table_links.append( { "label": "Get rows for {}".format(table), @@ -309,6 +308,10 @@ class ApiExplorerView(BaseView): + "?_shape=objects".format(name, table), } ) + # If not mutable don't show any write APIs + if not db.is_mutable: + continue + if await self.ds.permission_allowed( request.actor, "insert-row", (name, table) ): @@ -340,9 +343,11 @@ class ApiExplorerView(BaseView): "method": "POST", } ) - tables.append({"name": table, "links": table_links}) database_links = [] - if await self.ds.permission_allowed(request.actor, "create-table", name): + if ( + await self.ds.permission_allowed(request.actor, "create-table", name) + and db.is_mutable + ): database_links.append( { "path": self.ds.urls.database(name) + "/-/create",