github/datasette
1
0
Fork 0
mirror of https://github.com/simonw/datasette.git synced 2025-12-10 16:51:24 +01:00
Code Issues Projects Releases Packages Wiki Activity

PluginSQL renamed to PermissionSQL, closes #2524

Browse source
This commit is contained in:
Simon Willison 2025-10-23 09:34:19 -07:00
commit 5ed57607e5
11 changed files with 84 additions and 81 deletions
Download patch file Download diff file Expand all files Collapse all files

14
tests/test_actions_sql.py
View file

@ -12,7 +12,7 @@ import pytest
import pytest_asyncio
from datasette.app import Datasette
from datasette.plugins import pm
from datasette.utils.permissions import PluginSQL
from datasette.permissions import PermissionSQL
from datasette.resources import TableResource
from datasette import hookimpl
@ -63,7 +63,7 @@ async def test_allowed_resources_global_allow(test_ds):
def rules_callback(datasette, actor, action):
if actor and actor.get("id") == "alice":
sql = "SELECT NULL AS parent, NULL AS child, 1 AS allow, 'global: alice has access' AS reason"
return PluginSQL(source="test", sql=sql, params={})
return PermissionSQL(source="test", sql=sql, params={})
return None
plugin = PermissionRulesPlugin(rules_callback)
@ -101,7 +101,7 @@ async def test_allowed_specific_resource(test_ds):
UNION ALL
SELECT 'analytics' AS parent, NULL AS child, 1 AS allow, 'analyst access' AS reason
"""
return PluginSQL(source="test", sql=sql, params={})
return PermissionSQL(source="test", sql=sql, params={})
return None
plugin = PermissionRulesPlugin(rules_callback)
@ -145,7 +145,7 @@ async def test_allowed_resources_with_reasons(test_ds):
SELECT 'analytics' AS parent, 'sensitive' AS child, 0 AS allow,
'child: sensitive data denied' AS reason
"""
return PluginSQL(source="test", sql=sql, params={})
return PermissionSQL(source="test", sql=sql, params={})
return None
plugin = PermissionRulesPlugin(rules_callback)
@ -185,7 +185,7 @@ async def test_child_deny_overrides_parent_allow(test_ds):
SELECT 'analytics' AS parent, 'sensitive' AS child, 0 AS allow,
'child: deny sensitive' AS reason
"""
return PluginSQL(source="test", sql=sql, params={})
return PermissionSQL(source="test", sql=sql, params={})
return None
plugin = PermissionRulesPlugin(rules_callback)
@ -233,7 +233,7 @@ async def test_child_allow_overrides_parent_deny(test_ds):
SELECT 'production' AS parent, 'orders' AS child, 1 AS allow,
'child: carol can see orders' AS reason
"""
return PluginSQL(source="test", sql=sql, params={})
return PermissionSQL(source="test", sql=sql, params={})
return None
plugin = PermissionRulesPlugin(rules_callback)
@ -304,7 +304,7 @@ async def test_sql_does_filtering_not_python(test_ds):
SELECT 'analytics' AS parent, 'users' AS child, 1 AS allow,
'specific allow' AS reason
"""
return PluginSQL(source="test", sql=sql, params={})
return PermissionSQL(source="test", sql=sql, params={})
plugin = PermissionRulesPlugin(rules_callback)
pm.register(plugin, name="test_plugin")

4
tests/test_plugins.py
View file

@ -12,7 +12,7 @@ from datasette.app import Datasette
from datasette import cli, hookimpl, Permission
from datasette.filters import FilterArguments
from datasette.plugins import get_plugins, DEFAULT_PLUGINS, pm
from datasette.utils.permissions import PluginSQL
from datasette.permissions import PermissionSQL
from datasette.utils.sqlite import sqlite3
from datasette.utils import StartupError, await_me_maybe
from jinja2 import ChoiceLoader, FileSystemLoader
@ -722,7 +722,7 @@ async def test_hook_permission_resources_sql():
collected.append(block)
assert collected
assert all(isinstance(item, PluginSQL) for item in collected)
assert all(isinstance(item, PermissionSQL) for item in collected)
@pytest.mark.asyncio

14
tests/test_tables_endpoint.py
View file

@ -8,7 +8,7 @@ import pytest
import pytest_asyncio
from datasette.app import Datasette
from datasette.plugins import pm
from datasette.utils.permissions import PluginSQL
from datasette.permissions import PermissionSQL
from datasette import hookimpl
@ -57,7 +57,7 @@ async def test_tables_endpoint_global_access(test_ds):
def rules_callback(datasette, actor, action):
if actor and actor.get("id") == "alice":
sql = "SELECT NULL AS parent, NULL AS child, 1 AS allow, 'global: alice has access' AS reason"
return PluginSQL(source="test", sql=sql, params={})
return PermissionSQL(source="test", sql=sql, params={})
return None
plugin = PermissionRulesPlugin(rules_callback)
@ -97,7 +97,7 @@ async def test_tables_endpoint_database_restriction(test_ds):
if actor and actor.get("role") == "analyst":
# Allow only analytics database
sql = "SELECT 'analytics' AS parent, NULL AS child, 1 AS allow, 'analyst access' AS reason"
return PluginSQL(source="test", sql=sql, params={})
return PermissionSQL(source="test", sql=sql, params={})
return None
plugin = PermissionRulesPlugin(rules_callback)
@ -144,7 +144,7 @@ async def test_tables_endpoint_table_exception(test_ds):
UNION ALL
SELECT 'analytics' AS parent, 'users' AS child, 1 AS allow, 'carol exception' AS reason
"""
return PluginSQL(source="test", sql=sql, params={})
return PermissionSQL(source="test", sql=sql, params={})
return None
plugin = PermissionRulesPlugin(rules_callback)
@ -186,7 +186,7 @@ async def test_tables_endpoint_deny_overrides_allow(test_ds):
UNION ALL
SELECT 'analytics' AS parent, 'sensitive' AS child, 0 AS allow, 'deny sensitive' AS reason
"""
return PluginSQL(source="test", sql=sql, params={})
return PermissionSQL(source="test", sql=sql, params={})
return None
plugin = PermissionRulesPlugin(rules_callback)
@ -252,7 +252,7 @@ async def test_tables_endpoint_specific_table_only(test_ds):
UNION ALL
SELECT 'production' AS parent, 'orders' AS child, 1 AS allow, 'specific table 2' AS reason
"""
return PluginSQL(source="test", sql=sql, params={})
return PermissionSQL(source="test", sql=sql, params={})
return None
plugin = PermissionRulesPlugin(rules_callback)
@ -290,7 +290,7 @@ async def test_tables_endpoint_empty_result(test_ds):
if actor and actor.get("id") == "blocked":
# Global deny
sql = "SELECT NULL AS parent, NULL AS child, 0 AS allow, 'global deny' AS reason"
return PluginSQL(source="test", sql=sql, params={})
return PermissionSQL(source="test", sql=sql, params={})
return None
plugin = PermissionRulesPlugin(rules_callback)

40
tests/test_utils_permissions.py
View file

@ -1,7 +1,7 @@
import pytest
from datasette.app import Datasette
from datasette.permissions import PermissionSQL
from datasette.utils.permissions import (
PluginSQL,
PluginProvider,
resolve_permissions_from_catalog,
)
@ -26,8 +26,8 @@ NO_RULES_SQL = (
def plugin_allow_all_for_user(user: str) -> PluginProvider:
def provider(action: str) -> PluginSQL:
return PluginSQL(
def provider(action: str) -> PermissionSQL:
return PermissionSQL(
"allow_all",
"""
SELECT NULL AS parent, NULL AS child, 1 AS allow,
@ -41,8 +41,8 @@ def plugin_allow_all_for_user(user: str) -> PluginProvider:
def plugin_deny_specific_table(user: str, parent: str, child: str) -> PluginProvider:
def provider(action: str) -> PluginSQL:
return PluginSQL(
def provider(action: str) -> PermissionSQL:
return PermissionSQL(
"deny_specific_table",
"""
SELECT :parent AS parent, :child AS child, 0 AS allow,
@ -56,8 +56,8 @@ def plugin_deny_specific_table(user: str, parent: str, child: str) -> PluginProv
def plugin_org_policy_deny_parent(parent: str) -> PluginProvider:
def provider(action: str) -> PluginSQL:
return PluginSQL(
def provider(action: str) -> PermissionSQL:
return PermissionSQL(
"org_policy_parent_deny",
"""
SELECT :parent AS parent, NULL AS child, 0 AS allow,
@ -70,8 +70,8 @@ def plugin_org_policy_deny_parent(parent: str) -> PluginProvider:
def plugin_allow_parent_for_user(user: str, parent: str) -> PluginProvider:
def provider(action: str) -> PluginSQL:
return PluginSQL(
def provider(action: str) -> PermissionSQL:
return PermissionSQL(
"allow_parent",
"""
SELECT :parent AS parent, NULL AS child, 1 AS allow,
@ -85,8 +85,8 @@ def plugin_allow_parent_for_user(user: str, parent: str) -> PluginProvider:
def plugin_child_allow_for_user(user: str, parent: str, child: str) -> PluginProvider:
def provider(action: str) -> PluginSQL:
return PluginSQL(
def provider(action: str) -> PermissionSQL:
return PermissionSQL(
"allow_child",
"""
SELECT :parent AS parent, :child AS child, 1 AS allow,
@ -100,8 +100,8 @@ def plugin_child_allow_for_user(user: str, parent: str, child: str) -> PluginPro
def plugin_root_deny_for_all() -> PluginProvider:
def provider(action: str) -> PluginSQL:
return PluginSQL(
def provider(action: str) -> PermissionSQL:
return PermissionSQL(
"root_deny",
"""
SELECT NULL AS parent, NULL AS child, 0 AS allow, 'root deny for all on ' || :action AS reason
@ -115,8 +115,8 @@ def plugin_root_deny_for_all() -> PluginProvider:
def plugin_conflicting_same_child_rules(
user: str, parent: str, child: str
) -> List[PluginProvider]:
def allow_provider(action: str) -> PluginSQL:
return PluginSQL(
def allow_provider(action: str) -> PermissionSQL:
return PermissionSQL(
"conflict_child_allow",
"""
SELECT :parent AS parent, :child AS child, 1 AS allow,
@ -126,8 +126,8 @@ def plugin_conflicting_same_child_rules(
{"parent": parent, "child": child, "user": user, "action": action},
)
def deny_provider(action: str) -> PluginSQL:
return PluginSQL(
def deny_provider(action: str) -> PermissionSQL:
return PermissionSQL(
"conflict_child_deny",
"""
SELECT :parent AS parent, :child AS child, 0 AS allow,
@ -141,14 +141,14 @@ def plugin_conflicting_same_child_rules(
def plugin_allow_all_for_action(user: str, allowed_action: str) -> PluginProvider:
def provider(action: str) -> PluginSQL:
def provider(action: str) -> PermissionSQL:
if action != allowed_action:
return PluginSQL(
return PermissionSQL(
f"allow_all_{allowed_action}_noop",
NO_RULES_SQL,
{},
)
return PluginSQL(
return PermissionSQL(
f"allow_all_{allowed_action}",
"""
SELECT NULL AS parent, NULL AS child, 1 AS allow,