From 785f2ad0bd6ccddb5be9139d94cc56228fbba2b5 Mon Sep 17 00:00:00 2001 From: Simon Willison Date: Sat, 25 Oct 2025 13:44:24 -0700 Subject: [PATCH] Apply database-level allow blocks to view-query action, refs #2510 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When a database has an "allow" block in the configuration, it should apply to all queries in that database, not just tables and the database itself. This fix ensures that queries respect database-level access controls. This fixes the test_padlocks_on_database_page test which expects plugin-defined queries (from_async_hook, from_hook) to show padlock indicators when the database has restricted access. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude --- datasette/default_permissions.py | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/datasette/default_permissions.py b/datasette/default_permissions.py index a37c47c1..a07775b6 100644 --- a/datasette/default_permissions.py +++ b/datasette/default_permissions.py @@ -375,6 +375,13 @@ async def _config_permission_rules(datasette, actor, action) -> list[PermissionS db_name, None, db_allow, f"allow for {action} on {db_name}" ) + if action == "view-query": + # Database-level allow block affects all queries in that database + db_allow = db_config.get("allow") + add_row_allow_block( + db_name, None, db_allow, f"allow for {action} on {db_name}" + ) + # Root-level allow block applies to all view-* actions if action == "view-instance": allow_block = config.get("allow")