github/datasette
1
0
Fork 0
mirror of https://github.com/simonw/datasette.git synced 2025-12-10 16:51:24 +01:00
Code Issues Projects Releases Packages Wiki Activity

Cascading permissions for .db download, closes #1058

Browse source
This commit is contained in:
Simon Willison 2020-10-27 20:15:41 -07:00
commit 7d9fedc176
3 changed files with 20 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

11
datasette/views/database.py
View file

@ -131,9 +131,14 @@ class DatabaseDownload(DataView):
name = "database_download"
async def view_get(self, request, database, hash, correct_hash_present, **kwargs):
await self.check_permission(request, "view-instance")
await self.check_permission(request, "view-database", database)
await self.check_permission(request, "view-database-download", database)
await self.check_permissions(
request,
[
("view-database-download", database),
("view-database", database),
"view-instance",
],
)
if database not in self.ds.databases:
raise DatasetteError("Invalid database", status=404)
db = self.ds.databases[database]