github/datasette
1
0
Fork 0
mirror of https://github.com/simonw/datasette.git synced 2025-12-10 16:51:24 +01:00
Code Issues Projects Releases Packages Wiki Activity

Cascading permissions for .db download, closes #1058

Browse source
This commit is contained in:
Simon Willison 2020-10-27 20:15:41 -07:00
commit 7d9fedc176
3 changed files with 20 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

11
datasette/views/database.py
View file

@ -131,9 +131,14 @@ class DatabaseDownload(DataView):
name = "database_download" name = "database_download"
async def view_get(self, request, database, hash, correct_hash_present, **kwargs): async def view_get(self, request, database, hash, correct_hash_present, **kwargs):
await self.check_permission(request, "view-instance") await self.check_permissions(
await self.check_permission(request, "view-database", database) request,
await self.check_permission(request, "view-database-download", database) [
("view-database-download", database),
("view-database", database),
"view-instance",
],
)
if database not in self.ds.databases: if database not in self.ds.databases:
raise DatasetteError("Invalid database", status=404) raise DatasetteError("Invalid database", status=404)
db = self.ds.databases[database] db = self.ds.databases[database]

2
tests/plugins/my_plugin.py
View file

@ -193,6 +193,8 @@ def permission_allowed(actor, action):
return True return True
elif action == "this_is_denied": elif action == "this_is_denied":
return False return False
elif action == "view-database-download":
return (actor and actor.get("can_download")) or None
@hookimpl @hookimpl

12
tests/test_permissions.py
View file

@ -394,7 +394,7 @@ def test_view_instance(path, view_instance_client):
@pytest.fixture(scope="session") @pytest.fixture(scope="session")
def cascade_app_client(): def cascade_app_client():
with make_app_client() as client: with make_app_client(is_immutable=True) as client:
yield client yield client
@ -439,6 +439,11 @@ def cascade_app_client():
("/fixtures", [], 403), ("/fixtures", [], 403),
("/fixtures", ["instance"], 403), ("/fixtures", ["instance"], 403),
("/fixtures", ["database"], 200), ("/fixtures", ["database"], 200),
# Downloading the fixtures.db file
("/fixtures.db", [], 403),
("/fixtures.db", ["instance"], 403),
("/fixtures.db", ["database"], 200),
("/fixtures.db", ["download"], 200),
], ],
) )
def test_permissions_cascade(cascade_app_client, path, permissions, expected_status): def test_permissions_cascade(cascade_app_client, path, permissions, expected_status):
@ -447,6 +452,9 @@ def test_permissions_cascade(cascade_app_client, path, permissions, expected_sta
deny = {} deny = {}
previous_metadata = cascade_app_client.ds._metadata previous_metadata = cascade_app_client.ds._metadata
updated_metadata = copy.deepcopy(previous_metadata) updated_metadata = copy.deepcopy(previous_metadata)
actor = {"id": "test"}
if "download" in permissions:
actor["can_download"] = 1
try: try:
# Set up the different allow blocks # Set up the different allow blocks
updated_metadata["allow"] = allow if "instance" in permissions else deny updated_metadata["allow"] = allow if "instance" in permissions else deny
@ -462,7 +470,7 @@ def test_permissions_cascade(cascade_app_client, path, permissions, expected_sta
cascade_app_client.ds._metadata = updated_metadata cascade_app_client.ds._metadata = updated_metadata
response = cascade_app_client.get( response = cascade_app_client.get(
path, path,
cookies={"ds_actor": cascade_app_client.actor_cookie({"id": "test"})}, cookies={"ds_actor": cascade_app_client.actor_cookie(actor)},
) )
assert expected_status == response.status assert expected_status == response.status
finally: finally: