github/datasette
1
0
Fork 0
mirror of https://github.com/simonw/datasette.git synced 2025-12-10 16:51:24 +01:00
Code Issues Projects Releases Packages Wiki Activity

Added permission check to every view, closes #808

Browse source
This commit is contained in:
Simon Willison 2020-06-06 22:30:36 -07:00
commit 86dec9e8ff
13 changed files with 220 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

8
datasette/views/database.py
View file

@ -19,6 +19,7 @@ class DatabaseView(DataView):
name = "database"
async def data(self, request, database, hash, default_labels=False, _size=None):
await self.check_permission(request, "view-database", "database", database)
metadata = (self.ds.metadata("databases") or {}).get(database, {})
self.ds.update_with_inherited_metadata(metadata)
@ -89,6 +90,9 @@ class DatabaseDownload(DataView):
name = "database_download"
async def view_get(self, request, database, hash, correct_hash_present, **kwargs):
await self.check_permission(
request, "view-database-download", "database", database
)
if database not in self.ds.databases:
raise DatasetteError("Invalid database", status=404)
db = self.ds.databases[database]
@ -128,6 +132,10 @@ class QueryView(DataView):
# Respect canned query permissions
if canned_query:
await self.check_permission(
request, "view-query", "query", (database, canned_query)
)
# TODO: fix this to use that permission check
if not actor_matches_allow(
request.scope.get("actor", None), metadata.get("allow")
):