Implemented view-table, refs #811

2025-12-10 16:51:24 +01:00 · 2020-06-07 21:47:22 -07:00 · 2020-06-07 21:47:22 -07:00 · 9397d71834
commit 9397d71834
parent b26292a458
4 changed files with 108 additions and 41 deletions
--- a/datasette/default_permissions.py
+++ b/datasette/default_permissions.py
@ -17,6 +17,14 @@ def permission_allowed(datasette, actor, action, resource_type, resource_identif
        if database_allow is None:
            return True
        return actor_matches_allow(actor, database_allow)
+    elif action == "view-table":
+        assert resource_type == "table"
+        database, table = resource_identifier
+        tables = datasette.metadata("tables", database=database) or {}
+        table_allow = (tables.get(table) or {}).get("allow")
+        if table_allow is None:
+            return True
+        return actor_matches_allow(actor, table_allow)
    elif action == "view-query":
        # Check if this query has a "allow" block in metadata
        assert resource_type == "query"
--- a/datasette/templates/database.html
+++ b/datasette/templates/database.html
@ -36,7 +36,7 @@
 {% for table in tables %}
 {% if show_hidden or not table.hidden %}
 <div class="db-table">
-    <h2><a href="{{ database_url(database) }}/{{ table.name|quote_plus }}">{{ table.name }}</a>{% if table.hidden %}<em> (hidden)</em>{% endif %}</h2>
+    <h2><a href="{{ database_url(database) }}/{{ table.name|quote_plus }}">{{ table.name }}</a>{% if table.private %} 🔒{% endif %}{% if table.hidden %}<em> (hidden)</em>{% endif %}</h2>
    <p><em>{% for column in table.columns[:9] %}{{ column }}{% if not loop.last %}, {% endif %}{% endfor %}{% if table.columns|length > 9 %}...{% endif %}</em></p>
    <p>{% if table.count is none %}Many rows{% else %}{{ "{:,}".format(table.count) }} row{% if table.count == 1 %}{% else %}s{% endif %}{% endif %}</p>
 </div>
--- a/datasette/views/database.py
+++ b/datasette/views/database.py
@ -42,6 +42,21 @@ class DatabaseView(DataView):

        tables = []
        for table in table_counts:
+            allowed = await self.ds.permission_allowed(
+                request.scope.get("actor"),
+                "view-table",
+                resource_type="table",
+                resource_identifier=(database, table),
+                default=True,
+            )
+            if not allowed:
+                continue
+            private = not await self.ds.permission_allowed(
+                None,
+                "view-table",
+                resource_type="table",
+                resource_identifier=(database, table),
+            )
            table_columns = await db.table_columns(table)
            tables.append(
                {
@ -52,6 +67,7 @@ class DatabaseView(DataView):
                    "hidden": table in hidden_table_names,
                    "fts_table": await db.fts_table(table),
                    "foreign_keys": all_foreign_keys[table],
+                    "private": private,
                }
            )