Refactor default_permissions.py to help with implementation of #1636

2025-12-10 16:51:24 +01:00 · 2022-12-08 14:44:27 -08:00 · 2022-12-08 14:44:27 -08:00 · 94be9953c5
commit 94be9953c5
parent 5140f4e815
2 changed files with 109 additions and 35 deletions
--- a/datasette/default_permissions.py
+++ b/datasette/default_permissions.py
@ -9,6 +9,7 @@ import time
@hookimpl(tryfirst=True, specname="permission_allowed")
 def permission_allowed_default(datasette, actor, action, resource):
    async def inner():
+        # id=root gets some special permissions:
        if action in (
            "permissions-debug",
            "debug-menu",
@ -20,7 +21,36 @@ def permission_allowed_default(datasette, actor, action, resource):
        ):
            if actor and actor.get("id") == "root":
                return True
-        elif action == "view-instance":
+
+        # Resolve metadata view permissions
+        if action in (
+            "view-instance",
+            "view-database",
+            "view-table",
+            "view-query",
+            "execute-sql",
+        ):
+            result = await _resolve_metadata_view_permissions(
+                datasette, actor, action, resource
+            )
+            if result is not None:
+                return result
+
+        # Check custom permissions: blocks
+        return await _resolve_metadata_permissions_blocks(
+            datasette, actor, action, resource
+        )
+
+    return inner
+
+
+async def _resolve_metadata_permissions_blocks(datasette, actor, action, resource):
+    # Check custom permissions: blocks - not yet implemented
+    return None
+
+
+async def _resolve_metadata_view_permissions(datasette, actor, action, resource):
+    if action == "view-instance":
        allow = datasette.metadata("allow")
        if allow is not None:
            return actor_matches_allow(actor, allow)
@ -56,8 +86,6 @@ def permission_allowed_default(datasette, actor, action, resource):
            return None
        return actor_matches_allow(actor, database_allow_sql)

-    return inner
-

@hookimpl(specname="permission_allowed")
 def permission_allowed_actor_restrictions(actor, action, resource):
--- a/tests/test_permissions.py
+++ b/tests/test_permissions.py
@ -1,3 +1,4 @@
+import collections
 from datasette.app import Datasette
 from .fixtures import app_client, assert_permissions_checked, make_app_client
 from bs4 import BeautifulSoup as Soup
@ -640,3 +641,48 @@ async def test_actor_restricted_permissions(
        "result": expected_result,
    }
    assert response.json() == expected
+
+
+PermMetadataTestCase = collections.namedtuple(
+    "PermMetadataTestCase",
+    "metadata,actor,action,resource,default,expected_result",
+)
+
+
+@pytest.mark.asyncio
+@pytest.mark.parametrize(
+    "metadata,actor,action,resource,default,expected_result",
+    (
+        # Simple view-instance default=True example
+        PermMetadataTestCase(
+            metadata={},
+            actor=None,
+            action="view-instance",
+            resource=None,
+            default=True,
+            expected_result=True,
+        ),
+        # debug-menu on root
+        PermMetadataTestCase(
+            metadata={"permissions": {"debug-menu": {"id": "user"}}},
+            actor={"id": "user"},
+            action="debug-menu",
+            resource=None,
+            default=False,
+            expected_result=True,
+        ),
+    ),
+)
+async def test_permissions_in_metadata(
+    perms_ds, metadata, actor, action, resource, default, expected_result
+):
+    previous_metadata = perms_ds.metadata()
+    updated_metadata = copy.deepcopy(previous_metadata)
+    updated_metadata.update(metadata)
+    try:
+        result = await perms_ds.permission_allowed(
+            actor, action, resource, default=default
+        )
+        assert result == expected_result
+    finally:
+        perms_ds._metadata_local = previous_metadata