github/datasette
1
0
Fork 0
mirror of https://github.com/simonw/datasette.git synced 2025-12-10 16:51:24 +01:00
Code Issues Projects Releases Packages Wiki Activity

Check permissions on canned query page, refs #800

Browse source
This commit is contained in:
Simon Willison 2020-06-06 12:27:00 -07:00
commit 966eec7f75
2 changed files with 17 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

10
datasette/views/database.py
View file

@ -9,7 +9,7 @@ from datasette.utils import (
path_with_added_args,
path_with_removed_args,
)
from datasette.utils.asgi import AsgiFileDownload
from datasette.utils.asgi import AsgiFileDownload, Response
from datasette.plugins import pm
from .base import DatasetteError, DataView
@ -125,6 +125,14 @@ class QueryView(DataView):
params.pop("sql")
if "_shape" in params:
params.pop("_shape")
# Respect canned query permissions
if canned_query:
if not actor_matches_allow(
request.scope.get("actor", None), metadata.get("allow")
):
return Response("Permission denied", status=403)
# Extract any :named parameters
named_parameters = named_parameters or self.re_named_parameter.findall(sql)
named_parameter_values = {