Show padlock on private query page, refs #811

2025-12-10 16:51:24 +01:00 · 2020-06-08 11:13:32 -07:00 · 2020-06-08 11:13:32 -07:00 · 9ac27f67fe
commit 9ac27f67fe
parent aa420009c0
3 changed files with 12 additions and 1 deletions
--- a/datasette/templates/query.html
+++ b/datasette/templates/query.html
@ -28,7 +28,7 @@

 {% block content %}

-<h1 style="padding-left: 10px; border-left: 10px solid #{{ database_color(database) }}">{{ metadata.title or database }}</h1>
+<h1 style="padding-left: 10px; border-left: 10px solid #{{ database_color(database) }}">{{ metadata.title or database }}{% if private %} 🔒{% endif %}</h1>

 {% block description_source_license %}{% include "_description_source_license.html" %}{% endblock %}

--- a/datasette/views/database.py
+++ b/datasette/views/database.py
@ -147,10 +147,14 @@ class QueryView(DataView):
        # Respect canned query permissions
        await self.check_permission(request, "view-instance")
        await self.check_permission(request, "view-database", "database", database)
+        private = False
        if canned_query:
            await self.check_permission(
                request, "view-query", "query", (database, canned_query)
            )
+            private = not await self.ds.permission_allowed(
+                None, "view-query", "query", (database, canned_query), default=True
+            )
        else:
            await self.check_permission(request, "execute-sql", "database", database)
        # Extract any :named parameters
@ -214,6 +218,7 @@ class QueryView(DataView):
                        "truncated": False,
                        "columns": [],
                        "query": {"sql": sql, "params": params},
+                        "private": private,
                    },
                    extra_template,
                    templates,
@ -282,6 +287,7 @@ class QueryView(DataView):
                "truncated": results.truncated,
                "columns": columns,
                "query": {"sql": sql, "params": params},
+                "private": private,
            },
            extra_template,
            templates,
--- a/tests/test_permissions.py
+++ b/tests/test_permissions.py
@ -136,10 +136,15 @@ def test_view_query(allow, expected_anon, expected_auth):
    ) as client:
        anon_response = client.get("/fixtures/q")
        assert expected_anon == anon_response.status
+        if allow and anon_response.status == 200:
+            # Should be no padlock
+            assert ">fixtures 🔒</h1>" not in anon_response.text
        auth_response = client.get(
            "/fixtures/q", cookies={"ds_actor": client.ds.sign({"id": "root"}, "actor")}
        )
        assert expected_auth == auth_response.status
+        if allow and expected_anon == 403 and expected_auth == 200:
+            assert ">fixtures 🔒</h1>" in auth_response.text


 def test_query_list_respects_view_query():