Renamed execute-query permission to execute-sql, refs #811

2025-12-10 16:51:24 +01:00 · 2020-06-07 13:20:59 -07:00 · 2020-06-07 13:20:59 -07:00 · a1e801453a
commit a1e801453a
parent 4340845754
3 changed files with 6 additions and 13 deletions
--- a/datasette/views/database.py
+++ b/datasette/views/database.py
@ -134,21 +134,14 @@ class QueryView(DataView):
            params.pop("_shape")

        # Respect canned query permissions
+        await self.check_permission(request, "view-instance")
+        await self.check_permission(request, "view-database", "database", database)
        if canned_query:
-            await self.check_permission(request, "view-instance")
-            await self.check_permission(request, "view-database", "database", database)
            await self.check_permission(
                request, "view-query", "query", (database, canned_query)
            )
-            # TODO: fix this to use that permission check
-            if not actor_matches_allow(
-                request.scope.get("actor", None), metadata.get("allow")
-            ):
-                return Response("Permission denied", status=403)
        else:
-            await self.check_permission(request, "view-instance")
-            await self.check_permission(request, "view-database", "database", database)
-            await self.check_permission(request, "execute-query", "database", database)
+            await self.check_permission(request, "execute-sql", "database", database)
        # Extract any :named parameters
        named_parameters = named_parameters or self.re_named_parameter.findall(sql)
        named_parameter_values = {
--- a/docs/authentication.rst
+++ b/docs/authentication.rst
@ -234,8 +234,8 @@ Actor is allowed to view a :ref:`canned query <canned_queries>` page, e.g. https

 .. _permissions_execute_query:

-execute-query
-------------
+execute-sql
+-----------

 Actor is allowed to run arbitrary SQL queries against a specific database, e.g. https://latest.datasette.io/fixtures?sql=select+100

--- a/tests/test_html.py
+++ b/tests/test_html.py
@ -893,7 +893,7 @@ def test_database_query_permission_checks(app_client):
        [
            "view-instance",
            ("view-database", "database", "fixtures"),
-            ("execute-query", "database", "fixtures"),
+            ("execute-sql", "database", "fixtures"),
        ],
    )