github/datasette
1
0
Fork 0
mirror of https://github.com/simonw/datasette.git synced 2025-12-10 16:51:24 +01:00
Code Issues Projects Releases Packages Wiki Activity

Renamed execute-query permission to execute-sql, refs #811

Browse source
This commit is contained in:
Simon Willison 2020-06-07 13:20:59 -07:00
commit a1e801453a
3 changed files with 6 additions and 13 deletions
Download patch file Download diff file Expand all files Collapse all files

13
datasette/views/database.py
View file

@ -134,21 +134,14 @@ class QueryView(DataView):
params.pop("_shape")
# Respect canned query permissions
await self.check_permission(request, "view-instance")
await self.check_permission(request, "view-database", "database", database)
if canned_query:
await self.check_permission(request, "view-instance")
await self.check_permission(request, "view-database", "database", database)
await self.check_permission(
request, "view-query", "query", (database, canned_query)
)
# TODO: fix this to use that permission check
if not actor_matches_allow(
request.scope.get("actor", None), metadata.get("allow")
):
return Response("Permission denied", status=403)
else:
await self.check_permission(request, "view-instance")
await self.check_permission(request, "view-database", "database", database)
await self.check_permission(request, "execute-query", "database", database)
await self.check_permission(request, "execute-sql", "database", database)
# Extract any :named parameters
named_parameters = named_parameters or self.re_named_parameter.findall(sql)
named_parameter_values = {