Test that view-query is respected by query list, refs #811

datasette/templates/database.html

@@ -60,7 +60,7 @@
     <h2 id="queries">Queries</h2>
     <ul>
         {% for query in queries %}
-            <li><a href="{{ database_url(database) }}/{{ query.name|urlencode }}{% if query.fragment %}#{{ query.fragment }}{% endif %}" title="{{ query.description or query.sql }}">{{ query.title or query.name }}</a> {% if query.private %} 🔒{% endif %}</li>
+            <li><a href="{{ database_url(database) }}/{{ query.name|urlencode }}{% if query.fragment %}#{{ query.fragment }}{% endif %}" title="{{ query.description or query.sql }}">{{ query.title or query.name }}</a>{% if query.private %} 🔒{% endif %}</li>
         {% endfor %}
     </ul>
 {% endif %}

tests/test_permissions.py

@@ -22,6 +22,26 @@ def test_view_query(allow, expected_anon, expected_auth):
         assert expected_auth == auth_response.status
 
 
+def test_query_list_respects_view_query():
+    with make_app_client(
+        metadata={
+            "databases": {
+                "fixtures": {
+                    "queries": {"q": {"sql": "select 1 + 1", "allow": {"id": "root"}}}
+                }
+            }
+        }
+    ) as client:
+        html_fragment = '<li><a href="/fixtures/q" title="select 1 + 1">q</a> 🔒</li>'
+        anon_response = client.get("/fixtures")
+        assert html_fragment not in anon_response.text
+        assert '"/fixtures/q"' not in anon_response.text
+        auth_response = client.get(
+            "/fixtures", cookies={"ds_actor": client.ds.sign({"id": "root"}, "actor")}
+        )
+        assert html_fragment in auth_response.text
+
+
 @pytest.mark.parametrize(
     "allow,expected_anon,expected_auth",
     [(None, 200, 200), ({}, 403, 403), ({"id": "root"}, 403, 200),],