Extra permission rules for /-/create, closes #1937

datasette/views/database.py

@@ -613,6 +613,13 @@ class TableCreateView(BaseView):
         ignore = data.get("ignore")
         replace = data.get("replace")
 
+        if replace:
+            # Must have update-row permission
+            if not await self.ds.permission_allowed(
+                request.actor, "update-row", resource=database_name
+            ):
+                return _error(["Permission denied - need update-row"], 403)
+
         table_name = data.get("table")
         if not table_name:
             return _error(["Table is required"])
@@ -630,6 +637,13 @@ class TableCreateView(BaseView):
         if rows and row:
             return _error(["Cannot specify both rows and row"])
 
+        if rows or row:
+            # Must have insert-row permission
+            if not await self.ds.permission_allowed(
+                request.actor, "insert-row", resource=database_name
+            ):
+                return _error(["Permission denied - need insert-row"], 403)
+
         if columns:
             if rows or row:
                 return _error(["Cannot specify columns with rows or row"])