Don't allow canned write queries on immutable DBs, closes #1728

2025-12-10 16:51:24 +01:00 · 2022-08-14 09:34:31 -07:00 · 2022-08-14 09:34:31 -07:00 · c1396bf860
commit c1396bf860
parent 1563c22a8c
3 changed files with 49 additions and 1 deletions
--- a/datasette/templates/query.html
+++ b/datasette/templates/query.html
@ -28,6 +28,10 @@

 {% block content %}

+{% if canned_write and db_is_immutable %}
+    <p class="message-error">This query cannot be executed because the database is immutable.</p>
+{% endif %}
+
 <h1 style="padding-left: 10px; border-left: 10px solid #{{ database_color(database) }}">{{ metadata.title or database }}{% if canned_query and not metadata.title %}: {{ canned_query }}{% endif %}{% if private %} 🔒{% endif %}</h1>

 {% block description_source_license %}{% include "_description_source_license.html" %}{% endblock %}
@ -61,7 +65,7 @@
    <p>
        {% if not hide_sql %}<button id="sql-format" type="button" hidden>Format SQL</button>{% endif %}
        {% if canned_write %}<input type="hidden" name="csrftoken" value="{{ csrftoken() }}">{% endif %}
-        <input type="submit" value="Run SQL">
+        <input type="submit" value="Run SQL"{% if canned_write and db_is_immutable %} disabled{% endif %}>
        {{ show_hide_hidden }}
        {% if canned_query and edit_sql_url %}<a href="{{ edit_sql_url }}" class="canned-query-edit-sql">Edit SQL</a>{% endif %}
    </p>
--- a/datasette/views/database.py
+++ b/datasette/views/database.py
@ -273,6 +273,9 @@ class QueryView(DataView):
        # Execute query - as write or as read
        if write:
            if request.method == "POST":
+                # If database is immutable, return an error
+                if not db.is_mutable:
+                    raise Forbidden("Database is immutable")
                body = await request.post_body()
                body = body.decode("utf-8").strip()
                if body.startswith("{") and body.endswith("}"):
@ -326,6 +329,7 @@ class QueryView(DataView):
                async def extra_template():
                    return {
                        "request": request,
+                        "db_is_immutable": not db.is_mutable,
                        "path_with_added_args": path_with_added_args,
                        "path_with_removed_args": path_with_removed_args,
                        "named_parameter_values": named_parameter_values,