default_allow_sql setting, closes #1409

Refs #1410
2025-12-10 16:51:24 +01:00 · 2023-01-04 16:51:11 -08:00 · 2023-01-04 16:51:11 -08:00 · c41278b46f
commit c41278b46f
parent adfcec51d6
8 changed files with 61 additions and 4 deletions
--- a/datasette/app.py
+++ b/datasette/app.py
@ -141,6 +141,11 @@ SETTINGS = (
        True,
        "Allow users to create and use signed API tokens",
    ),
+    Setting(
+        "default_allow_sql",
+        True,
+        "Allow anyone to run arbitrary SQL queries",
+    ),
    Setting(
        "max_signed_tokens_ttl",
        0,
--- a/datasette/default_permissions.py
+++ b/datasette/default_permissions.py
@ -69,9 +69,15 @@ def permission_allowed_default(datasette, actor, action, resource):
                return result

        # Check custom permissions: blocks
-        return await _resolve_metadata_permissions_blocks(
+        result = await _resolve_metadata_permissions_blocks(
            datasette, actor, action, resource
        )
+        if result is not None:
+            return result
+
+        # --setting default_allow_sql
+        if action == "execute-sql" and not datasette.setting("default_allow_sql"):
+            return False

    return inner