mirror of
https://github.com/simonw/datasette.git
synced 2025-12-10 16:51:24 +01:00
Simon Willison
parent
adfcec51d6
commit
c41278b46f
8 changed files with 61 additions and 4 deletions
|
|
@ -313,7 +313,13 @@ To limit access to the ``add_name`` canned query in your ``dogs.db`` database to
|
|||
Controlling the ability to execute arbitrary SQL
|
||||
------------------------------------------------
|
||||
|
||||
The ``"allow_sql"`` block can be used to control who is allowed to execute arbitrary SQL queries, both using the form on the database page e.g. https://latest.datasette.io/fixtures or by appending a ``?_where=`` parameter to the table page as seen on https://latest.datasette.io/fixtures/facetable?_where=city_id=1.
|
||||
Datasette defaults to allowing any site visitor to execute their own custom SQL queries, for example using the form on `the database page <https://latest.datasette.io/fixtures>`__ or by appending a ``?_where=`` parameter to the table page `like this <https://latest.datasette.io/fixtures/facetable?_where=_city_id=1>`__.
|
||||
|
||||
Access to this ability is controlled by the :ref:`permissions_execute_sql` permission.
|
||||
|
||||
The easiest way to disable arbitrary SQL queries is using the :ref:`default_allow_sql setting <setting_default_allow_sql>` when you first start Datasette running.
|
||||
|
||||
You can alternatively use the ``"allow_sql"`` to control who is allowed to execute arbitrary SQL queries.
|
||||
|
||||
To enable just the :ref:`root user<authentication_root>` to execute SQL for all databases in your instance, use the following:
|
||||
|
||||
|
|
@ -770,7 +776,7 @@ Actor is allowed to run arbitrary SQL queries against a specific database, e.g.
|
|||
``resource`` - string
|
||||
The name of the database
|
||||
|
||||
Default *allow*.
|
||||
Default *allow*. See also :ref:`the default_allow_sql setting <setting_default_allow_sql>`.
|
||||
|
||||
.. _permissions_permissions_debug:
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue