/-/actor.json no longer requires view-instance, closes #1945

2025-12-10 16:51:24 +01:00 · 2022-12-12 20:11:51 -08:00 · 2022-12-12 20:11:51 -08:00 · c6a811237c
commit c6a811237c
parent 3e6a208ba3
3 changed files with 38 additions and 3 deletions
--- a/datasette/app.py
+++ b/datasette/app.py
@ -1262,7 +1262,9 @@ class Datasette:
            r"/-/databases(\.(?P<format>json))?$",
        )
        add_route(
-            JsonDataView.as_view(self, "actor.json", self._actor, needs_request=True),
+            JsonDataView.as_view(
+                self, "actor.json", self._actor, needs_request=True, permission=None
+            ),
            r"/-/actor(\.(?P<format>json))?$",
        )
        add_route(
--- a/datasette/views/special.py
+++ b/datasette/views/special.py
@ -10,15 +10,24 @@ import urllib
 class JsonDataView(BaseView):
    name = "json_data"

-    def __init__(self, datasette, filename, data_callback, needs_request=False):
+    def __init__(
+        self,
+        datasette,
+        filename,
+        data_callback,
+        needs_request=False,
+        permission="view-instance",
+    ):
        self.ds = datasette
        self.filename = filename
        self.data_callback = data_callback
        self.needs_request = needs_request
+        self.permission = permission

    async def get(self, request):
        as_format = request.url_vars["format"]
-        await self.ds.ensure_permissions(request.actor, ["view-instance"])
+        if self.permission:
+            await self.ds.ensure_permissions(request.actor, [self.permission])
        if self.needs_request:
            data = self.data_callback(request)
        else:
--- a/tests/test_permissions.py
+++ b/tests/test_permissions.py
@ -8,6 +8,7 @@ from pprint import pprint
 import pytest_asyncio
 import pytest
 import re
+import time
 import urllib


@ -818,3 +819,26 @@ async def test_permissions_in_metadata(
            assert result == expected_result
    finally:
        perms_ds._metadata_local = previous_metadata
+
+
+@pytest.mark.asyncio
+async def test_actor_endpoint_allows_any_token():
+    ds = Datasette()
+    token = ds.sign(
+        {
+            "a": "root",
+            "token": "dstok",
+            "t": int(time.time()),
+            "_r": {"a": ["debug-menu"]},
+        },
+        namespace="token",
+    )
+    response = await ds.client.get(
+        "/-/actor.json", headers={"Authorization": f"Bearer dstok_{token}"}
+    )
+    assert response.status_code == 200
+    assert response.json()["actor"] == {
+        "id": "root",
+        "token": "dstok",
+        "_r": {"a": ["debug-menu"]},
+    }