github/datasette
1
0
Fork 0
mirror of https://github.com/simonw/datasette.git synced 2025-12-10 16:51:24 +01:00
Code Issues Projects Releases Packages Wiki Activity

/-/actor.json no longer requires view-instance, closes #1945

Browse source
This commit is contained in:
Simon Willison 2022-12-12 20:11:51 -08:00
commit c6a811237c
3 changed files with 38 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

4
datasette/app.py
View file

@ -1262,7 +1262,9 @@ class Datasette:
r"/-/databases(\.(?P<format>json))?$", r"/-/databases(\.(?P<format>json))?$",
) )
add_route( add_route(
JsonDataView.as_view(self, "actor.json", self._actor, needs_request=True), JsonDataView.as_view(
self, "actor.json", self._actor, needs_request=True, permission=None
),
r"/-/actor(\.(?P<format>json))?$", r"/-/actor(\.(?P<format>json))?$",
) )
add_route( add_route(

13
datasette/views/special.py
View file

@ -10,15 +10,24 @@ import urllib
class JsonDataView(BaseView): class JsonDataView(BaseView):
name = "json_data" name = "json_data"
def __init__(self, datasette, filename, data_callback, needs_request=False): def __init__(
self,
datasette,
filename,
data_callback,
needs_request=False,
permission="view-instance",
):
self.ds = datasette self.ds = datasette
self.filename = filename self.filename = filename
self.data_callback = data_callback self.data_callback = data_callback
self.needs_request = needs_request self.needs_request = needs_request
self.permission = permission
async def get(self, request): async def get(self, request):
as_format = request.url_vars["format"] as_format = request.url_vars["format"]
await self.ds.ensure_permissions(request.actor, ["view-instance"]) if self.permission:
await self.ds.ensure_permissions(request.actor, [self.permission])
if self.needs_request: if self.needs_request:
data = self.data_callback(request) data = self.data_callback(request)
else: else:

24
tests/test_permissions.py
View file

@ -8,6 +8,7 @@ from pprint import pprint
import pytest_asyncio import pytest_asyncio
import pytest import pytest
import re import re
import time
import urllib import urllib
@ -818,3 +819,26 @@ async def test_permissions_in_metadata(
assert result == expected_result assert result == expected_result
finally: finally:
perms_ds._metadata_local = previous_metadata perms_ds._metadata_local = previous_metadata
@pytest.mark.asyncio
async def test_actor_endpoint_allows_any_token():
ds = Datasette()
token = ds.sign(
{
"a": "root",
"token": "dstok",
"t": int(time.time()),
"_r": {"a": ["debug-menu"]},
},
namespace="token",
)
response = await ds.client.get(
"/-/actor.json", headers={"Authorization": f"Bearer dstok_{token}"}
)
assert response.status_code == 200
assert response.json()["actor"] == {
"id": "root",
"token": "dstok",
"_r": {"a": ["debug-menu"]},
}