Cascading view permissions, closes #832

- If you have table permission but not database permission you can now view the table page - New BaseView.check_permissions() method
2025-12-10 16:51:24 +01:00 · 2020-06-30 16:40:50 -07:00 · 2020-06-30 16:40:50 -07:00 · d6e03b0430
commit d6e03b0430
parent ab76eddf31
5 changed files with 108 additions and 12 deletions
--- a/datasette/views/base.py
+++ b/datasette/views/base.py
@ -69,6 +69,29 @@ class BaseView:
        if not ok:
            raise Forbidden(action)

+    async def check_permissions(self, request, permissions):
+        "permissions is a list of (action, resource) tuples or 'action' strings"
+        for permission in permissions:
+            if isinstance(permission, str):
+                action = permission
+                resource = None
+            elif isinstance(permission, (tuple, list)) and len(permission) == 2:
+                action, resource = permission
+            else:
+                assert (
+                    False
+                ), "permission should be string or tuple of two items: {}".format(
+                    repr(permission)
+                )
+            ok = await self.ds.permission_allowed(
+                request.actor, action, resource=resource, default=None,
+            )
+            if ok is not None:
+                if ok:
+                    return
+                else:
+                    raise Forbidden(action)
+
    def database_url(self, database):
        db = self.ds.databases[database]
        base_url = self.ds.config("base_url")