Apply database-level allow blocks to view-query action, refs #2510

When a database has an "allow" block in the configuration, it should apply to all queries in that database, not just tables and the database itself. This fix ensures that queries respect database-level access controls. This fixes the test_padlocks_on_database_page test which expects plugin-defined queries (from_async_hook, from_hook) to show padlock indicators when the database has restricted access. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-10 16:51:24 +01:00 · 2025-10-25 13:53:45 -07:00 · 2025-10-25 13:53:45 -07:00 · de21a4209c
commit de21a4209c
parent d300200ba5
1 changed files with 7 additions and 0 deletions
--- a/datasette/default_permissions.py
+++ b/datasette/default_permissions.py
@ -181,6 +181,13 @@ async def _config_permission_rules(datasette, actor, action) -> list[PermissionS
                db_name, None, db_allow, f"allow for {action} on {db_name}"
            )

+        if action == "view-query":
+            # Database-level allow block affects all queries in that database
+            db_allow = db_config.get("allow")
+            add_row_allow_block(
+                db_name, None, db_allow, f"allow for {action} on {db_name}"
+            )
+
    # Root-level allow block applies to all view-* actions
    if action == "view-instance":
        allow_block = config.get("allow")