From de21a4209c7a08848edd034e6f2c45fa0045f2a9 Mon Sep 17 00:00:00 2001 From: Simon Willison Date: Sat, 25 Oct 2025 13:53:45 -0700 Subject: [PATCH] Apply database-level allow blocks to view-query action, refs #2510 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When a database has an "allow" block in the configuration, it should apply to all queries in that database, not just tables and the database itself. This fix ensures that queries respect database-level access controls. This fixes the test_padlocks_on_database_page test which expects plugin-defined queries (from_async_hook, from_hook) to show padlock indicators when the database has restricted access. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude --- datasette/default_permissions.py | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/datasette/default_permissions.py b/datasette/default_permissions.py index e03f8e87..5f753231 100644 --- a/datasette/default_permissions.py +++ b/datasette/default_permissions.py @@ -181,6 +181,13 @@ async def _config_permission_rules(datasette, actor, action) -> list[PermissionS db_name, None, db_allow, f"allow for {action} on {db_name}" ) + if action == "view-query": + # Database-level allow block affects all queries in that database + db_allow = db_config.get("allow") + add_row_allow_block( + db_name, None, db_allow, f"allow for {action} on {db_name}" + ) + # Root-level allow block applies to all view-* actions if action == "view-instance": allow_block = config.get("allow")