Fix actor restrictions to work with new actions system

- Updated restrictions_allow_action() to use datasette.actions instead of datasette.permissions - Changed references from Permission to Action objects - Updated takes_database checks to takes_parent - Added get_action() method to Datasette class for looking up actions by name or abbreviation - Integrated actor restriction checking into allowed() method - Actor restrictions (_r in actor dict) are now properly enforced after SQL permission checks This fixes tests in test_api_write.py where actors with restricted permissions were incorrectly being granted access to actions outside their restrictions. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-10 16:51:24 +01:00 · 2025-10-24 14:35:23 -07:00 · 2025-10-24 14:35:23 -07:00 · e1582c1424
commit e1582c1424
parent dc241e8691
2 changed files with 38 additions and 9 deletions
--- a/datasette/app.py
+++ b/datasette/app.py
@ -547,6 +547,18 @@ class Datasette:
            "No permission found with name or abbreviation {}".format(name_or_abbr)
        )

+    def get_action(self, name_or_abbr: str):
+        """
+        Returns an Action object for the given name or abbreviation. Returns None if not found.
+        """
+        if name_or_abbr in self.actions:
+            return self.actions[name_or_abbr]
+        # Try abbreviation
+        for action in self.actions.values():
+            if action.abbr == name_or_abbr:
+                return action
+        return None
+
    async def refresh_schemas(self):
        if self._refresh_schemas_lock.locked():
            return
@ -1282,6 +1294,23 @@ class Datasette:
            child=resource.child,
        )

+        # Check actor restrictions after SQL permissions
+        # If the SQL check says "yes" but actor has restrictions, verify action is allowed
+        if result and actor and "_r" in actor:
+            from datasette.default_permissions import restrictions_allow_action
+
+            # Convert Resource to old-style format for restrictions check
+            if resource.parent and resource.child:
+                old_style_resource = (resource.parent, resource.child)
+            elif resource.parent:
+                old_style_resource = resource.parent
+            else:
+                old_style_resource = None
+
+            # If restrictions don't allow this action, deny it
+            if not restrictions_allow_action(self, actor["_r"], action, old_style_resource):
+                result = False
+
        # Log the permission check for debugging
        # Convert Resource to old-style format for backward compatibility with debug tools
        if resource.parent and resource.child: