github/datasette
1
0
Fork 0
mirror of https://github.com/simonw/datasette.git synced 2025-12-10 16:51:24 +01:00
Code Issues Projects Releases Packages Wiki Activity

/-/permissions?filter=exclude-yours/only-yours - closes #2460

Browse source
This commit is contained in:
Simon Willison 2025-02-04 11:09:44 -08:00
commit f57977a08f
3 changed files with 71 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

6
datasette/templates/permissions_debug.html
View file

@ -112,6 +112,12 @@ debugPost.addEventListener('submit', function(ev) {
<h1>Recent permissions checks</h1> <h1>Recent permissions checks</h1>
<p>
{% if filter != "all" %}<a href="?filter=all">All</a>{% else %}<strong>All</strong>{% endif %},
{% if filter != "exclude-yours" %}<a href="?filter=exclude-yours">Exclude yours</a>{% else %}<strong>Exclude yours</strong>{% endif %},
{% if filter != "only-yours" %}<a href="?filter=only-yours">Only yours</a>{% else %}<strong>Only yours</strong>{% endif %}
</p>
{% for check in permission_checks %} {% for check in permission_checks %}
<div class="check"> <div class="check">
<h2> <h2>

17
datasette/views/special.py
View file

@ -121,12 +121,27 @@ class PermissionsDebugView(BaseView):
await self.ds.ensure_permissions(request.actor, ["view-instance"]) await self.ds.ensure_permissions(request.actor, ["view-instance"])
if not await self.ds.permission_allowed(request.actor, "permissions-debug"): if not await self.ds.permission_allowed(request.actor, "permissions-debug"):
raise Forbidden("Permission denied") raise Forbidden("Permission denied")
filter_ = request.args.get("filter") or "all"
permission_checks = list(reversed(self.ds._permission_checks))
if filter_ == "exclude-yours":
permission_checks = [
check
for check in permission_checks
if (check["actor"] or {}).get("id") != request.actor["id"]
]
elif filter_ == "only-yours":
permission_checks = [
check
for check in permission_checks
if (check["actor"] or {}).get("id") == request.actor["id"]
]
return await self.render( return await self.render(
["permissions_debug.html"], ["permissions_debug.html"],
request, request,
# list() avoids error if check is performed during template render: # list() avoids error if check is performed during template render:
{ {
"permission_checks": list(reversed(self.ds._permission_checks)), "permission_checks": permission_checks,
"filter": filter_,
"permissions": [ "permissions": [
{ {
"name": p.name, "name": p.name,

58
tests/test_permissions.py
View file

@ -371,12 +371,15 @@ def test_permissions_checked(app_client, path, permissions):
@pytest.mark.asyncio @pytest.mark.asyncio
async def test_permissions_debug(ds_client): @pytest.mark.parametrize("filter_", ("all", "exclude-yours", "only-yours"))
async def test_permissions_debug(ds_client, filter_):
ds_client.ds._permission_checks.clear() ds_client.ds._permission_checks.clear()
assert (await ds_client.get("/-/permissions")).status_code == 403 assert (await ds_client.get("/-/permissions")).status_code == 403
# With the cookie it should work # With the cookie it should work
cookie = ds_client.actor_cookie({"id": "root"}) cookie = ds_client.actor_cookie({"id": "root"})
response = await ds_client.get("/-/permissions", cookies={"ds_actor": cookie}) response = await ds_client.get(
f"/-/permissions?filter={filter_}", cookies={"ds_actor": cookie}
)
assert response.status_code == 200 assert response.status_code == 200
# Should have a select box listing permissions # Should have a select box listing permissions
for fragment in ( for fragment in (
@ -398,17 +401,54 @@ async def test_permissions_debug(ds_client):
else bool(div.select(".check-result-true")) else bool(div.select(".check-result-true"))
), ),
"used_default": bool(div.select(".check-used-default")), "used_default": bool(div.select(".check-used-default")),
"actor": json.loads(
div.find(
"strong", string=lambda text: text and "Actor" in text
).parent.text.split(": ", 1)[1]
),
} }
for div in check_divs for div in check_divs
] ]
assert checks == [ expected_checks = [
{"action": "permissions-debug", "result": True, "used_default": False}, {
{"action": "view-instance", "result": None, "used_default": True}, "action": "permissions-debug",
{"action": "debug-menu", "result": False, "used_default": True}, "result": True,
{"action": "view-instance", "result": True, "used_default": True}, "used_default": False,
{"action": "permissions-debug", "result": False, "used_default": True}, "actor": {"id": "root"},
{"action": "view-instance", "result": None, "used_default": True}, },
{
"action": "view-instance",
"result": None,
"used_default": True,
"actor": {"id": "root"},
},
{"action": "debug-menu", "result": False, "used_default": True, "actor": None},
{
"action": "view-instance",
"result": True,
"used_default": True,
"actor": None,
},
{
"action": "permissions-debug",
"result": False,
"used_default": True,
"actor": None,
},
{
"action": "view-instance",
"result": None,
"used_default": True,
"actor": None,
},
] ]
if filter_ == "only-yours":
expected_checks = [
check for check in expected_checks if check["actor"] is not None
]
elif filter_ == "exclude-yours":
expected_checks = [check for check in expected_checks if check["actor"] is None]
assert checks == expected_checks
@pytest.mark.asyncio @pytest.mark.asyncio