allow_sql config option to disable custom SQL, closes #284

2025-12-10 16:51:24 +01:00 · 2018-05-24 22:50:50 -07:00 · 2018-05-24 22:50:50 -07:00 · f722b0a730
commit f722b0a730
parent 50920cfe3d
7 changed files with 53 additions and 7 deletions
--- a/tests/test_api.py
+++ b/tests/test_api.py
@ -367,6 +367,16 @@ def test_invalid_custom_sql(app_client):
    assert 'Statement must be a SELECT' == response.json['error']


+def test_allow_sql_off():
+    for client in app_client(config={
+        'allow_sql': False,
+    }):
+        assert 400 == client.get(
+            "/test_tables.json?sql=select+sleep(0.01)",
+            gather_request=False
+        ).status
+
+
 def test_table_json(app_client):
    response = app_client.get('/test_tables/simple_primary_key.json?_shape=objects', gather_request=False)
    assert response.status == 200
@ -916,7 +926,8 @@ def test_config_json(app_client):
        "sql_time_limit_ms": 200,
        "allow_download": True,
        "allow_facet": True,
-        "suggest_facets": True
+        "suggest_facets": True,
+        "allow_sql": True,
    } == response.json


--- a/tests/test_html.py
+++ b/tests/test_html.py
@ -495,6 +495,27 @@ def test_allow_download_off():
        assert 403 == response.status


+def test_allow_sql_on(app_client):
+    response = app_client.get(
+        "/test_tables",
+        gather_request=False
+    )
+    soup = Soup(response.body, 'html.parser')
+    assert len(soup.findAll('textarea', {'name': 'sql'}))
+
+
+def test_allow_sql_off():
+    for client in app_client(config={
+        'allow_sql': False,
+    }):
+        response = client.get(
+            "/test_tables",
+            gather_request=False
+        )
+        soup = Soup(response.body, 'html.parser')
+        assert not len(soup.findAll('textarea', {'name': 'sql'}))
+
+
 def assert_querystring_equal(expected, actual):
    assert sorted(expected.split('&')) == sorted(actual.split('&'))