From fe5b6ea95a973534fe8a44907c0ea2449aae7602 Mon Sep 17 00:00:00 2001
From: Simon Willison <swillison@gmail.com>
Date: Sun, 5 Aug 2018 20:17:17 -0700
Subject: [PATCH] Hide 'view and edit SQL' if config.allow_sql turned off

---
 datasette/templates/table.html | 2 +-
 tests/test_html.py             | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/datasette/templates/table.html b/datasette/templates/table.html
index 27cc1467..a768a9fc 100644
--- a/datasette/templates/table.html
+++ b/datasette/templates/table.html
@@ -88,7 +88,7 @@
     </div>
 </form>
 
-{% if query.sql %}
+{% if query.sql and config.allow_sql %}
     <p><a class="not-underlined" title="{{ query.sql }}" href="/{{ database }}-{{ database_hash }}?{{ {'sql': query.sql}|urlencode|safe }}{% if query.params %}&amp;{{ query.params|urlencode|safe }}{% endif %}">&#x270e; <span class="underlined">View and edit SQL</span></a></p>
 {% endif %}
 
diff --git a/tests/test_html.py b/tests/test_html.py
index c3cf78b6..4a792b62 100644
--- a/tests/test_html.py
+++ b/tests/test_html.py
@@ -713,6 +713,10 @@ def test_allow_sql_on(app_client):
     )
     soup = Soup(response.body, 'html.parser')
     assert len(soup.findAll('textarea', {'name': 'sql'}))
+    response = app_client.get(
+        "/fixtures/sortable"
+    )
+    assert b"View and edit SQL" in response.body
 
 
 def test_allow_sql_off():
@@ -724,6 +728,11 @@ def test_allow_sql_off():
         )
         soup = Soup(response.body, 'html.parser')
         assert not len(soup.findAll('textarea', {'name': 'sql'}))
+        # The table page should no longer show "View and edit SQL"
+        response = client.get(
+            "/fixtures/sortable"
+        )
+        assert b"View and edit SQL" not in response.body
 
 
 def assert_querystring_equal(expected, actual):