remote/datasette
1
0
Fork 0
mirror of https://github.com/simonw/datasette.git synced 2026-06-15 05:26:59 +02:00
Code Issues Projects Releases Packages Wiki Activity

Enforce query ownership and remove canned query hook

Browse source 
Refs #2735
This commit is contained in:
Simon Willison 2026-05-24 22:58:50 -07:00
commit 040e42ddca
11 changed files with 182 additions and 99 deletions
Download patch file Download diff file Expand all files Collapse all files

12
datasette/views/database.py
View file

@ -945,6 +945,18 @@ class QueryView(View):
# That should not have happened
raise DatasetteError("Unexpected table found on POST", status=404)
if not await datasette.allowed(
action="view-query",
resource=QueryResource(database=db.name, query=canned_query["name"]),
actor=request.actor,
):
raise Forbidden("You do not have permission to view this query")
if canned_query.get("write") and canned_query.get("source") == "user":
await datasette.ensure_query_write_permissions(
db.name, canned_query["sql"], actor=request.actor
)
# If database is immutable, return an error
if not db.is_mutable:
raise Forbidden("Database is immutable")