Fix _extra=private for arbitrary SQL query pages

QueryView hardcoded private=False unless the request was for a stored query, so /db/-/query.json?_extra=private reported false even when execute-sql was restricted to the authenticated actor. Use check_visibility() like the table and row views do. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-11 19:46:58 +02:00 · 2026-06-10 22:45:13 -07:00 · 2026-06-10 22:45:13 -07:00 · ab62ec96d1
commit ab62ec96d1
parent df8a61450b
2 changed files with 27 additions and 2 deletions
--- a/datasette/views/database.py
+++ b/datasette/views/database.py
@ -612,11 +612,13 @@ class QueryView(View):
                )

        else:
-            await datasette.ensure_permission(
+            visible, private = await datasette.check_visibility(
+                request.actor,
                action="execute-sql",
                resource=DatabaseResource(database=database),
-                actor=request.actor,
            )
+            if not visible:
+                raise Forbidden("execute-sql")

        # Flattened because of ?sql=&name1=value1&name2=value2 feature
        params = {key: request.args.get(key) for key in request.args}
--- a/tests/test_table_api.py
+++ b/tests/test_table_api.py
@ -117,6 +117,29 @@ async def test_query_extras_for_stored_query(ds_client):
    }


+def test_query_extra_private_for_arbitrary_sql():
+    with make_app_client(config={"allow_sql": {"id": "root"}}) as client:
+        cookies = {"ds_actor": client.actor_cookie({"id": "root"})}
+        response = client.get(
+            "/fixtures/-/query.json?sql=select+1+as+one&_extra=private",
+            cookies=cookies,
+        )
+        assert response.status == 200
+        assert response.json["private"] is True
+        # Anonymous users cannot execute SQL at all here
+        anon = client.get("/fixtures/-/query.json?sql=select+1+as+one")
+        assert anon.status == 403
+
+
+def test_query_extra_private_false_when_sql_is_public():
+    with make_app_client() as client:
+        response = client.get(
+            "/fixtures/-/query.json?sql=select+1+as+one&_extra=private"
+        )
+        assert response.status == 200
+        assert response.json["private"] is False
+
+
@pytest.mark.asyncio
 async def test_table_shape_objects(ds_client):
    response = await ds_client.get("/fixtures/simple_primary_key.json?_shape=objects")