Check permissions on canned query page, refs #800
simonw committed Jun 6, 2020
1 parent 070838b commit 966eec7
Showing 2 changed files with 17 additions and 1 deletion.
10 changes: 9 additions & 1 deletion datasette/views/database.py
@@ -9,7 +9,7 @@
path_with_added_args,
path_with_removed_args,
)
from datasette.utils.asgi import AsgiFileDownload
from datasette.utils.asgi import AsgiFileDownload, Response
from datasette.plugins import pm

from .base import DatasetteError, DataView
@@ -125,6 +125,14 @@ async def data(
params.pop("sql")
if "_shape" in params:
params.pop("_shape")

# Respect canned query permissions
if canned_query:
if not actor_matches_allow(
request.scope.get("actor", None), metadata.get("allow")
):
return Response("Permission denied", status=403)

# Extract any :named parameters
named_parameters = named_parameters or self.re_named_parameter.findall(sql)
named_parameter_values = {
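Review bot: The new check in `data()` passes `metadata.get("allow")` straight to `actor_matches_allow`, so what happens when a canned query has no `allow` block is decided entirely inside that helper and nothing at the call site says which way it goes. The accompanying test expects an anonymous 200 for `/data/update_name`, which suggests a missing `allow` means open access; if so, a misspelled or misplaced `allow` key on a write query leaves it unprotected without any error. I would state that at the call site, e.g. `# No "allow" block means anyone may run this query; only an explicit block restricts it`, and confirm that `metadata` can never be `None` when `canned_query` is set, since `.get` would then raise instead of returning the 403. The signature of `data()` and the import of `actor_matches_allow` are outside the hunk, so both are assumptions to verify.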
8 changes: 8 additions & 0 deletions tests/test_canned_write.py
@@ -128,3 +128,11 @@ def test_canned_query_permissions_on_database_page(canned_write_client):
{"name": q["name"], "requires_auth": q["requires_auth"]}
for q in response.json["queries"]
]


def test_canned_query_permissions(canned_write_client):
assert 403 == canned_write_client.get("/data/delete_name").status
assert 200 == canned_write_client.get("/data/update_name").status
cookies = {"ds_actor": canned_write_client.ds.sign({"id": "root"}, "actor")}
assert 200 == canned_write_client.get("/data/delete_name", cookies=cookies).status
assert 200 == canned_write_client.get("/data/update_name", cookies=cookies).status
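Review bot: `test_canned_query_permissions` asserts the denial only for an anonymous GET of `/data/delete_name`, so the two cases that matter most for a write query are not pinned: an anonymous POST, and a signed-in actor who is not on the allow list. The second can be written with what the test already uses, `cookies = {"ds_actor": canned_write_client.ds.sign({"id": "someone-else"}, "actor")}` followed by `assert 403 == canned_write_client.get("/data/delete_name", cookies=cookies).status`. For the POST case the client's post helper and the fixture's allow block are outside this hunk, so the exact call and the assumption that only `root` is allowed need checking against the fixture.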
