
/-/metadata and so on should respect view-instance permission #833

Closed
simonw opened this issue Jun 11, 2020 · 4 comments

Comments

@simonw
Owner

simonw commented Jun 11, 2020

The only URLs that should be available without authentication at all times are the /-/static/ prefix, to allow for HTTP caching.

@simonw
Owner Author

simonw commented Jun 11, 2020

A live demo running the datasette-auth-github plugin will help demonstrate this.

@simonw
Owner Author

simonw commented Jun 11, 2020

I'm tempted to add a view-instance check before routing any URLs, but that wouldn't be compatible with the idea in #832 that having view-table should be enough to view a table even if you don't pass view-instance.

@simonw
Owner Author

simonw commented Jun 11, 2020

I'll add a new test in test_permissions.py which locks down an instance and then loops through paths as the anonymous user making sure they aren't accessible.

@simonw
Owner Author

simonw commented Jun 11, 2020

```python
import pytest

# view_instance_client is assumed to be a fixture provided elsewhere in the
# test suite (a client for an instance locked down with view-instance, used
# here as the anonymous user); it is not defined in this snippet.


@pytest.mark.parametrize(
    "path",
    [
        "/",
        "/fixtures",
        "/fixtures/facetable",
        "/-/metadata",
        "/-/versions",
        "/-/plugins",
        "/-/config",
        "/-/threads",
        "/-/databases",
        "/-/actor",
        "/-/permissions",
        "/-/messages",
        "/-/patterns",
    ],
)
def test_view_instance(path, view_instance_client):
    # Every listed path must be denied to the anonymous user.
    assert 403 == view_instance_client.get(path).status
    # These three pages have no .json variant, so only the HTML form is checked.
    if path not in ("/-/permissions", "/-/messages", "/-/patterns"):
        assert 403 == view_instance_client.get(path + ".json").status
```
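The permission rules discussed in this thread, as an added, self-contained model (not Datasette's own code and not the author's implementation): the only always-public prefix is `/-/static/`, `view-instance` unlocks everything, and, following the #832 idea, a `view-table` grant is enough for that table's page even without `view-instance`; every other path on a locked-down instance returns 403. The `Actor`, `table_from_path`, `status_for` and `sweep` names, the tuple-based permission set and the `LOCKED_PATHS` list are assumptions made for the example; `sweep` mirrors the loop in the test above but probes the `.json` form of every path, since the gate runs before routing.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Hypothetical model of a locked-down instance; not Datasette's real permission API.
STATIC_PREFIX = "/-/static/"

# The paths exercised by the test in this issue (constructed list for the example).
LOCKED_PATHS = [
    "/", "/fixtures", "/fixtures/facetable",
    "/-/metadata", "/-/versions", "/-/plugins", "/-/config", "/-/threads",
    "/-/databases", "/-/actor", "/-/permissions", "/-/messages", "/-/patterns",
]


@dataclass
class Actor:
    """A signed-in user. Anonymous requests carry no Actor at all (None)."""
    id: str
    # Permissions are either a bare action ("view-instance") or an action
    # bound to a resource: ("view-table", "<database>", "<table>").
    permissions: set = field(default_factory=set)


def table_from_path(path: str) -> Optional[Tuple[str, str]]:
    """Return (database, table) for /db/table or /db/table.json, else None.

    The reserved "-" database (used by /-/metadata and friends) is never a table.
    """
    parts = path.strip("/").split("/")
    if len(parts) != 2 or parts[0] == "-" or not all(parts):
        return None
    db, table = parts
    if table.endswith(".json"):
        table = table[: -len(".json")]
    return db, table


def allowed(actor: Optional[Actor], path: str) -> bool:
    """Decide access before any routing happens.

    Order matters: the static prefix is public so responses stay HTTP-cacheable;
    view-instance is the blanket grant; a table-specific grant is the narrow
    exception that keeps #832 working when view-instance is denied.
    """
    if path.startswith(STATIC_PREFIX):
        return True
    perms = set() if actor is None else actor.permissions
    if "view-instance" in perms:
        return True
    target = table_from_path(path)
    if target is not None and (("view-table",) + target) in perms:
        return True
    return False


def status_for(actor: Optional[Actor], path: str) -> int:
    """HTTP status the gate would produce: 200 to continue routing, 403 to deny."""
    return 200 if allowed(actor, path) else 403


def sweep(actor: Optional[Actor], paths) -> dict:
    """Probe every path in both HTML and .json form, like the parametrized test."""
    results = {}
    for p in paths:
        results[p] = status_for(actor, p)
        results[p + ".json"] = status_for(actor, p + ".json")
    return results


if __name__ == "__main__":
    anonymous = None
    table_only = Actor("bob", {("view-table", "fixtures", "facetable")})
    admin = Actor("root", {"view-instance"})
    for who, actor in (("anonymous", anonymous), ("table-only", table_only), ("admin", admin)):
        denied = sorted(p for p, s in sweep(actor, LOCKED_PATHS).items() if s == 403)
        print(f"{who}: {len(denied)} paths denied")
```

Running the module shows the anonymous user denied on every listed path, the table-only actor allowed only on `/fixtures/facetable` and its `.json` form, and the `view-instance` actor allowed everywhere; a request for `/-/static/app.css` is allowed in all three cases without consulting the actor.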

simonw added a commit that referenced this issue Jun 12, 2020