Renamed execute-query permission to execute-sql, refs #811

simonw · Jun 7, 2020 · a1e8014 · a1e8014
1 parent 4340845
commit a1e8014
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 13 deletions.
diff --git a/datasette/views/database.py b/datasette/views/database.py
@@ -134,21 +134,14 @@ async def data(
             params.pop("_shape")
 
         # Respect canned query permissions
+        await self.check_permission(request, "view-instance")
+        await self.check_permission(request, "view-database", "database", database)
         if canned_query:
-            await self.check_permission(request, "view-instance")
-            await self.check_permission(request, "view-database", "database", database)
             await self.check_permission(
                 request, "view-query", "query", (database, canned_query)
             )
-            # TODO: fix this to use that permission check
-            if not actor_matches_allow(
-                request.scope.get("actor", None), metadata.get("allow")
-            ):
-                return Response("Permission denied", status=403)
         else:
-            await self.check_permission(request, "view-instance")
-            await self.check_permission(request, "view-database", "database", database)
-            await self.check_permission(request, "execute-query", "database", database)
+            await self.check_permission(request, "execute-sql", "database", database)
         # Extract any :named parameters
         named_parameters = named_parameters or self.re_named_parameter.findall(sql)
         named_parameter_values = {

diff --git a/docs/authentication.rst b/docs/authentication.rst
@@ -234,8 +234,8 @@ Actor is allowed to view a :ref:`canned query <canned_queries>` page, e.g. https
 
 .. _permissions_execute_query:
 
-execute-query
--------------
+execute-sql
+-----------
 
 Actor is allowed to run arbitrary SQL queries against a specific database, e.g. https://latest.datasette.io/fixtures?sql=select+100
 

diff --git a/tests/test_html.py b/tests/test_html.py
@@ -893,7 +893,7 @@ def test_database_query_permission_checks(app_client):
         [
             "view-instance",
             ("view-database", "database", "fixtures"),
-            ("execute-query", "database", "fixtures"),
+            ("execute-sql", "database", "fixtures"),
         ],
     )