View list respects view-table permission, refs #811

Also makes a small change to the /fixtures.json JSON: "views": ["view_name"] Is now: "views": [{"name": "view_name", "private": true}]
simonw · Jun 8, 2020 · dcec892 · dcec892
1 parent 9ac27f6
commit dcec892
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 7 deletions.
diff --git a/datasette/templates/database.html b/datasette/templates/database.html
@@ -51,7 +51,7 @@ <h2><a href="{{ database_url(database) }}/{{ table.name|quote_plus }}">{{ table.
     <h2 id="views">Views</h2>
     <ul>
         {% for view in views %}
-            <li><a href="{{ database_url(database) }}/{{ view|urlencode }}">{{ view }}</a></li>
+            <li><a href="{{ database_url(database) }}/{{ view.name|urlencode }}">{{ view.name }}</a>{% if view.private %} 🔒{% endif %}</li>
         {% endfor %}
     </ul>
 {% endif %}

diff --git a/datasette/views/database.py b/datasette/views/database.py
@@ -37,10 +37,19 @@ async def data(self, request, database, hash, default_labels=False, _size=None):
         db = self.ds.databases[database]
 
         table_counts = await db.table_counts(5)
-        views = await db.view_names()
         hidden_table_names = set(await db.hidden_table_names())
         all_foreign_keys = await db.get_all_foreign_keys()
 
+        views = []
+        for view_name in await db.view_names():
+            visible, private = await check_visibility(
+                self.ds, request.actor, "view-table", "table", (database, view_name),
+            )
+            if visible:
+                views.append(
+                    {"name": view_name, "private": private,}
+                )
+
         tables = []
         for table in table_counts:
             visible, private = await check_visibility(

diff --git a/tests/test_permissions.py b/tests/test_permissions.py
@@ -107,19 +107,27 @@ def test_table_list_respects_view_table():
         metadata={
             "databases": {
                 "fixtures": {
-                    "tables": {"compound_three_primary_keys": {"allow": {"id": "root"}}}
+                    "tables": {
+                        "compound_three_primary_keys": {"allow": {"id": "root"}},
+                        # And a SQL view too:
+                        "paginated_view": {"allow": {"id": "root"}},
+                    }
                 }
             }
         }
     ) as client:
-        html_fragment = '<a href="/fixtures/compound_three_primary_keys">compound_three_primary_keys</a> 🔒'
+        html_fragments = [
+            ">compound_three_primary_keys</a> 🔒",
+            ">paginated_view</a> 🔒",
+        ]
         anon_response = client.get("/fixtures")
-        assert html_fragment not in anon_response.text
-        assert '"/fixtures/compound_three_primary_keys"' not in anon_response.text
+        for html_fragment in html_fragments:
+            assert html_fragment not in anon_response.text
         auth_response = client.get(
             "/fixtures", cookies={"ds_actor": client.ds.sign({"id": "root"}, "actor")}
         )
-        assert html_fragment in auth_response.text
+        for html_fragment in html_fragments:
+            assert html_fragment in auth_response.text
 
 
 @pytest.mark.parametrize(