Skip to content

Fix /-/check 500 error on query-scoped actions #2758

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
truffle-dev wants to merge 1 commit into
base: main
Choose a base branch
from
+33 −3
Open

Fix /-/check 500 error on query-scoped actions #2758

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 5 additions & 3 deletions datasette/views/special.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -497,11 +497,13 @@ async def _check_permission_for_actor(ds, action, parent, child, actor):
if action_obj.resource_class is None:
resource_obj = None
elif action_obj.takes_parent and action_obj.takes_child:
# Child-level resource (e.g., TableResource, QueryResource)
resource_obj = action_obj.resource_class(database=parent, table=child)
# Child-level resource (e.g., TableResource, QueryResource). Pass
# positional args so we work with subclasses whose second parameter
# is named `table`, `query`, or anything else.
resource_obj = action_obj.resource_class(parent, child)
elif action_obj.takes_parent:
# Parent-level resource (e.g., DatabaseResource)
resource_obj = action_obj.resource_class(database=parent)
resource_obj = action_obj.resource_class(parent)
else:
# This shouldn't happen given validation in Action.__post_init__
return {"error": f"Invalid action configuration: {action}"}, 500
Expand Down
28 changes: 28 additions & 0 deletions tests/test_permissions.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1733,6 +1733,34 @@ async def test_permission_check_view_requires_debug_permission():
assert data["allowed"] is True


@pytest.mark.asyncio
@pytest.mark.parametrize(
"action,child",
[
("view-query", "myquery"),
("update-query", "myquery"),
("delete-query", "myquery"),
],
)
async def test_permission_check_view_query_scoped_action(action, child):
"""Test that /-/check works for query-scoped actions (issue #2756)."""
ds = Datasette()
ds.root_enabled = True
root_token = await ds.create_token("root", handler="signed")
response = await ds.client.get(
f"/-/check.json?action={action}&parent=mydb&child={child}",
headers={"Authorization": f"Bearer {root_token}"},
)
assert response.status_code == 200
data = response.json()
assert data["action"] == action
assert data["resource"] == {
"parent": "mydb",
"child": child,
"path": f"/mydb/{child}",
}


@pytest.mark.asyncio
async def test_root_allow_block_with_table_restricted_actor():
"""
Expand Down