Cascading permissions for .db download, closes #1058

simonw · Oct 28, 2020 · 7d9fedc · 7d9fedc
1 parent c3aba4a
commit 7d9fedc
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 5 deletions.
diff --git a/datasette/views/database.py b/datasette/views/database.py
@@ -131,9 +131,14 @@ class DatabaseDownload(DataView):
     name = "database_download"
 
     async def view_get(self, request, database, hash, correct_hash_present, **kwargs):
-        await self.check_permission(request, "view-instance")
-        await self.check_permission(request, "view-database", database)
-        await self.check_permission(request, "view-database-download", database)
+        await self.check_permissions(
+            request,
+            [
+                ("view-database-download", database),
+                ("view-database", database),
+                "view-instance",
+            ],
+        )
         if database not in self.ds.databases:
             raise DatasetteError("Invalid database", status=404)
         db = self.ds.databases[database]

diff --git a/tests/plugins/my_plugin.py b/tests/plugins/my_plugin.py
@@ -193,6 +193,8 @@ def permission_allowed(actor, action):
         return True
     elif action == "this_is_denied":
         return False
+    elif action == "view-database-download":
+        return (actor and actor.get("can_download")) or None
 
 
 @hookimpl

diff --git a/tests/test_permissions.py b/tests/test_permissions.py
@@ -394,7 +394,7 @@ def test_view_instance(path, view_instance_client):
 
 @pytest.fixture(scope="session")
 def cascade_app_client():
-    with make_app_client() as client:
+    with make_app_client(is_immutable=True) as client:
         yield client
 
 
@@ -439,6 +439,11 @@ def cascade_app_client():
         ("/fixtures", [], 403),
         ("/fixtures", ["instance"], 403),
         ("/fixtures", ["database"], 200),
+        # Downloading the fixtures.db file
+        ("/fixtures.db", [], 403),
+        ("/fixtures.db", ["instance"], 403),
+        ("/fixtures.db", ["database"], 200),
+        ("/fixtures.db", ["download"], 200),
     ],
 )
 def test_permissions_cascade(cascade_app_client, path, permissions, expected_status):
@@ -447,6 +452,9 @@ def test_permissions_cascade(cascade_app_client, path, permissions, expected_sta
     deny = {}
     previous_metadata = cascade_app_client.ds._metadata
     updated_metadata = copy.deepcopy(previous_metadata)
+    actor = {"id": "test"}
+    if "download" in permissions:
+        actor["can_download"] = 1
     try:
         # Set up the different allow blocks
         updated_metadata["allow"] = allow if "instance" in permissions else deny
@@ -462,7 +470,7 @@ def test_permissions_cascade(cascade_app_client, path, permissions, expected_sta
         cascade_app_client.ds._metadata = updated_metadata
         response = cascade_app_client.get(
             path,
-            cookies={"ds_actor": cascade_app_client.actor_cookie({"id": "test"})},
+            cookies={"ds_actor": cascade_app_client.actor_cookie(actor)},
         )
         assert expected_status == response.status
     finally: