Private database page should show padlock on every table #1848
Comments
Here's the code at fault: datasette/datasette/views/database.py Lines 67 to 116 in 78dad23
Those checks aren't doing the new cascading permissions thing added in #1829, which means they can't tell that an anonymous user would not be able to see those tables and queries and views. Should do something like this instead:

```python
view_visible, view_private = await self.ds.check_visibility(
    request.actor,
    permissions=[
        ("view-table", (database, view_name)),
        ("view-database", database),
        "view-instance",
    ],
)
```
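An added example, not part of the comment above and not Datasette's own code: a simplified, self-contained model of a cascading visibility check, showing why a table-only check reports no padlock when only the database is restricted. The `RULES` table, the `root` actor, the `example_table` name and the default-allow behaviour when no rule has an opinion are assumptions of this model.

```python
import asyncio

class Forbidden(Exception):
    pass

# Constructed rules: only the database is restricted; no table-level rule exists.
RULES = {("view-database", "_internal"): {"root"}}

def permission_allowed(actor, action, resource=None):
    """True/False when a rule covers this exact check, None for 'no opinion'."""
    allowed = RULES.get((action, resource))
    if allowed is None:
        return None
    return actor is not None and actor.get("id") in allowed

async def ensure_permissions(actor, permissions):
    """Walk from most to least specific; the first rule with an opinion decides."""
    for permission in permissions:
        action, resource = (permission, None) if isinstance(permission, str) else permission
        verdict = permission_allowed(actor, action, resource)
        if verdict is None:
            continue  # no opinion at this level, fall through to the parent
        if not verdict:
            raise Forbidden(action)
        return
    # No rule had an opinion: this model allows by default (assumption).

async def check_visibility(actor, permissions):
    """Return (visible, private); private means an anonymous actor is refused."""
    try:
        await ensure_permissions(actor, permissions)
    except Forbidden:
        return False, False
    try:
        await ensure_permissions(None, permissions)
    except Forbidden:
        return True, True
    return True, False

def padlock_flags(actor, database, table):
    """Compare the table-only check with the cascading check for one table."""
    table_only = [("view-table", (database, table))]
    cascading = table_only + [("view-database", database), "view-instance"]
    return (asyncio.run(check_visibility(actor, table_only)),
            asyncio.run(check_visibility(actor, cascading)))

if __name__ == "__main__":
    print(padlock_flags({"id": "root"}, "_internal", "example_table"))
```

In this model the table-only check returns `(True, False)` for `root`, so no padlock is drawn, while the cascading check returns `(True, True)`.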
https://latest.datasette.io/_internal now looks like this:
Following:
https://latest.datasette.io/_internal looks like this:
But those queries and tables are private too, and should also show the padlock icon.