Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Private database page should show padlock on every table #1848

Closed
simonw opened this issue Oct 24, 2022 · 3 comments
Closed

Private database page should show padlock on every table #1848

simonw opened this issue Oct 24, 2022 · 3 comments
Labels
authentication-and-permissions

Comments

@simonw
Copy link
Owner

simonw commented Oct 24, 2022

Following:

https://latest.datasette.io/_internal looks like this:

image

But those queries and tables are private too, and should also show the padlock icon.
@simonw
Copy link
Owner Author

simonw commented Oct 24, 2022
edited
Loading

Here's the code at fault:

datasette/datasette/views/database.py

Lines 67 to 116 in 78dad23

views = []
for view_name in await db.view_names():
view_visible, view_private = await self.ds.check_visibility(
request.actor,
"view-table",
(database, view_name),
)
if view_visible:
views.append(
{
"name": view_name,
"private": view_private,
}
)
tables = []
for table in table_counts:
table_visible, table_private = await self.ds.check_visibility(
request.actor,
"view-table",
(database, table),
)
if not table_visible:
continue
table_columns = await db.table_columns(table)
tables.append(
{
"name": table,
"columns": table_columns,
"primary_keys": await db.primary_keys(table),
"count": table_counts[table],
"hidden": table in hidden_table_names,
"fts_table": await db.fts_table(table),
"foreign_keys": all_foreign_keys[table],
"private": table_private,
}
)
tables.sort(key=lambda t: (t["hidden"], t["name"]))
canned_queries = []
for query in (
await self.ds.get_canned_queries(database, request.actor)
).values():
query_visible, query_private = await self.ds.check_visibility(
request.actor,
"view-query",
(database, query["name"]),
)
if query_visible:
canned_queries.append(dict(query, private=query_private))

Those checks aren't doing the new cascading permissions thing added in #1829 which means they can't tell that an anonymous user would not be able to se those tbles and queries and views.

Should do something like this instead:

view_visible, view_private = await self.ds.check_visibility(
    request.actor,
    permissions=[
        ("view-table", (database, view_name)),
        ("view-database", database),
        "view-instance",
    ],
)

@simonw
Copy link
Owner Author

simonw commented Oct 24, 2022

Tested my fix with this metadata.yml:

databases:
  fixtures:
   allow:
     id: root
   tables:
     123_starts_with_digits:
       allow: true

Signed in as root I saw this - showing that the 123_starts_with_digits table is public:

image

@simonw simonw closed this as completed in 5be86d4 Oct 24, 2022
@simonw
Copy link
Owner Author

simonw commented Oct 24, 2022

https://latest.datasette.io/_internal now looks like this:

image

simonw added a commit that referenced this issue Oct 24, 2022
@simonw
Release 0.63a1
602c088 
Refs #1646, #1819, #1825, #1829, #1831, #1832, #1834, #1844, #1848
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
authentication-and-permissions
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@simonw