issue_comments: 1288327467

This data as json

html_url issue_url id node_id user created_at updated_at author_association body reactions issue performed_via_github_app
https://github.com/simonw/datasette/issues/1848#issuecomment-1288327467 https://api.github.com/repos/simonw/datasette/issues/1848 1288327467 IC_kwDOBm6k_c5MylEr 9599 2022-10-24T02:30:48Z 2022-10-24T02:31:04Z OWNER

Here's the code at fault: https://github.com/simonw/datasette/blob/78dad236df730212aa7172f885fd8ec575f0d3ad/datasette/views/database.py#L67-L116

Those checks aren't doing the new cascading permissions thing added in #1829 which means they can't tell that an anonymous user would not be able to se those tbles and queries and views.

Should do something like this instead:

python view_visible, view_private = await self.ds.check_visibility( request.actor, permissions=[ ("view-table", (database, view_name)), ("view-database", database), "view-instance", ], )

 
{
    "total_count": 0,
    "+1": 0,
    "-1": 0,
    "laugh": 0,
    "hooray": 0,
    "confused": 0,
    "heart": 0,
    "rocket": 0,
    "eyes": 0
}
 1420090659