github
html_url | issue_url | id | node_id | user | created_at | updated_at | author_association | body | reactions | issue | performed_via_github_app |
---|---|---|---|---|---|---|---|---|---|---|---|
https://github.com/simonw/datasette/issues/1848#issuecomment-1288340476 | https://api.github.com/repos/simonw/datasette/issues/1848 | 1288340476 | IC_kwDOBm6k_c5MyoP8 | 9599 | 2022-10-24T02:50:29Z | 2022-10-24T02:50:29Z | OWNER | https://latest.datasette.io/_internal now looks like this: <img width="771" alt="image" src="https://user-images.githubusercontent.com/9599/197439086-25d02a4f-3831-42bc-8097-c487290d7c32.png"> | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | 1420090659 | |
https://github.com/simonw/datasette/issues/1848#issuecomment-1288330238 | https://api.github.com/repos/simonw/datasette/issues/1848 | 1288330238 | IC_kwDOBm6k_c5Mylv- | 9599 | 2022-10-24T02:34:41Z | 2022-10-24T02:34:41Z | OWNER | Tested my fix with this `metadata.yml`: ```yaml databases: fixtures: allow: id: root tables: 123_starts_with_digits: allow: true ``` Signed in as root I saw this - showing that the `123_starts_with_digits` table is public: <img width="730" alt="image" src="https://user-images.githubusercontent.com/9599/197437398-7397ce64-c4f5-41b9-93ec-f7e3623e39ad.png"> | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | 1420090659 | |
https://github.com/simonw/datasette/issues/1848#issuecomment-1288327467 | https://api.github.com/repos/simonw/datasette/issues/1848 | 1288327467 | IC_kwDOBm6k_c5MylEr | 9599 | 2022-10-24T02:30:48Z | 2022-10-24T02:31:04Z | OWNER | Here's the code at fault: https://github.com/simonw/datasette/blob/78dad236df730212aa7172f885fd8ec575f0d3ad/datasette/views/database.py#L67-L116 Those checks aren't doing the new cascading permissions thing added in #1829 which means they can't tell that an anonymous user would not be able to see those tables and queries and views. Should do something like this instead: ```python view_visible, view_private = await self.ds.check_visibility( request.actor, permissions=[ ("view-table", (database, view_name)), ("view-database", database), "view-instance", ], ) ``` | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | 1420090659 |