html_url | issue_url | id | node_id | user | created_at | updated_at | author_association | body | reactions | issue | performed_via_github_app |
---|---|---|---|---|---|---|---|---|---|---|---|
https://github.com/simonw/datasette/issues/811#issuecomment-640287967 | https://api.github.com/repos/simonw/datasette/issues/811 | 640287967 | MDEyOklzc3VlQ29tbWVudDY0MDI4Nzk2Nw== | 9599 | 2020-06-07T22:16:10Z | 2020-06-07T22:16:10Z | OWNER | The tests in test_permissions.py could check the .json variants and assert that permission checks were carried out too. | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | 633578769 | |
https://github.com/simonw/datasette/issues/811#issuecomment-640274171 | https://api.github.com/repos/simonw/datasette/issues/811 | 640274171 | MDEyOklzc3VlQ29tbWVudDY0MDI3NDE3MQ== | 9599 | 2020-06-07T20:21:14Z | 2020-06-07T20:21:14Z | OWNER | Next step: fix this ``` - # TODO: fix this to use that permission check - if not actor_matches_allow( - request.scope.get("actor", None), metadata.get("allow") - ): - return Response("Permission denied", status=403) ``` | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | 633578769 | |
https://github.com/simonw/datasette/issues/811#issuecomment-640273945 | https://api.github.com/repos/simonw/datasette/issues/811 | 640273945 | MDEyOklzc3VlQ29tbWVudDY0MDI3Mzk0NQ== | 9599 | 2020-06-07T20:19:15Z | 2020-06-07T20:19:15Z | OWNER | I'm going to add a `test_permissions.py` module that checks for 403 errors against different patterns of the `actors` block at different levels in `metadata.json`. | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | 633578769 | |
https://github.com/simonw/datasette/issues/811#issuecomment-640270178 | https://api.github.com/repos/simonw/datasette/issues/811 | 640270178 | MDEyOklzc3VlQ29tbWVudDY0MDI3MDE3OA== | 9599 | 2020-06-07T19:48:39Z | 2020-06-07T19:48:39Z | OWNER | Testing pattern: ```python def test_canned_query_with_custom_metadata(app_client): response = app_client.get("/fixtures/neighborhood_search?text=town") assert_permissions_checked( app_client.ds, [ "view-instance", ("view-database", "database", "fixtures"), ("view-query", "query", ("fixtures", "neighborhood_search")), ], ) ``` | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | 633578769 | |
https://github.com/simonw/datasette/issues/811#issuecomment-640248972 | https://api.github.com/repos/simonw/datasette/issues/811 | 640248972 | MDEyOklzc3VlQ29tbWVudDY0MDI0ODk3Mg== | 9599 | 2020-06-07T17:04:22Z | 2020-06-07T17:04:22Z | OWNER | I'll need a neat testing pattern for this. | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | 633578769 | |
https://github.com/simonw/datasette/issues/811#issuecomment-640248669 | https://api.github.com/repos/simonw/datasette/issues/811 | 640248669 | MDEyOklzc3VlQ29tbWVudDY0MDI0ODY2OQ== | 9599 | 2020-06-07T17:01:44Z | 2020-06-07T17:01:44Z | OWNER | If the allow block at the database level forbids access this needs to cascade down to the table, query and row levels as well. | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | 633578769 |