Currently is allowed with just insert-row permission,

Just confirmed this through manual testing. <div class="highlight highlight-source

POST to /-/insert with "replace": true should require update-row about datasette HOT 5 CLOSED

simonw commented on July 24, 2024

POST to /-/insert with "replace": true should require update-row

from datasette.

Comments (5)

simonw commented on July 24, 2024

Relevant code:

datasette/datasette/views/table.py

Lines 481 to 498 in 81629db

    
           ignore = extras.get("ignore") 
        
           replace = extras.get("replace") 
        
           alter = extras.get("alter") 
        
           if upsert and (ignore or replace): 
        
               return _error(["Upsert does not support ignore or replace"], 400) 
        
           initial_schema = None 
        
           if alter: 
        
               # Must have alter-table permission 
        
               if not await self.ds.permission_allowed( 
        
                   request.actor, "alter-table", resource=(database_name, table_name) 
        
               ): 
        
                   return _error(["Permission denied for alter-table"], 403) 
        
               # Track initial schema to check if it changed later 
        
               initial_schema = await db.execute_fn( 
        
                   lambda conn: sqlite_utils.Database(conn)[table_name].schema 
        
               )

from datasette.

simonw commented on July 24, 2024

Just confirmed this through manual testing.

httpx.post(url, json={
    "row": {
        "rowid": 263,
        "session_id": 123,
        "session_title": "hello"
    },
    "replace": True,
}, headers={"Authorization": f"Bearer {token}"}
).json()

from datasette.

simonw commented on July 24, 2024

Looks like I did implement this for the replace option on create table:

datasette/tests/test_api_write.py

Lines 1328 to 1346 in 81629db

    
                   # If you use replace: true you need update-row too: 
        
                   ( 
        
                       ["create-table", "insert-row"], 
        
                       {"table": "t", "rows": [{"id": 1}], "pk": "id", "replace": True}, 
        
                       403, 
        
                       ["Permission denied - need update-row"], 
        
                   ), 
        
               ), 
        
           ) 
        
           async def test_create_table_permissions( 
        
               ds_write, permissions, body, expected_status, expected_errors 
        
           ): 
        
               token = ds_write.create_token("root", restrict_all=["view-instance"] + permissions) 
        
               response = await ds_write.client.post( 
        
                   "/data/-/create", 
        
                   json=body, 
        
                   headers=_headers(token), 
        
               ) 
        
               assert response.status_code == expected_status

from datasette.

simonw commented on July 24, 2024

Just noticed that I use "Permission denied:" and "Permission denied -" inconsistently.

from datasette.

simonw commented on July 24, 2024

Tested this manually as well.

from datasette.

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.

Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

TensorFlow

An Open Source Machine Learning Framework for Everyone

Django

The Web framework for perfectionists with deadlines.

Laravel

A PHP framework for web artisans

D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

web

Some thing interesting about web. New door for the world.

server

A server is a program made to process requests and deliver data to clients.

Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

Visualization

Some thing interesting about visualization, use data art

Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.

Microsoft

Open source projects and samples from Microsoft.

Google

Google ❤️ Open Source for everyone.

Alibaba

Alibaba Open Source for everyone

D3

Data-Driven Documents codes.

Tencent

China tencent open source team.

	ignore = extras.get("ignore")
	replace = extras.get("replace")
	alter = extras.get("alter")

	if upsert and (ignore or replace):
	return _error(["Upsert does not support ignore or replace"], 400)

	initial_schema = None
	if alter:
	# Must have alter-table permission
	if not await self.ds.permission_allowed(
	request.actor, "alter-table", resource=(database_name, table_name)
	):
	return _error(["Permission denied for alter-table"], 403)
	# Track initial schema to check if it changed later
	initial_schema = await db.execute_fn(
	lambda conn: sqlite_utils.Database(conn)[table_name].schema
	)

	# If you use replace: true you need update-row too:
	(
	["create-table", "insert-row"],
	{"table": "t", "rows": [{"id": 1}], "pk": "id", "replace": True},
	403,
	["Permission denied - need update-row"],
	),
	),
	)
	async def test_create_table_permissions(
	ds_write, permissions, body, expected_status, expected_errors
	):
	token = ds_write.create_token("root", restrict_all=["view-instance"] + permissions)
	response = await ds_write.client.post(
	"/data/-/create",
	json=body,
	headers=_headers(token),
	)
	assert response.status_code == expected_status

Comments (5)

Related Issues (20)

Recommend Projects

Recommend Topics

Recommend Org