Should respect view-instance and other permissions

simonw / datasette-graphql

Datasette plugin providing an automatic GraphQL API for your SQLite databases

https://datasette-graphql-demo.datasette.io/

Apache License 2.0

98 stars 6 forks source link

Should respect view-instance and other permissions #65

Closed simonw closed 3 years ago

simonw commented 3 years ago

This plugin currently ignores permissions when constructing the schema. This doesn't lead to any information leakage, since the actual calls to resolve GraphQL queries dispatch to TableView which respects permissions - but it does mean that the GraphQL endpoint can "leak" the schema structure of a database even when that database should not be visible according to view-instance or view-database permissions.

simonw commented 3 years ago

I'm going to fix this in the view_graphql and view_graphql_schema view functions:

https://github.com/simonw/datasette-graphql/blob/71b546af34385362b0d571a1ff766711fb1e074e/datasette_graphql/__init__.py#L45-L69

https://github.com/simonw/datasette-graphql/blob/71b546af34385362b0d571a1ff766711fb1e074e/datasette_graphql/__init__.py#L27-L34

simonw commented 3 years ago

First check view-database - if that says False then disallow access, if it says True then allow access. If it says None check view-instance.