simonw / datasette-graphql

Datasette plugin providing an automatic GraphQL API for your SQLite databases
https://datasette-graphql-demo.datasette.io/
Apache License 2.0

Menu options should not be displayed without a permission check #98

Open simonw opened 10 months ago

simonw commented 10 months ago

I spotted this:

[screenshot: CleanShot 2023-09-07 at 10 45 04@2x]

That's a public table on a private instance - the GraphQL link shows a permission denied error, so that link should not be there (for the database or table or main menu).

This isn't a security bug since actually clicking the link doesn't do anything useful, but it's a usability bug.

simonw commented 10 months ago

Relevant code:

https://github.com/simonw/datasette-graphql/blob/ded886ebc6734def37514c9fdad872a9841b5716/datasette_graphql/__init__.py#L159-L164

https://github.com/simonw/datasette-graphql/blob/ded886ebc6734def37514c9fdad872a9841b5716/datasette_graphql/__init__.py#L229-L236

https://github.com/simonw/datasette-graphql/blob/ded886ebc6734def37514c9fdad872a9841b5716/datasette_graphql/__init__.py#L253-L262

Should use this method to check permissions:

https://github.com/simonw/datasette-graphql/blob/ded886ebc6734def37514c9fdad872a9841b5716/datasette_graphql/__init__.py#L135
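One way to implement the fix the thread proposes, as an added example (this is not datasette-graphql's own code, and the name and exact semantics of the plugin's permission-check method at L135 are not shown here). It assumes the plugin guards its page with a single `graphql` permission looked up through Datasette's `permission_allowed()`, that the per-database endpoint lives at `/graphql/<database>`, and that the link labels are free to choose; the `FakeDatasette` stand-in is constructed so the example runs without Datasette installed.

```python
"""Menu hooks that only advertise the GraphQL page when the actor may reach it.

Added example, not datasette-graphql's own code. Assumed: the plugin checks a
single "graphql" permission via datasette.permission_allowed() and serves a
per-database endpoint at /graphql/<database>.
"""
import asyncio

try:
    from datasette import hookimpl
except ImportError:  # lets the example run without Datasette installed
    def hookimpl(func):
        return func


async def graphql_allowed(datasette, actor):
    # Assumption: one "graphql" action gates the whole API. The real plugin's
    # check method (the one the issue says should be reused) is not shown here.
    return await datasette.permission_allowed(actor, "graphql")


# Datasette's menu_links / database_actions / table_actions hooks may return
# an async function instead of a list; Datasette awaits it. That is what lets
# a synchronous hook call the async permission check before deciding whether
# the link should exist at all, rather than rendering it and letting the
# target page fail with "permission denied".
@hookimpl
def menu_links(datasette, actor):
    async def inner():
        if not await graphql_allowed(datasette, actor):
            return []
        return [{"href": datasette.urls.path("/graphql"), "label": "GraphQL API"}]
    return inner


@hookimpl
def database_actions(datasette, actor, database):
    async def inner():
        if not await graphql_allowed(datasette, actor):
            return []
        return [{
            "href": datasette.urls.path(f"/graphql/{database}"),
            "label": "GraphQL API for this database",
        }]
    return inner


@hookimpl
def table_actions(datasette, actor, database, table):
    async def inner():
        if not await graphql_allowed(datasette, actor):
            return []
        # Assumed link target: the database endpoint, with the table name as a
        # fragment so the explorer can pre-select it.
        return [{
            "href": datasette.urls.path(f"/graphql/{database}#{table}"),
            "label": "GraphQL API for this table",
        }]
    return inner


class _FakeUrls:
    def path(self, path):
        return path


class FakeDatasette:
    """Stand-in for the Datasette object (constructed for this example).

    Behaves like a private instance whose allow block lists a few actors:
    only those actors are granted the "graphql" action.
    """

    def __init__(self, allowed_actor_ids):
        self.urls = _FakeUrls()
        self._allowed = set(allowed_actor_ids)

    async def permission_allowed(self, actor, action, resource=None, default=False):
        if action != "graphql":
            return default
        return bool(actor) and actor.get("id") in self._allowed


def links_for(datasette, actor, database="fixtures", table="facetable"):
    """Resolve all three hooks for one actor; returns {hook_name: links}."""
    async def run():
        return {
            "menu": await menu_links(datasette, actor)(),
            "database": await database_actions(datasette, actor, database)(),
            "table": await table_actions(datasette, actor, database, table)(),
        }
    return asyncio.run(run())


if __name__ == "__main__":
    ds = FakeDatasette({"alice"})
    print(links_for(ds, {"id": "alice"}))   # all three links present
    print(links_for(ds, {"id": "bob"}))     # {"menu": [], "database": [], "table": []}
    print(links_for(ds, None))              # anonymous: no links either
```

The check runs once per hook, so an actor who cannot open `/graphql` never sees the link in the navigation menu, on the database page, or on the table page; a public table on a private instance (the case in the screenshot) therefore renders without a dead GraphQL link.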