issue_comments

Table actions

3 rows where issue = 1420090659 sorted by updated_at descending

View and edit SQL

This data as json, CSV (advanced)

Suggested facets: created_at (date), updated_at (date)

user 1

issue 1

  • Private database page should show padlock on every table · 3

author_association 1

id html_url issue_url node_id user created_at updated_at ▲ author_association body reactions issue performed_via_github_app
1288340476 https://github.com/simonw/datasette/issues/1848#issuecomment-1288340476 https://api.github.com/repos/simonw/datasette/issues/1848 IC_kwDOBm6k_c5MyoP8 simonw 9599 2022-10-24T02:50:29Z 2022-10-24T02:50:29Z OWNER 
{
    "total_count": 0,
    "+1": 0,
    "-1": 0,
    "laugh": 0,
    "hooray": 0,
    "confused": 0,
    "heart": 0,
    "rocket": 0,
    "eyes": 0
}
 Private database page should show padlock on every table 1420090659  
1288330238 https://github.com/simonw/datasette/issues/1848#issuecomment-1288330238 https://api.github.com/repos/simonw/datasette/issues/1848 IC_kwDOBm6k_c5Mylv- simonw 9599 2022-10-24T02:34:41Z 2022-10-24T02:34:41Z OWNER

Tested my fix with this metadata.yml: yaml databases: fixtures: allow: id: root tables: 123_starts_with_digits: allow: true Signed in as root I saw this - showing that the 123_starts_with_digits table is public:

 
{
    "total_count": 0,
    "+1": 0,
    "-1": 0,
    "laugh": 0,
    "hooray": 0,
    "confused": 0,
    "heart": 0,
    "rocket": 0,
    "eyes": 0
}
 Private database page should show padlock on every table 1420090659  
1288327467 https://github.com/simonw/datasette/issues/1848#issuecomment-1288327467 https://api.github.com/repos/simonw/datasette/issues/1848 IC_kwDOBm6k_c5MylEr simonw 9599 2022-10-24T02:30:48Z 2022-10-24T02:31:04Z OWNER

Here's the code at fault: https://github.com/simonw/datasette/blob/78dad236df730212aa7172f885fd8ec575f0d3ad/datasette/views/database.py#L67-L116

Those checks aren't doing the new cascading permissions thing added in #1829 which means they can't tell that an anonymous user would not be able to se those tbles and queries and views.

Should do something like this instead:

python view_visible, view_private = await self.ds.check_visibility( request.actor, permissions=[ ("view-table", (database, view_name)), ("view-database", database), "view-instance", ], )

 
{
    "total_count": 0,
    "+1": 0,
    "-1": 0,
    "laugh": 0,
    "hooray": 0,
    "confused": 0,
    "heart": 0,
    "rocket": 0,
    "eyes": 0
}
 Private database page should show padlock on every table 1420090659  

Advanced export

JSON shape: default, array, newline-delimited, object

CSV options: 

CREATE TABLE [issue_comments] (
   [html_url] TEXT,
   [issue_url] TEXT,
   [id] INTEGER PRIMARY KEY,
   [node_id] TEXT,
   [user] INTEGER REFERENCES [users]([id]),
   [created_at] TEXT,
   [updated_at] TEXT,
   [author_association] TEXT,
   [body] TEXT,
   [reactions] TEXT,
   [issue] INTEGER REFERENCES [issues]([id])
, [performed_via_github_app] TEXT);
CREATE INDEX [idx_issue_comments_issue]
                ON [issue_comments] ([issue]);
CREATE INDEX [idx_issue_comments_user]
                ON [issue_comments] ([user]);