datasette-write 0.3.1__py3-none-any.whl → 0.5a0__py3-none-any.whl

datasette_write/__init__.py

@@ -1,56 +1,72 @@
 from datasette import hookimpl, Forbidden, Response
+from datasette.permissions import Action
+from datasette.resources import DatabaseResource
 from datasette.utils import derive_named_parameters
+import itsdangerous
 from urllib.parse import urlencode
 import re
 
+WRITE_ACTION = "datasette-write"
+
+
+async def _allowed_for_database(datasette, actor, database_name):
+    return await datasette.allowed(
+        action=WRITE_ACTION,
+        actor=actor,
+        resource=DatabaseResource(database_name),
+    )
+
+
+async def _require_write_permission(datasette, actor, database_name):
+    if not await _allowed_for_database(datasette, actor, database_name):
+        raise Forbidden(f"Permission denied for {WRITE_ACTION}")
+
 
 async def write(request, datasette):
-    if not await datasette.permission_allowed(
-        request.actor, "datasette-write", default=False
-    ):
-        raise Forbidden("Permission denied for datasette-write")
-    databases = [
-        db
-        for db in datasette.databases.values()
-        if db.is_mutable and db.name != "_internal"
-    ]
+    database_name = request.url_vars["database"]
+    await _require_write_permission(datasette, request.actor, database_name)
     if request.method == "GET":
-        selected_database = request.args.get("database") or ""
-        if not selected_database or selected_database == "_internal":
-            selected_database = databases[0].name
-        database = datasette.get_database(selected_database)
+        database = datasette.get_database(database_name)
         tables = await database.table_names()
         views = await database.view_names()
         sql = request.args.get("sql") or ""
+        parameters = await derive_parameters(database, sql)
+        # Set values based on incoming request query string
+        for parameter in parameters:
+            parameter["value"] = request.args.get(parameter["name"]) or ""
+        custom_title = ""
+        try:
+            custom_title = datasette.unsign(
+                request.args.get("_title", ""), "query_title"
+            )
+        except itsdangerous.BadSignature:
+            pass
         return Response.html(
             await datasette.render_template(
                 "datasette_write.html",
                 {
-                    "databases": databases,
+                    "custom_title": custom_title,
                     "sql_from_args": sql,
-                    "selected_database": selected_database,
-                    "parameters": await derive_parameters(database, sql),
+                    "parameters": parameters,
+                    "database_name": database_name,
                     "tables": tables,
                     "views": views,
+                    "redirect_to": request.args.get("_redirect_to"),
+                    "sql_textarea_height": max(10, int(1.4 * len(sql.split("\n")))),
                 },
                 request=request,
             )
         )
     elif request.method == "POST":
         formdata = await request.post_vars()
-        database_name = formdata["database"]
         sql = formdata["sql"]
-        try:
-            database = [db for db in databases if db.name == database_name][0]
-        except IndexError:
-            return Response.html("Database not found", status_code=404)
+        database = datasette.get_database(database_name)
 
         result = None
         message = None
         params = {
             key[3:]: value for key, value in formdata.items() if key.startswith("qp_")
         }
-        print(params)
         try:
             result = await database.execute_write(sql, params, block=True)
             if result.rowcount == -1:
@@ -80,44 +96,70 @@ async def write(request, datasette):
             message,
             type=datasette.INFO if result else datasette.ERROR,
         )
-        return Response.redirect(
-            datasette.urls.path("/-/write?")
-            + urlencode(
-                {
-                    "database": database.name,
-                    "sql": sql,
-                }
-            )
+        # Default redirect back to this page
+        redirect_to = datasette.urls.path("/-/write?") + urlencode(
+            {
+                "database": database.name,
+                "sql": sql,
+            }
         )
+        try:
+            # Unless value and valid signature for _redirect_to=
+            redirect_to = datasette.unsign(formdata["_redirect_to"], "redirect_to")
+        except (itsdangerous.BadSignature, KeyError):
+            pass
+        return Response.redirect(redirect_to)
     else:
         return Response.html("Bad method", status_code=405)
 
 
+async def write_redirect(request, datasette):
+    db = request.args.get("database") or ""
+    if not db:
+        db = datasette.get_database().name
+    await _require_write_permission(datasette, request.actor, db)
+
+    # Preserve query string, except the database=
+    pairs = [
+        (key, request.args.getlist(key)) for key in request.args if key != "database"
+    ]
+    query_string = ""
+    if pairs:
+        query_string = "?" + urlencode(pairs, doseq=True)
+
+    return Response.redirect(datasette.urls.database(db) + "/-/write" + query_string)
+
+
 async def derive_parameters(db, sql):
     parameters = await derive_named_parameters(db, sql)
+
+    def _type(parameter):
+        type = "text"
+        if parameter.endswith("_textarea"):
+            type = "textarea"
+        if parameter.endswith("_hidden"):
+            type = "hidden"
+        return type
+
+    def _label(parameter):
+        if parameter.endswith("_textarea"):
+            return parameter[: -len("_textarea")]
+        if parameter.endswith("_hidden"):
+            return parameter[: -len("_hidden")]
+        return parameter
+
     return [
-        {
-            "name": parameter,
-            "type": "textarea" if parameter.endswith("textarea") else "text",
-            "label": (
-                parameter.replace("_textarea", "")
-                if parameter.endswith("textarea")
-                else parameter
-            ),
-        }
+        {"name": parameter, "type": _type(parameter), "label": _label(parameter)}
         for parameter in parameters
     ]
 
 
 async def write_derive_parameters(datasette, request):
-    if not await datasette.permission_allowed(
-        request.actor, "datasette-write", default=False
-    ):
-        raise Forbidden("Permission denied for datasette-write")
     try:
         db = datasette.get_database(request.args.get("database"))
     except KeyError:
         db = datasette.get_database()
+    await _require_write_permission(datasette, request.actor, db.name)
     parameters = await derive_parameters(db, request.args.get("sql") or "")
     return Response.json({"parameters": parameters})
 
@@ -125,25 +167,21 @@ async def write_derive_parameters(datasette, request):
 @hookimpl
 def register_routes():
     return [
-        (r"^/-/write$", write),
+        (r"^/(?P<database>[^/]+)/-/write$", write),
+        (r"^/-/write$", write_redirect),
         (r"^/-/write/derive-parameters$", write_derive_parameters),
     ]
 
 
 @hookimpl
-def permission_allowed(actor, action):
-    if action == "datasette-write" and actor and actor.get("id") == "root":
-        return True
-
-
-@hookimpl
-def menu_links(datasette, actor):
+def database_actions(datasette, actor, database):
     async def inner():
-        if await datasette.permission_allowed(actor, "datasette-write", default=False):
+        if await _allowed_for_database(datasette, actor, database):
             return [
                 {
-                    "href": datasette.urls.path("/-/write"),
+                    "href": datasette.urls.database(database) + "/-/write",
                     "label": "Execute SQL write",
+                    "description": "Run queries like insert/update/delete against this database",
                 },
             ]
 
@@ -151,29 +189,83 @@ def menu_links(datasette, actor):
 
 
 @hookimpl
-def database_actions(datasette, actor, database):
+def row_actions(datasette, actor, database, table, row, request):
     async def inner():
-        if database != "_internal" and await datasette.permission_allowed(
-            actor, "datasette-write", default=False
-        ):
+        if await _allowed_for_database(datasette, actor, database):
+            db = datasette.get_database(database)
+            pks = []
+            columns = []
+            for details in await db.table_column_details(table):
+                if details.is_pk:
+                    pks.append(details.name)
+                else:
+                    columns.append(
+                        {
+                            "name": details.name,
+                            "notnull": details.notnull,
+                        }
+                    )
+            row_dict = dict(row)
+            set_clause_bits = []
+            args = {
+                "database": database,
+            }
+            for column in columns:
+                column_name = column["name"]
+                field_name = column_name
+                if column_name in ("sql", "_redirect_to", "_title"):
+                    field_name = "_{}".format(column_name)
+                current_value = str(row_dict.get(column_name) or "")
+                if "\n" in current_value:
+                    field_name = field_name + "_textarea"
+                if column["notnull"]:
+                    fragment = '"{}" = :{}'
+                else:
+                    fragment = "\"{}\" = nullif(:{}, '')"
+                set_clause_bits.append(fragment.format(column["name"], field_name))
+                args[field_name] = current_value
+            set_clauses = ",\n  ".join(set_clause_bits)
+
+            # Add the where clauses, with _hidden to prevent edits
+            where_clauses = " and ".join(
+                '"{}" = :{}_hidden'.format(pk, pk) for pk in pks
+            )
+            args.update([("{}_hidden".format(pk), row_dict[pk]) for pk in pks])
+
+            row_desc = ", ".join(
+                "{}={}".format(k, v) for k, v in row_dict.items() if k in pks
+            )
+
+            sql = 'update "{}" set\n  {}\nwhere {}'.format(
+                table, set_clauses, where_clauses
+            )
+            args["sql"] = sql
+            args["_redirect_to"] = datasette.sign(request.path, "redirect_to")
+            args["_title"] = datasette.sign(
+                "Update {} where {}".format(table, row_desc), "query_title"
+            )
             return [
                 {
-                    "href": datasette.urls.path(
-                        "/-/write?"
-                        + urlencode(
-                            {
-                                "database": database,
-                            }
-                        )
-                    ),
-                    "label": "Execute SQL write",
-                    "description": "Run queries like insert/update/delete against this database",
+                    "href": datasette.urls.path("/-/write") + "?" + urlencode(args),
+                    "label": "Update using SQL",
+                    "description": "Compose and execute a SQL query to update this row",
                 },
             ]
 
     return inner
 
 
+@hookimpl
+def register_actions(datasette):
+    return [
+        Action(
+            name=WRITE_ACTION,
+            description="Execute SQL write queries against a database",
+            resource_class=DatabaseResource,
+        ),
+    ]
+
+
 _name_patterns = (
     r"\[([^\]]+)\]",  # create table [foo]
     r'"([^"]+)"',  # create table "foo"

datasette_write/templates/datasette_write.html

@@ -1,6 +1,6 @@
 {% extends "base.html" %}
 
-{% block title %}Write with SQL{% endblock %}
+{% block title %}{% if custom_title %}{{ custom_title }}{% else %}Write to {{ database_name }} with SQL{% endif %}{% endblock %}
 
 {% block extra_head %}
 <style>
@@ -25,7 +25,7 @@
     box-sizing: border-box;
 }
 #query-parameters-area textarea {
-    height: 8em;
+    height: 20em;
 }
 .submit-container {
     padding-top: 1em;
@@ -36,28 +36,34 @@
 </style>
 {% endblock %}
 
+{% block crumbs %}
+{{ crumbs.nav(request=request, database=database_name) }}
+{% endblock %}
+
 {% block content %}
-<h1>Write to the database with SQL</h1>
+<h1>{% if custom_title %}{{ custom_title }}{% else %}Write to {{ database_name }} with SQL{% endif %}</h1>
 
-<form class="write-form" action="{{ base_url }}-/write" method="post" style="margin-bottom: 1em">
+<form class="write-form core" action="{{ request.path }}" method="post" style="margin-bottom: 1em">
     <input type="hidden" name="csrftoken" value="{{ csrftoken() }}">
-    <p class="database-select"><label>Database: <select name="database">{% for database in databases %}
-        <option{% if database.name == selected_database %} selected="selected"{% endif %}>{{ database.name }}</option>
-    {% endfor %}</select></label></p>
-    <p><textarea name="sql" style="box-sizing: border-box; width: 100%; padding-right: 10px; max-width: 600px; height: 10em; padding: 6px;">{{ sql_from_args }}</textarea></p>
+    {% if custom_title %}<details style="margin-bottom: 1em"><summary>SQL query</summary>{% endif %}
+        <p><textarea name="sql" style="box-sizing: border-box; width: 100%; padding-right: 10px; max-width: 600px; height: {{ sql_textarea_height }}em; padding: 6px;">{{ sql_from_args }}</textarea></p>
+    {% if custom_title %}</details>{% endif %}
     <div class="query-parameters">
         <div id="query-parameters-area">
             {% for parameter in parameters %}
                 <label for="qp_{{ parameter.name }}">{{ parameter.label }}</label>
                 {% if parameter.type == "text" %}
-                    <input type="text" id="qp_{{ parameter.name }}" name="qp_{{ parameter.name }}" value="">
+                    <input type="text" id="qp_{{ parameter.name }}" name="qp_{{ parameter.name }}" value="{{ parameter.value }}">
+                {% elif parameter.type == "hidden" %}
+                    <input type="text" disabled id="qp_{{ parameter.name }}" name="qp_{{ parameter.name }}" value="{{ parameter.value }}">
                 {% elif parameter.type == "textarea" %}
-                    <textarea id="qp_{{ parameter.name }}" name="qp_{{ parameter.name }}"></textarea>
+                    <textarea id="qp_{{ parameter.name }}" name="qp_{{ parameter.name }}">{{ parameter.value }}</textarea>
                 {% endif %}
             {% endfor %}
         </div>
     </div>
     <div class="submit-container">
+        <input type="hidden" name="_redirect_to" value="{{ redirect_to }}">
         <input type="submit" value="Execute query">
     </div>
 </form>
@@ -65,7 +71,7 @@
 {% if tables %}
     <p><strong>Tables</strong>:
         {% for table in tables %}
-            <a href="{{ urls.table(selected_database, table) }}">{{ table }}</a>{% if not loop.last %}, {% endif %}
+            <a href="{{ urls.table(database_name, table) }}">{{ table }}</a>{% if not loop.last %}, {% endif %}
         {% endfor %}
     </p>
 {% endif %}
@@ -73,7 +79,7 @@
 {% if views %}
     <p><strong>Views</strong>:
         {% for view in views %}
-            <a href="{{ urls.table(selected_database, view) }}">{{ view }}</a>{% if not loop.last %}, {% endif %}
+            <a href="{{ urls.table(database_name, view) }}">{{ view }}</a>{% if not loop.last %}, {% endif %}
         {% endfor %}
     </p>
 {% endif %}
@@ -81,16 +87,42 @@
 <script>
 function buildQueryParametersHtml(parameters) {
     let htmlString = '';
+    var qsParams = new URLSearchParams(location.search);
     parameters.forEach(param => {
+        const value = escapeHtml(qsParams.get(param.name) || '');
         if (param.type === 'text') {
-            htmlString += `<label for="qp_${param.name}">${param.label}</label> <input type="text" id="qp_${param.name}" name="qp_${param.name}" value="">\n`;
+            htmlString += `
+              <label for="qp_${param.name}">${param.label}</label>
+              <input type="text" id="qp_${param.name}" name="qp_${param.name}" value="${value}">
+            `;
         } else if (param.type === 'textarea') {
-            htmlString += `<label for="qp_${param.name}">${param.label}</label> <textarea id="qp_${param.name}" name="qp_${param.name}"></textarea>\n`;
+            htmlString += `
+              <label for="qp_${param.name}">${param.label}</label>
+              <textarea id="qp_${param.name}" name="qp_${param.name}">${value}</textarea>
+            `;
+        } else if (param.type === 'hidden') {
+            htmlString += `
+              <span></span>
+              <input type="hidden" id="qp_${param.name}" name="qp_${param.name}" value="${value}">
+            `;
         }
     });
     return htmlString;
 }
 
+function escapeHtml(str) {
+    return str.replace(/[&<>"']/g, function(match) {
+        switch (match) {
+            case '&': return '&amp;';
+            case '<': return '&lt;';
+            case '>': return '&gt;';
+            case '"': return '&quot;';
+            case "'": return '&#39;';
+            default: return match;
+        }
+    });
+}
+
 const sqlTextArea = document.querySelector('textarea[name="sql"]');
 const queryParametersArea = document.getElementById('query-parameters-area');
 let lastRequestTime = 0;

{datasette_write-0.3.1.dist-info → datasette_write-0.5a0.dist-info}/METADATA

@@ -1,6 +1,6 @@
-Metadata-Version: 2.1
+Metadata-Version: 2.4
 Name: datasette-write
-Version: 0.3.1
+Version: 0.5a0
 Summary: Datasette plugin providing a UI for writing to a database
 Home-page: https://github.com/simonw/datasette-write
 Author: Simon Willison
@@ -8,12 +8,24 @@ License: Apache License, Version 2.0
 Project-URL: Issues, https://github.com/simonw/datasette-write/issues
 Project-URL: CI, https://github.com/simonw/datasette-write/actions
 Project-URL: Changelog, https://github.com/simonw/datasette-write/releases
+Requires-Python: >=3.10
 Description-Content-Type: text/markdown
-Requires-Dist: datasette >=0.64.6
+Requires-Dist: datasette>=1.0a21
 Provides-Extra: test
-Requires-Dist: pytest ; extra == 'test'
-Requires-Dist: pytest-asyncio ; extra == 'test'
-Requires-Dist: httpx ; extra == 'test'
+Requires-Dist: pytest; extra == "test"
+Requires-Dist: pytest-asyncio; extra == "test"
+Requires-Dist: httpx; extra == "test"
+Requires-Dist: beautifulsoup4; extra == "test"
+Dynamic: author
+Dynamic: description
+Dynamic: description-content-type
+Dynamic: home-page
+Dynamic: license
+Dynamic: project-url
+Dynamic: provides-extra
+Dynamic: requires-dist
+Dynamic: requires-python
+Dynamic: summary
 
 # datasette-write
 
@@ -32,13 +44,13 @@ pip install datasette-write
 ```
 ## Usage
 
-Having installed the plugin, visit `/-/write` on your Datasette instance to submit SQL queries that will be executed against a write connection to the specified database.
+Having installed the plugin, visit `/db/-/write` on your Datasette instance to submit SQL queries that will be executed against a write connection to the specified database.
 
 By default only the `root` user can access the page - so you'll need to run Datasette with the `--root` option and click on the link shown in the terminal to sign in and access the page.
 
 The `datasette-write` permission governs access. You can use permission plugins such as [datasette-permissions-sql](https://github.com/simonw/datasette-permissions-sql) to grant additional access to the write interface.
 
-Pass `?sql=...` in the query string to pre-populate the SQL editor with a query. Pass `?database=...` to specify a database to run the query against.
+Pass `?sql=...` in the query string to pre-populate the SQL editor with a query.
 
 ## Parameterized queries
 
@@ -47,10 +59,16 @@ SQL queries can include parameters like this:
 insert into news (title, body)
     values (:title, :body_textarea)
 ```
-These will be converted into form fields on the `/-/write` page.
+These will be converted into form fields on the `/db/-/write` page.
 
 If a parameter name ends with `_textarea` it will be rendered as a multi-line textarea instead of a text input.
 
+If a parameter name ends with `_hidden` it will be rendered as a hidden input.
+
+## Updating rows with SQL
+
+On Datasette 1.0a13 and higher a row actions menu item will be added to the row page linking to a SQL query for updating that row, for users with the `datasette-write` permission.
+
 ## Development
 
 To set up this plugin locally, first checkout the code. Then create a new virtual environment:

datasette_write-0.5a0.dist-info/RECORD

@@ -0,0 +1,7 @@
+datasette_write/__init__.py,sha256=X9M-RQSVHAKbdtsZm_p0Zo5a_HfmQNPW7qQQnClvt4Y,10374
+datasette_write/templates/datasette_write.html,sha256=SMcaO3eSw7h2nbMYu55pEq8yvvKtg6eOfGlvH4OeLic,6159
+datasette_write-0.5a0.dist-info/METADATA,sha256=2EKcEV7I71E9w-CL7TEfMr_c3f_uCEpwIrn90yK1fro,3343
+datasette_write-0.5a0.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
+datasette_write-0.5a0.dist-info/entry_points.txt,sha256=q6Nsr_AVBF5D0y_ojz62qBHP8NQmxcpTzaD5O8ndsJ0,36
+datasette_write-0.5a0.dist-info/top_level.txt,sha256=TqV9H_tIZKzfVqbxQQWAxuu9NrbmOOdziZgsBYuYods,16
+datasette_write-0.5a0.dist-info/RECORD,,

{datasette_write-0.3.1.dist-info → datasette_write-0.5a0.dist-info}/WHEEL

@@ -1,5 +1,5 @@
 Wheel-Version: 1.0
-Generator: bdist_wheel (0.43.0)
+Generator: setuptools (80.9.0)
 Root-Is-Purelib: true
 Tag: py3-none-any
 

datasette_write-0.3.1.dist-info/RECORD

@@ -1,7 +0,0 @@
-datasette_write/__init__.py,sha256=rLD8QENtvprI3ER2aCKGtNmQ7qjAcWbmLd507kySVvU,6715
-datasette_write/templates/datasette_write.html,sha256=-7zwcfznocsei5aIZnRcgEsdCib6-H7Fa1TuxasetDM,4911
-datasette_write-0.3.1.dist-info/METADATA,sha256=rJvJt-Z2oXaT_7fvcjUxI35wl4lPMg3wqpGelgm7iDo,2834
-datasette_write-0.3.1.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
-datasette_write-0.3.1.dist-info/entry_points.txt,sha256=q6Nsr_AVBF5D0y_ojz62qBHP8NQmxcpTzaD5O8ndsJ0,36
-datasette_write-0.3.1.dist-info/top_level.txt,sha256=TqV9H_tIZKzfVqbxQQWAxuu9NrbmOOdziZgsBYuYods,16
-datasette_write-0.3.1.dist-info/RECORD,,