datasette-write 0.3.1__tar.gz → 0.4__tar.gz

{datasette-write-0.3.1 → datasette_write-0.4}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: datasette-write
-Version: 0.3.1
+Version: 0.4
 Summary: Datasette plugin providing a UI for writing to a database
 Home-page: https://github.com/simonw/datasette-write
 Author: Simon Willison
@@ -14,6 +14,7 @@ Provides-Extra: test
 Requires-Dist: pytest; extra == "test"
 Requires-Dist: pytest-asyncio; extra == "test"
 Requires-Dist: httpx; extra == "test"
+Requires-Dist: beautifulsoup4; extra == "test"
 
 # datasette-write
 
@@ -32,13 +33,13 @@ pip install datasette-write
 ```
 ## Usage
 
-Having installed the plugin, visit `/-/write` on your Datasette instance to submit SQL queries that will be executed against a write connection to the specified database.
+Having installed the plugin, visit `/db/-/write` on your Datasette instance to submit SQL queries that will be executed against a write connection to the specified database.
 
 By default only the `root` user can access the page - so you'll need to run Datasette with the `--root` option and click on the link shown in the terminal to sign in and access the page.
 
 The `datasette-write` permission governs access. You can use permission plugins such as [datasette-permissions-sql](https://github.com/simonw/datasette-permissions-sql) to grant additional access to the write interface.
 
-Pass `?sql=...` in the query string to pre-populate the SQL editor with a query. Pass `?database=...` to specify a database to run the query against.
+Pass `?sql=...` in the query string to pre-populate the SQL editor with a query.
 
 ## Parameterized queries
 
@@ -47,10 +48,16 @@ SQL queries can include parameters like this:
 insert into news (title, body)
     values (:title, :body_textarea)
 ```
-These will be converted into form fields on the `/-/write` page.
+These will be converted into form fields on the `/db/-/write` page.
 
 If a parameter name ends with `_textarea` it will be rendered as a multi-line textarea instead of a text input.
 
+If a parameter name ends with `_hidden` it will be rendered as a hidden input.
+
+## Updating rows with SQL
+
+On Datasette 1.0a13 and higher a row actions menu item will be added to the row page linking to a SQL query for updating that row, for users with the `datasette-write` permission.
+
 ## Development
 
 To set up this plugin locally, first checkout the code. Then create a new virtual environment:

{datasette-write-0.3.1 → datasette_write-0.4}/README.md

@@ -15,13 +15,13 @@ pip install datasette-write
 ```
 ## Usage
 
-Having installed the plugin, visit `/-/write` on your Datasette instance to submit SQL queries that will be executed against a write connection to the specified database.
+Having installed the plugin, visit `/db/-/write` on your Datasette instance to submit SQL queries that will be executed against a write connection to the specified database.
 
 By default only the `root` user can access the page - so you'll need to run Datasette with the `--root` option and click on the link shown in the terminal to sign in and access the page.
 
 The `datasette-write` permission governs access. You can use permission plugins such as [datasette-permissions-sql](https://github.com/simonw/datasette-permissions-sql) to grant additional access to the write interface.
 
-Pass `?sql=...` in the query string to pre-populate the SQL editor with a query. Pass `?database=...` to specify a database to run the query against.
+Pass `?sql=...` in the query string to pre-populate the SQL editor with a query.
 
 ## Parameterized queries
 
@@ -30,10 +30,16 @@ SQL queries can include parameters like this:
 insert into news (title, body)
     values (:title, :body_textarea)
 ```
-These will be converted into form fields on the `/-/write` page.
+These will be converted into form fields on the `/db/-/write` page.
 
 If a parameter name ends with `_textarea` it will be rendered as a multi-line textarea instead of a text input.
 
+If a parameter name ends with `_hidden` it will be rendered as a hidden input.
+
+## Updating rows with SQL
+
+On Datasette 1.0a13 and higher a row actions menu item will be added to the row page linking to a SQL query for updating that row, for users with the `datasette-write` permission.
+
 ## Development
 
 To set up this plugin locally, first checkout the code. Then create a new virtual environment:

datasette_write-0.4/datasette_write/__init__.py

@@ -0,0 +1,287 @@
+from datasette import hookimpl, Forbidden, Response
+from datasette.utils import derive_named_parameters
+import itsdangerous
+from urllib.parse import urlencode
+import re
+
+
+async def write(request, datasette):
+    if not await datasette.permission_allowed(
+        request.actor, "datasette-write", default=False
+    ):
+        raise Forbidden("Permission denied for datasette-write")
+    database_name = request.url_vars["database"]
+    if request.method == "GET":
+        database = datasette.get_database(database_name)
+        tables = await database.table_names()
+        views = await database.view_names()
+        sql = request.args.get("sql") or ""
+        parameters = await derive_parameters(database, sql)
+        # Set values based on incoming request query string
+        for parameter in parameters:
+            parameter["value"] = request.args.get(parameter["name"]) or ""
+        custom_title = ""
+        try:
+            custom_title = datasette.unsign(
+                request.args.get("_title", ""), "query_title"
+            )
+        except itsdangerous.BadSignature:
+            pass
+        return Response.html(
+            await datasette.render_template(
+                "datasette_write.html",
+                {
+                    "custom_title": custom_title,
+                    "sql_from_args": sql,
+                    "parameters": parameters,
+                    "database_name": database_name,
+                    "tables": tables,
+                    "views": views,
+                    "redirect_to": request.args.get("_redirect_to"),
+                    "sql_textarea_height": max(10, int(1.4 * len(sql.split("\n")))),
+                },
+                request=request,
+            )
+        )
+    elif request.method == "POST":
+        formdata = await request.post_vars()
+        sql = formdata["sql"]
+        database = datasette.get_database(database_name)
+
+        result = None
+        message = None
+        params = {
+            key[3:]: value for key, value in formdata.items() if key.startswith("qp_")
+        }
+        try:
+            result = await database.execute_write(sql, params, block=True)
+            if result.rowcount == -1:
+                # Maybe it was a create table / create view?
+                name_verb_type = parse_create_alter_drop_sql(sql)
+                if name_verb_type:
+                    name, verb, type = name_verb_type
+                    message = "{verb} {type}: {name}".format(
+                        name=name,
+                        type=type,
+                        verb={
+                            "create": "Created",
+                            "drop": "Dropped",
+                            "alter": "Altered",
+                        }[verb],
+                    )
+                else:
+                    message = "Query executed"
+            else:
+                message = "{} row{} affected".format(
+                    result.rowcount, "" if result.rowcount == 1 else "s"
+                )
+        except Exception as e:
+            message = str(e)
+        datasette.add_message(
+            request,
+            message,
+            type=datasette.INFO if result else datasette.ERROR,
+        )
+        # Default redirect back to this page
+        redirect_to = datasette.urls.path("/-/write?") + urlencode(
+            {
+                "database": database.name,
+                "sql": sql,
+            }
+        )
+        try:
+            # Unless value and valid signature for _redirect_to=
+            redirect_to = datasette.unsign(formdata["_redirect_to"], "redirect_to")
+        except (itsdangerous.BadSignature, KeyError):
+            pass
+        return Response.redirect(redirect_to)
+    else:
+        return Response.html("Bad method", status_code=405)
+
+
+async def write_redirect(request, datasette):
+    if not await datasette.permission_allowed(
+        request.actor, "datasette-write", default=False
+    ):
+        raise Forbidden("Permission denied for datasette-write")
+
+    db = request.args.get("database") or ""
+    if not db:
+        db = datasette.get_database().name
+
+    # Preserve query string, except the database=
+    pairs = [
+        (key, request.args.getlist(key)) for key in request.args if key != "database"
+    ]
+    query_string = ""
+    if pairs:
+        query_string = "?" + urlencode(pairs, doseq=True)
+
+    return Response.redirect(datasette.urls.database(db) + "/-/write" + query_string)
+
+
+async def derive_parameters(db, sql):
+    parameters = await derive_named_parameters(db, sql)
+
+    def _type(parameter):
+        type = "text"
+        if parameter.endswith("_textarea"):
+            type = "textarea"
+        if parameter.endswith("_hidden"):
+            type = "hidden"
+        return type
+
+    def _label(parameter):
+        if parameter.endswith("_textarea"):
+            return parameter[: -len("_textarea")]
+        if parameter.endswith("_hidden"):
+            return parameter[: -len("_hidden")]
+        return parameter
+
+    return [
+        {"name": parameter, "type": _type(parameter), "label": _label(parameter)}
+        for parameter in parameters
+    ]
+
+
+async def write_derive_parameters(datasette, request):
+    if not await datasette.permission_allowed(
+        request.actor, "datasette-write", default=False
+    ):
+        raise Forbidden("Permission denied for datasette-write")
+    try:
+        db = datasette.get_database(request.args.get("database"))
+    except KeyError:
+        db = datasette.get_database()
+    parameters = await derive_parameters(db, request.args.get("sql") or "")
+    return Response.json({"parameters": parameters})
+
+
+@hookimpl
+def register_routes():
+    return [
+        (r"^/(?P<database>[^/]+)/-/write$", write),
+        (r"^/-/write$", write_redirect),
+        (r"^/-/write/derive-parameters$", write_derive_parameters),
+    ]
+
+
+@hookimpl
+def permission_allowed(actor, action):
+    if action == "datasette-write" and actor and actor.get("id") == "root":
+        return True
+
+
+@hookimpl
+def database_actions(datasette, actor, database):
+    async def inner():
+        if database != "_internal" and await datasette.permission_allowed(
+            actor, "datasette-write", default=False
+        ):
+            return [
+                {
+                    "href": datasette.urls.database(database) + "/-/write",
+                    "label": "Execute SQL write",
+                    "description": "Run queries like insert/update/delete against this database",
+                },
+            ]
+
+    return inner
+
+
+@hookimpl
+def row_actions(datasette, actor, database, table, row, request):
+    async def inner():
+        if database != "_internal" and await datasette.permission_allowed(
+            actor, "datasette-write", default=False
+        ):
+            db = datasette.get_database(database)
+            pks = []
+            columns = []
+            for details in await db.table_column_details(table):
+                if details.is_pk:
+                    pks.append(details.name)
+                else:
+                    columns.append(
+                        {
+                            "name": details.name,
+                            "notnull": details.notnull,
+                        }
+                    )
+            row_dict = dict(row)
+            set_clause_bits = []
+            args = {
+                "database": database,
+            }
+            for column in columns:
+                column_name = column["name"]
+                field_name = column_name
+                if column_name in ("sql", "_redirect_to", "_title"):
+                    field_name = "_{}".format(column_name)
+                current_value = str(row_dict.get(column_name) or "")
+                if "\n" in current_value:
+                    field_name = field_name + "_textarea"
+                if column["notnull"]:
+                    fragment = '"{}" = :{}'
+                else:
+                    fragment = "\"{}\" = nullif(:{}, '')"
+                set_clause_bits.append(fragment.format(column["name"], field_name))
+                args[field_name] = current_value
+            set_clauses = ",\n  ".join(set_clause_bits)
+
+            # Add the where clauses, with _hidden to prevent edits
+            where_clauses = " and ".join(
+                '"{}" = :{}_hidden'.format(pk, pk) for pk in pks
+            )
+            args.update([("{}_hidden".format(pk), row_dict[pk]) for pk in pks])
+
+            row_desc = ", ".join(
+                "{}={}".format(k, v) for k, v in row_dict.items() if k in pks
+            )
+
+            sql = 'update "{}" set\n  {}\nwhere {}'.format(
+                table, set_clauses, where_clauses
+            )
+            args["sql"] = sql
+            args["_redirect_to"] = datasette.sign(request.path, "redirect_to")
+            args["_title"] = datasette.sign(
+                "Update {} where {}".format(table, row_desc), "query_title"
+            )
+            return [
+                {
+                    "href": datasette.urls.path("/-/write") + "?" + urlencode(args),
+                    "label": "Update using SQL",
+                    "description": "Compose and execute a SQL query to update this row",
+                },
+            ]
+
+    return inner
+
+
+_name_patterns = (
+    r"\[([^\]]+)\]",  # create table [foo]
+    r'"([^"]+)"',  # create table "foo"
+    r"'([^']+)'",  # create table 'foo'
+    r"([a-zA-Z_][a-zA-Z0-9_]*)",  # create table foo123
+)
+_res = []
+for type in ("table", "view"):
+    for name_pattern in _name_patterns:
+        for verb in ("create", "drop"):
+            pattern = r"\s*{}\s+{}\s+{}.*".format(verb, type, name_pattern)
+            _res.append((type, verb, re.compile(pattern, re.I)))
+        alter_table_pattern = r"\s*alter\s+table\s+{}.*".format(name_pattern)
+        _res.append(("table", "alter", re.compile(alter_table_pattern, re.I)))
+
+
+def parse_create_alter_drop_sql(sql):
+    """
+    Simple regex-based detection of 'create table foo' type queries
+
+    Returns the view or table name, or None if none was identified
+    """
+    for type, verb, _re in _res:
+        match = _re.match(sql)
+        if match is not None:
+            return match.group(1), verb, type
+    return None

{datasette-write-0.3.1 → datasette_write-0.4}/datasette_write/templates/datasette_write.html

@@ -1,6 +1,6 @@
 {% extends "base.html" %}
 
-{% block title %}Write with SQL{% endblock %}
+{% block title %}{% if custom_title %}{{ custom_title }}{% else %}Write to {{ database_name }} with SQL{% endif %}{% endblock %}
 
 {% block extra_head %}
 <style>
@@ -25,7 +25,7 @@
     box-sizing: border-box;
 }
 #query-parameters-area textarea {
-    height: 8em;
+    height: 20em;
 }
 .submit-container {
     padding-top: 1em;
@@ -36,28 +36,34 @@
 </style>
 {% endblock %}
 
+{% block crumbs %}
+{{ crumbs.nav(request=request, database=database_name) }}
+{% endblock %}
+
 {% block content %}
-<h1>Write to the database with SQL</h1>
+<h1>{% if custom_title %}{{ custom_title }}{% else %}Write to {{ database_name }} with SQL{% endif %}</h1>
 
-<form class="write-form" action="{{ base_url }}-/write" method="post" style="margin-bottom: 1em">
+<form class="write-form core" action="{{ request.path }}" method="post" style="margin-bottom: 1em">
     <input type="hidden" name="csrftoken" value="{{ csrftoken() }}">
-    <p class="database-select"><label>Database: <select name="database">{% for database in databases %}
-        <option{% if database.name == selected_database %} selected="selected"{% endif %}>{{ database.name }}</option>
-    {% endfor %}</select></label></p>
-    <p><textarea name="sql" style="box-sizing: border-box; width: 100%; padding-right: 10px; max-width: 600px; height: 10em; padding: 6px;">{{ sql_from_args }}</textarea></p>
+    {% if custom_title %}<details style="margin-bottom: 1em"><summary>SQL query</summary>{% endif %}
+        <p><textarea name="sql" style="box-sizing: border-box; width: 100%; padding-right: 10px; max-width: 600px; height: {{ sql_textarea_height }}em; padding: 6px;">{{ sql_from_args }}</textarea></p>
+    {% if custom_title %}</details>{% endif %}
     <div class="query-parameters">
         <div id="query-parameters-area">
             {% for parameter in parameters %}
                 <label for="qp_{{ parameter.name }}">{{ parameter.label }}</label>
                 {% if parameter.type == "text" %}
-                    <input type="text" id="qp_{{ parameter.name }}" name="qp_{{ parameter.name }}" value="">
+                    <input type="text" id="qp_{{ parameter.name }}" name="qp_{{ parameter.name }}" value="{{ parameter.value }}">
+                {% elif parameter.type == "hidden" %}
+                    <input type="text" disabled id="qp_{{ parameter.name }}" name="qp_{{ parameter.name }}" value="{{ parameter.value }}">
                 {% elif parameter.type == "textarea" %}
-                    <textarea id="qp_{{ parameter.name }}" name="qp_{{ parameter.name }}"></textarea>
+                    <textarea id="qp_{{ parameter.name }}" name="qp_{{ parameter.name }}">{{ parameter.value }}</textarea>
                 {% endif %}
             {% endfor %}
         </div>
     </div>
     <div class="submit-container">
+        <input type="hidden" name="_redirect_to" value="{{ redirect_to }}">
         <input type="submit" value="Execute query">
     </div>
 </form>
@@ -65,7 +71,7 @@
 {% if tables %}
     <p><strong>Tables</strong>:
         {% for table in tables %}
-            <a href="{{ urls.table(selected_database, table) }}">{{ table }}</a>{% if not loop.last %}, {% endif %}
+            <a href="{{ urls.table(database_name, table) }}">{{ table }}</a>{% if not loop.last %}, {% endif %}
         {% endfor %}
     </p>
 {% endif %}
@@ -73,7 +79,7 @@
 {% if views %}
     <p><strong>Views</strong>:
         {% for view in views %}
-            <a href="{{ urls.table(selected_database, view) }}">{{ view }}</a>{% if not loop.last %}, {% endif %}
+            <a href="{{ urls.table(database_name, view) }}">{{ view }}</a>{% if not loop.last %}, {% endif %}
         {% endfor %}
     </p>
 {% endif %}
@@ -81,16 +87,42 @@
 <script>
 function buildQueryParametersHtml(parameters) {
     let htmlString = '';
+    var qsParams = new URLSearchParams(location.search);
     parameters.forEach(param => {
+        const value = escapeHtml(qsParams.get(param.name) || '');
         if (param.type === 'text') {
-            htmlString += `<label for="qp_${param.name}">${param.label}</label> <input type="text" id="qp_${param.name}" name="qp_${param.name}" value="">\n`;
+            htmlString += `
+              <label for="qp_${param.name}">${param.label}</label>
+              <input type="text" id="qp_${param.name}" name="qp_${param.name}" value="${value}">
+            `;
         } else if (param.type === 'textarea') {
-            htmlString += `<label for="qp_${param.name}">${param.label}</label> <textarea id="qp_${param.name}" name="qp_${param.name}"></textarea>\n`;
+            htmlString += `
+              <label for="qp_${param.name}">${param.label}</label>
+              <textarea id="qp_${param.name}" name="qp_${param.name}">${value}</textarea>
+            `;
+        } else if (param.type === 'hidden') {
+            htmlString += `
+              <span></span>
+              <input type="hidden" id="qp_${param.name}" name="qp_${param.name}" value="${value}">
+            `;
         }
     });
     return htmlString;
 }
 
+function escapeHtml(str) {
+    return str.replace(/[&<>"']/g, function(match) {
+        switch (match) {
+            case '&': return '&amp;';
+            case '<': return '&lt;';
+            case '>': return '&gt;';
+            case '"': return '&quot;';
+            case "'": return '&#39;';
+            default: return match;
+        }
+    });
+}
+
 const sqlTextArea = document.querySelector('textarea[name="sql"]');
 const queryParametersArea = document.getElementById('query-parameters-area');
 let lastRequestTime = 0;

{datasette-write-0.3.1 → datasette_write-0.4}/datasette_write.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: datasette-write
-Version: 0.3.1
+Version: 0.4
 Summary: Datasette plugin providing a UI for writing to a database
 Home-page: https://github.com/simonw/datasette-write
 Author: Simon Willison
@@ -14,6 +14,7 @@ Provides-Extra: test
 Requires-Dist: pytest; extra == "test"
 Requires-Dist: pytest-asyncio; extra == "test"
 Requires-Dist: httpx; extra == "test"
+Requires-Dist: beautifulsoup4; extra == "test"
 
 # datasette-write
 
@@ -32,13 +33,13 @@ pip install datasette-write
 ```
 ## Usage
 
-Having installed the plugin, visit `/-/write` on your Datasette instance to submit SQL queries that will be executed against a write connection to the specified database.
+Having installed the plugin, visit `/db/-/write` on your Datasette instance to submit SQL queries that will be executed against a write connection to the specified database.
 
 By default only the `root` user can access the page - so you'll need to run Datasette with the `--root` option and click on the link shown in the terminal to sign in and access the page.
 
 The `datasette-write` permission governs access. You can use permission plugins such as [datasette-permissions-sql](https://github.com/simonw/datasette-permissions-sql) to grant additional access to the write interface.
 
-Pass `?sql=...` in the query string to pre-populate the SQL editor with a query. Pass `?database=...` to specify a database to run the query against.
+Pass `?sql=...` in the query string to pre-populate the SQL editor with a query.
 
 ## Parameterized queries
 
@@ -47,10 +48,16 @@ SQL queries can include parameters like this:
 insert into news (title, body)
     values (:title, :body_textarea)
 ```
-These will be converted into form fields on the `/-/write` page.
+These will be converted into form fields on the `/db/-/write` page.
 
 If a parameter name ends with `_textarea` it will be rendered as a multi-line textarea instead of a text input.
 
+If a parameter name ends with `_hidden` it will be rendered as a hidden input.
+
+## Updating rows with SQL
+
+On Datasette 1.0a13 and higher a row actions menu item will be added to the row page linking to a SQL query for updating that row, for users with the `datasette-write` permission.
+
 ## Development
 
 To set up this plugin locally, first checkout the code. Then create a new virtual environment:

{datasette-write-0.3.1 → datasette_write-0.4}/datasette_write.egg-info/requires.txt

@@ -4,3 +4,4 @@ datasette>=0.64.6
 pytest
 pytest-asyncio
 httpx
+beautifulsoup4

{datasette-write-0.3.1 → datasette_write-0.4}/setup.py

@@ -1,7 +1,7 @@
 from setuptools import setup
 import os
 
-VERSION = "0.3.1"
+VERSION = "0.4"
 
 
 def get_long_description():
@@ -34,5 +34,5 @@ setup(
     },
     entry_points={"datasette": ["write = datasette_write"]},
     install_requires=["datasette>=0.64.6"],
-    extras_require={"test": ["pytest", "pytest-asyncio", "httpx"]},
+    extras_require={"test": ["pytest", "pytest-asyncio", "httpx", "beautifulsoup4"]},
 )

datasette_write-0.4/tests/test_write.py

@@ -0,0 +1,315 @@
+from bs4 import BeautifulSoup as Soup
+import datasette
+from datasette.app import Datasette
+from datasette_write import parse_create_alter_drop_sql
+import pytest
+import sqlite3
+import textwrap
+import urllib
+
+
+@pytest.fixture
+def ds(tmp_path_factory):
+    db_directory = tmp_path_factory.mktemp("dbs")
+    db_path = str(db_directory / "test.db")
+    db_path2 = str(db_directory / "test2.db")
+    sqlite3.connect(db_path).executescript(
+        """
+        create table one (id integer primary key, count integer);
+        insert into one (id, count) values (1, 10);
+        insert into one (id, count) values (2, 20);
+    """
+    )
+    sqlite3.connect(db_path2).executescript(
+        """
+        create table simple_pk (id integer primary key, name text);
+        insert into simple_pk (id, name) values (1, 'one');
+        create table simple_pk_multiline (id integer primary key, name text);
+        insert into simple_pk_multiline (id, name) values (1, 'one' || char(10) || 'two');
+        create table compound_pk (id1 integer, id2 integer, name text, primary key (id1, id2));
+        insert into compound_pk (id1, id2, name) values (1, 2, 'one-two');
+        create table has_not_null (id integer primary key, sql text not null);
+        insert into has_not_null (id, sql) values (1, 'one');
+        """
+    )
+    ds = Datasette([db_path, db_path2])
+    return ds
+
+
+@pytest.mark.asyncio
+async def test_permission_denied(ds):
+    response = await ds.client.get("/test/-/write")
+    assert 403 == response.status_code
+
+
+@pytest.mark.asyncio
+async def test_permission_granted_to_root(ds):
+    response = await ds.client.get(
+        "/test/-/write",
+        cookies={"ds_actor": ds.sign({"a": {"id": "root"}}, "actor")},
+    )
+    assert response.status_code == 200
+    assert "<strong>Tables</strong>:" in response.text
+    assert '<a href="/test/one">one</a>' in response.text
+
+    # Should have database action menu option too:
+    anon_response = (await ds.client.get("/test")).text
+    fragment = '<a href="/test/-/write">Execute SQL write'
+    assert fragment not in anon_response
+    root_response = (
+        await ds.client.get(
+            "/test", cookies={"ds_actor": ds.sign({"a": {"id": "root"}}, "actor")}
+        )
+    ).text
+    assert fragment in root_response
+
+
+@pytest.mark.asyncio
+async def test_populate_sql_from_query_string(ds):
+    response = await ds.client.get(
+        "/test/-/write?sql=select+1",
+        cookies={"ds_actor": ds.sign({"a": {"id": "root"}}, "actor")},
+    )
+    assert response.status_code == 200
+    assert '">select 1</textarea>' in response.text
+
+
+@pytest.mark.parametrize(
+    "database,sql,params,expected_message",
+    [
+        (
+            "test",
+            "create table newtable (id integer)",
+            {},
+            "Created table: newtable",
+        ),
+        (
+            "test",
+            "drop table one",
+            {},
+            "Dropped table: one",
+        ),
+        (
+            "test",
+            "alter table one add column bigfile blob",
+            {},
+            "Altered table: one",
+        ),
+        (
+            "test2",
+            "create table newtable (id integer)",
+            {},
+            "Created table: newtable",
+        ),
+        (
+            "test2",
+            "create view blah as select 1 + 1",
+            {},
+            "Created view: blah",
+        ),
+        ("test", "update one set count = 5", {}, "2 rows affected"),
+        ("test", "invalid sql", {}, 'near "invalid": syntax error'),
+        # Parameterized queries
+        ("test", "update one set count = :count", {"qp_count": 4}, "2 rows affected"),
+        # This should error
+        (
+            "test",
+            "update one set count = :count",
+            {},
+            "Incorrect number of bindings supplied. The current statement uses 1, and there are 0 supplied.",
+        ),
+    ],
+)
+@pytest.mark.asyncio
+async def test_execute_write(ds, database, sql, params, expected_message):
+    # Get csrftoken
+    cookies = {"ds_actor": ds.sign({"a": {"id": "root"}}, "actor")}
+    response = await ds.client.get("/{}/-/write".format(database), cookies=cookies)
+    assert 200 == response.status_code
+    csrftoken = response.cookies["ds_csrftoken"]
+    cookies["ds_csrftoken"] = csrftoken
+    data = {
+        "sql": sql,
+        "csrftoken": csrftoken,
+    }
+    data.update(params)
+    # write to database
+    response2 = await ds.client.post(
+        "/{}/-/write".format(database),
+        data=data,
+        cookies=cookies,
+    )
+    messages = [m[0] for m in ds.unsign(response2.cookies["ds_messages"], "messages")]
+    assert messages[0] == expected_message
+    # Should have preserved ?database= in redirect:
+    bits = dict(urllib.parse.parse_qsl(response2.headers["location"].split("?")[-1]))
+    assert bits["database"] == database
+    # Should have preserved ?sql= in redirect:
+    assert bits["sql"] == sql
+
+
+@pytest.mark.parametrize(
+    "sql,expected_name,expected_verb,expected_type",
+    (
+        ("create table hello (...", "hello", "create", "table"),
+        ("  create view hello2 as (...", "hello2", "create", "view"),
+        ("select 1 + 1", None, None, None),
+        # Various styles of quoting
+        ("create table 'hello' (", "hello", "create", "table"),
+        ('  create   \n table "hello" (', "hello", "create", "table"),
+        ("create table [hello] (", "hello", "create", "table"),
+        ("create view 'hello' (", "hello", "create", "view"),
+        ('  create   \n view "hello" (', "hello", "create", "view"),
+        ("create view [hello] (", "hello", "create", "view"),
+        # Alter table
+        ("alter table [hello] ", "hello", "alter", "table"),
+        # But no alter view
+        ("alter view [hello] ", None, None, None),
+    ),
+)
+def test_parse_create_alter_drop_sql(sql, expected_name, expected_verb, expected_type):
+    name_verb_type = parse_create_alter_drop_sql(sql)
+    if expected_name is None:
+        assert name_verb_type is None
+    else:
+        assert name_verb_type == (expected_name, expected_verb, expected_type)
+
+
+@pytest.mark.asyncio
+@pytest.mark.parametrize(
+    "path,expected_path",
+    (
+        ("/-/write", "/test/-/write"),
+        ("/-/write?database=test", "/test/-/write"),
+        ("/-/write?database=test2", "/test2/-/write"),
+        ("/-/write?database=test2&a=1&a=2", "/test2/-/write?a=1&a=2"),
+    ),
+)
+async def test_write_redirect(ds, path, expected_path):
+    response = await ds.client.get(
+        path,
+        cookies={"ds_actor": ds.sign({"a": {"id": "root"}}, "actor")},
+    )
+    assert response.status_code == 302
+    assert response.headers["location"] == expected_path
+
+
+@pytest.mark.asyncio
+@pytest.mark.parametrize("valid", (True, False))
+async def test_redirect_to(ds, valid):
+    cookies = {"ds_actor": ds.sign({"a": {"id": "root"}}, "actor")}
+    signed_redirect_to = ds.sign("/", "redirect_to")
+    used_redirect_to = signed_redirect_to + ("" if valid else "invalid")
+    response = await ds.client.get(
+        "/test/-/write",
+        params={"_redirect_to": used_redirect_to},
+        cookies=cookies,
+    )
+    assert response.status_code == 200
+    # Should have redirect_to field
+    input = Soup(response.text, "html.parser").find("input", {"name": "_redirect_to"})
+    assert input.attrs["value"] == used_redirect_to
+    assert '<input type="hidden" name="_redirect_to"' in response.text
+    csrftoken = response.cookies["ds_csrftoken"]
+    cookies["ds_csrftoken"] = csrftoken
+    data = {
+        "sql": "select 1",
+        "csrftoken": csrftoken,
+        "_redirect_to": signed_redirect_to,
+    }
+    # POSTing this should redirect to / if signed_redirect_to is valid
+    response2 = await ds.client.post(
+        "/test/-/write",
+        data=data,
+        cookies=cookies,
+    )
+    assert response2.status_code == 302
+    actual_redirect_to = response2.headers["location"]
+    assert actual_redirect_to == "/" if valid else "/test/-/write"
+
+
+@pytest.mark.asyncio
+@pytest.mark.parametrize("scenario", ("valid", "invalid", "none"))
+async def test_title(ds, scenario):
+    cookies = {"ds_actor": ds.sign({"a": {"id": "root"}}, "actor")}
+    signed_title = ds.sign("Custom Title", "query_title")
+    params = {}
+    if scenario != "none":
+        params["_title"] = signed_title + ("" if scenario == "valid" else "invalid")
+    response = await ds.client.get(
+        "/test/-/write",
+        params=params,
+        cookies=cookies,
+    )
+    assert response.status_code == 200
+    if scenario == "valid":
+        assert "<title>Custom Title</title>" in response.text
+        # <details><summary only if custom title is set
+        assert "<summary>SQL query</summary>" in response.text
+    else:
+        assert "<title>Write to test with SQL</title>" in response.text
+        assert "<summary>SQL query</summary>" not in response.text
+
+
+@pytest.mark.asyncio
+# Skip if Datasette < ('1', '0a15')
+@pytest.mark.skipif(
+    datasette.__version_info__ < ("1", "0"),
+    reason="Datasette < 1.0 does not support this hook",
+)
+@pytest.mark.parametrize(
+    "path,expected",
+    [
+        (
+            "/test2/simple_pk/1",
+            textwrap.dedent(
+                """
+                    update "simple_pk" set
+                      "name" = nullif(:name, '')
+                    where "id" = :id_hidden
+                """
+            ).strip(),
+        ),
+        (
+            "/test2/simple_pk_multiline/1",
+            textwrap.dedent(
+                """
+                    update "simple_pk_multiline" set
+                      "name" = nullif(:name_textarea, '')
+                    where "id" = :id_hidden
+                """
+            ).strip(),
+        ),
+        (
+            "/test2/compound_pk/1,2",
+            textwrap.dedent(
+                """
+                    update "compound_pk" set
+                      "name" = nullif(:name, '')
+                    where "id1" = :id1_hidden and "id2" = :id2_hidden
+                """
+            ).strip(),
+        ),
+        (
+            "/test2/has_not_null/1",
+            textwrap.dedent(
+                """
+                    update "has_not_null" set
+                      "sql" = :_sql
+                    where "id" = :id_hidden
+                """
+            ).strip(),
+        ),
+    ],
+)
+async def test_row_actions(ds, path, expected):
+    cookies = {"ds_actor": ds.sign({"a": {"id": "root"}}, "actor")}
+    response = await ds.client.get(
+        path,
+        cookies=cookies,
+    )
+    href = Soup(response.text, "html.parser").select(".dropdown-menu a")[0]["href"]
+    qs = href.split("?")[-1]
+    bits = dict(urllib.parse.parse_qsl(qs))
+    actual = bits["sql"]
+    assert actual == expected

datasette-write-0.3.1/datasette_write/__init__.py

@@ -1,203 +0,0 @@
-from datasette import hookimpl, Forbidden, Response
-from datasette.utils import derive_named_parameters
-from urllib.parse import urlencode
-import re
-
-
-async def write(request, datasette):
-    if not await datasette.permission_allowed(
-        request.actor, "datasette-write", default=False
-    ):
-        raise Forbidden("Permission denied for datasette-write")
-    databases = [
-        db
-        for db in datasette.databases.values()
-        if db.is_mutable and db.name != "_internal"
-    ]
-    if request.method == "GET":
-        selected_database = request.args.get("database") or ""
-        if not selected_database or selected_database == "_internal":
-            selected_database = databases[0].name
-        database = datasette.get_database(selected_database)
-        tables = await database.table_names()
-        views = await database.view_names()
-        sql = request.args.get("sql") or ""
-        return Response.html(
-            await datasette.render_template(
-                "datasette_write.html",
-                {
-                    "databases": databases,
-                    "sql_from_args": sql,
-                    "selected_database": selected_database,
-                    "parameters": await derive_parameters(database, sql),
-                    "tables": tables,
-                    "views": views,
-                },
-                request=request,
-            )
-        )
-    elif request.method == "POST":
-        formdata = await request.post_vars()
-        database_name = formdata["database"]
-        sql = formdata["sql"]
-        try:
-            database = [db for db in databases if db.name == database_name][0]
-        except IndexError:
-            return Response.html("Database not found", status_code=404)
-
-        result = None
-        message = None
-        params = {
-            key[3:]: value for key, value in formdata.items() if key.startswith("qp_")
-        }
-        print(params)
-        try:
-            result = await database.execute_write(sql, params, block=True)
-            if result.rowcount == -1:
-                # Maybe it was a create table / create view?
-                name_verb_type = parse_create_alter_drop_sql(sql)
-                if name_verb_type:
-                    name, verb, type = name_verb_type
-                    message = "{verb} {type}: {name}".format(
-                        name=name,
-                        type=type,
-                        verb={
-                            "create": "Created",
-                            "drop": "Dropped",
-                            "alter": "Altered",
-                        }[verb],
-                    )
-                else:
-                    message = "Query executed"
-            else:
-                message = "{} row{} affected".format(
-                    result.rowcount, "" if result.rowcount == 1 else "s"
-                )
-        except Exception as e:
-            message = str(e)
-        datasette.add_message(
-            request,
-            message,
-            type=datasette.INFO if result else datasette.ERROR,
-        )
-        return Response.redirect(
-            datasette.urls.path("/-/write?")
-            + urlencode(
-                {
-                    "database": database.name,
-                    "sql": sql,
-                }
-            )
-        )
-    else:
-        return Response.html("Bad method", status_code=405)
-
-
-async def derive_parameters(db, sql):
-    parameters = await derive_named_parameters(db, sql)
-    return [
-        {
-            "name": parameter,
-            "type": "textarea" if parameter.endswith("textarea") else "text",
-            "label": (
-                parameter.replace("_textarea", "")
-                if parameter.endswith("textarea")
-                else parameter
-            ),
-        }
-        for parameter in parameters
-    ]
-
-
-async def write_derive_parameters(datasette, request):
-    if not await datasette.permission_allowed(
-        request.actor, "datasette-write", default=False
-    ):
-        raise Forbidden("Permission denied for datasette-write")
-    try:
-        db = datasette.get_database(request.args.get("database"))
-    except KeyError:
-        db = datasette.get_database()
-    parameters = await derive_parameters(db, request.args.get("sql") or "")
-    return Response.json({"parameters": parameters})
-
-
-@hookimpl
-def register_routes():
-    return [
-        (r"^/-/write$", write),
-        (r"^/-/write/derive-parameters$", write_derive_parameters),
-    ]
-
-
-@hookimpl
-def permission_allowed(actor, action):
-    if action == "datasette-write" and actor and actor.get("id") == "root":
-        return True
-
-
-@hookimpl
-def menu_links(datasette, actor):
-    async def inner():
-        if await datasette.permission_allowed(actor, "datasette-write", default=False):
-            return [
-                {
-                    "href": datasette.urls.path("/-/write"),
-                    "label": "Execute SQL write",
-                },
-            ]
-
-    return inner
-
-
-@hookimpl
-def database_actions(datasette, actor, database):
-    async def inner():
-        if database != "_internal" and await datasette.permission_allowed(
-            actor, "datasette-write", default=False
-        ):
-            return [
-                {
-                    "href": datasette.urls.path(
-                        "/-/write?"
-                        + urlencode(
-                            {
-                                "database": database,
-                            }
-                        )
-                    ),
-                    "label": "Execute SQL write",
-                    "description": "Run queries like insert/update/delete against this database",
-                },
-            ]
-
-    return inner
-
-
-_name_patterns = (
-    r"\[([^\]]+)\]",  # create table [foo]
-    r'"([^"]+)"',  # create table "foo"
-    r"'([^']+)'",  # create table 'foo'
-    r"([a-zA-Z_][a-zA-Z0-9_]*)",  # create table foo123
-)
-_res = []
-for type in ("table", "view"):
-    for name_pattern in _name_patterns:
-        for verb in ("create", "drop"):
-            pattern = r"\s*{}\s+{}\s+{}.*".format(verb, type, name_pattern)
-            _res.append((type, verb, re.compile(pattern, re.I)))
-        alter_table_pattern = r"\s*alter\s+table\s+{}.*".format(name_pattern)
-        _res.append(("table", "alter", re.compile(alter_table_pattern, re.I)))
-
-
-def parse_create_alter_drop_sql(sql):
-    """
-    Simple regex-based detection of 'create table foo' type queries
-
-    Returns the view or table name, or None if none was identified
-    """
-    for type, verb, _re in _res:
-        match = _re.match(sql)
-        if match is not None:
-            return match.group(1), verb, type
-    return None

datasette-write-0.3.1/tests/test_write.py

@@ -1,173 +0,0 @@
-from datasette.app import Datasette
-from datasette_write import parse_create_alter_drop_sql
-import pytest
-import sqlite3
-import urllib
-
-
-@pytest.fixture
-def ds(tmp_path_factory):
-    db_directory = tmp_path_factory.mktemp("dbs")
-    db_path = str(db_directory / "test.db")
-    db_path2 = str(db_directory / "test2.db")
-    sqlite3.connect(db_path).executescript(
-        """
-        create table one (id integer primary key, count integer);
-        insert into one (id, count) values (1, 10);
-        insert into one (id, count) values (2, 20);
-    """
-    )
-    sqlite3.connect(db_path2).execute("vacuum")
-    ds = Datasette([db_path, db_path2])
-    return ds
-
-
-@pytest.mark.asyncio
-async def test_permission_denied(ds):
-    response = await ds.client.get("/-/write")
-    assert 403 == response.status_code
-
-
-@pytest.mark.asyncio
-async def test_permission_granted_to_root(ds):
-    response = await ds.client.get(
-        "/-/write",
-        cookies={"ds_actor": ds.sign({"a": {"id": "root"}}, "actor")},
-    )
-    assert response.status_code == 200
-    assert "<strong>Tables</strong>:" in response.text
-    assert '<a href="/test/one">one</a>' in response.text
-
-    # Should have database action menu option too:
-    anon_response = (await ds.client.get("/test")).text
-    fragment = ">Execute SQL write<"
-    assert fragment not in anon_response
-    root_response = (
-        await ds.client.get(
-            "/test", cookies={"ds_actor": ds.sign({"a": {"id": "root"}}, "actor")}
-        )
-    ).text
-    assert fragment in root_response
-
-
-@pytest.mark.asyncio
-@pytest.mark.parametrize("database", ["test", "test2"])
-async def test_select_database(ds, database):
-    response = await ds.client.get(
-        "/-/write?database={}".format(database),
-        cookies={"ds_actor": ds.sign({"a": {"id": "root"}}, "actor")},
-    )
-    assert response.status_code == 200
-    assert '<option selected="selected">{}</option>'.format(database) in response.text
-
-
-@pytest.mark.asyncio
-async def test_populate_sql_from_query_string(ds):
-    response = await ds.client.get(
-        "/-/write?sql=select+1",
-        cookies={"ds_actor": ds.sign({"a": {"id": "root"}}, "actor")},
-    )
-    assert response.status_code == 200
-    assert '">select 1</textarea>' in response.text
-
-
-@pytest.mark.parametrize(
-    "database,sql,params,expected_message",
-    [
-        (
-            "test",
-            "create table newtable (id integer)",
-            {},
-            "Created table: newtable",
-        ),
-        (
-            "test",
-            "drop table one",
-            {},
-            "Dropped table: one",
-        ),
-        (
-            "test",
-            "alter table one add column bigfile blob",
-            {},
-            "Altered table: one",
-        ),
-        (
-            "test2",
-            "create table newtable (id integer)",
-            {},
-            "Created table: newtable",
-        ),
-        (
-            "test2",
-            "create view blah as select 1 + 1",
-            {},
-            "Created view: blah",
-        ),
-        ("test", "update one set count = 5", {}, "2 rows affected"),
-        ("test", "invalid sql", {}, 'near "invalid": syntax error'),
-        # Parameterized queries
-        ("test", "update one set count = :count", {"qp_count": 4}, "2 rows affected"),
-        # This should error
-        (
-            "test",
-            "update one set count = :count",
-            {},
-            "Incorrect number of bindings supplied. The current statement uses 1, and there are 0 supplied.",
-        ),
-    ],
-)
-@pytest.mark.asyncio
-async def test_execute_write(ds, database, sql, params, expected_message):
-    # Get csrftoken
-    cookies = {"ds_actor": ds.sign({"a": {"id": "root"}}, "actor")}
-    response = await ds.client.get("/-/write", cookies=cookies)
-    assert 200 == response.status_code
-    csrftoken = response.cookies["ds_csrftoken"]
-    cookies["ds_csrftoken"] = csrftoken
-    data = {
-        "sql": sql,
-        "csrftoken": csrftoken,
-        "database": database,
-    }
-    data.update(params)
-    # write to database
-    response2 = await ds.client.post(
-        "/-/write",
-        data=data,
-        cookies=cookies,
-    )
-    messages = [m[0] for m in ds.unsign(response2.cookies["ds_messages"], "messages")]
-    assert messages[0] == expected_message
-    # Should have preserved ?database= in redirect:
-    bits = dict(urllib.parse.parse_qsl(response2.headers["location"].split("?")[-1]))
-    assert bits["database"] == database
-    # Should have preserved ?sql= in redirect:
-    assert bits["sql"] == sql
-
-
-@pytest.mark.parametrize(
-    "sql,expected_name,expected_verb,expected_type",
-    (
-        ("create table hello (...", "hello", "create", "table"),
-        ("  create view hello2 as (...", "hello2", "create", "view"),
-        ("select 1 + 1", None, None, None),
-        # Various styles of quoting
-        ("create table 'hello' (", "hello", "create", "table"),
-        ('  create   \n table "hello" (', "hello", "create", "table"),
-        ("create table [hello] (", "hello", "create", "table"),
-        ("create view 'hello' (", "hello", "create", "view"),
-        ('  create   \n view "hello" (', "hello", "create", "view"),
-        ("create view [hello] (", "hello", "create", "view"),
-        # Alter table
-        ("alter table [hello] ", "hello", "alter", "table"),
-        # But no alter view
-        ("alter view [hello] ", None, None, None),
-    ),
-)
-def test_parse_create_alter_drop_sql(sql, expected_name, expected_verb, expected_type):
-    name_verb_type = parse_create_alter_drop_sql(sql)
-    if expected_name is None:
-        assert name_verb_type is None
-    else:
-        assert name_verb_type == (expected_name, expected_verb, expected_type)