Users cannot restrict to auth-tokens-revoke-any, closes #20

simonw · Aug 31, 2023 · bac7e59 · bac7e59
1 parent 1584c01
commit bac7e59
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 1 deletion.
diff --git a/datasette_auth_tokens/views.py b/datasette_auth_tokens/views.py
@@ -160,7 +160,11 @@ async def _shared(datasette, request):
         )
     return {
         "actor": request.actor,
-        "all_permissions": datasette.permissions.keys(),
+        "all_permissions": [
+            key
+            for key in datasette.permissions.keys()
+            if key != "auth-tokens-revoke-any"
+        ],
         "database_permissions": [
             key for key, value in datasette.permissions.items() if value.takes_database
         ],

diff --git a/tests/test_managed_tokens.py b/tests/test_managed_tokens.py
@@ -281,3 +281,12 @@ async def test_token_pagination(ds_managed):
             break
     assert len(set(collected)) == num_tokens
     assert pages > 1
+
+
+@pytest.mark.asyncio
+async def test_tokens_cannot_be_restricted_to_auth_tokens_revoke_any(ds_managed):
+    root_cookie = ds_managed.sign({"a": {"id": "root"}}, "actor")
+    create_page = await ds_managed.client.get(
+        "/-/api/tokens/create", cookies={"ds_actor": root_cookie}
+    )
+    assert "auth-tokens-revoke-any" not in create_page.text