Magic parameters for canned queries #842
Comments
Two potential designs:
I feel the first would be easier to implement. |
It would be nice if Datasette didn't have to do any additional work to find e.g. Could I do this with a custom class that implements |
Yes that can work - and using

```python
import sqlite3

conn = sqlite3.connect(":memory:")


class Magic(dict):
    # Called for any key that is not in the dict, so every :param resolves
    def __missing__(self, key):
        return key.upper()


conn.execute("select :name", Magic()).fetchall()
```

Outputs:
|
The |
If every magic parameter has a prefix and suffix, like But does it make sense for every magic parameter to be of form |
Brainstorming more potential magic parameters:
|
But then what kind of magic parameters might plugins want to add? Here's a crazy idea: |
I'd be OK with the first version of this not including a plugin hook. |
Another magic parameter that would be useful would be Maybe This would be the first example of a magic parameter where part of the parameter name is used to configure the resulting value. Maybe neater to separate that with a different character? Unfortunately Actually this is already supported by the proposed design - |
I'm building this documentation-first - here's the documentation so far: https://github.com/simonw/datasette/blob/6fc8bd9c473f4a25e0a076f24c7e5a9b2f353bb8/docs/sql_queries.rst#magic-parameters |
It probably should - but that means it now needs a bunch of extra configuration to tell it which of those headers can be trusted in the current environment. As such I think I'll leave that for a plugin. |
Maybe I should ship a default
I'm going to have |
Security thought: make sure it's not possible to accidentally open up a security hole where an attacker can send a GET request that causes the magic parameter |
This is an open security hole in 94c1315 - it's useful for testing, but I need to remove it before I land that branch.

datasette/datasette/views/database.py, lines 231 to 237 in 94c1315
|
I'm going to rename |
Also added test coverage of GET on magic params in addition to POST
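
The following is an added example, not Datasette's code: it combines the `__missing__` approach from earlier in the thread with the GET/POST concern above, so that values for prefixed parameters only ever come from server-side context. The parameter names `_actor_id` and `_now_epoch`, the `RESOLVERS` table and `run_canned_insert` are assumptions made for this sketch.

```python
import sqlite3
import time


class MagicParameters(dict):
    """Named-parameter mapping for sqlite3: user values live in the dict,
    magic values are computed in __missing__ from server-side context only."""

    def __init__(self, user_params, actor, resolvers):
        # Drop every user-supplied key that uses the magic prefix, so a
        # query string or form field can never shadow a magic value.
        super().__init__(
            {k: v for k, v in user_params.items() if not k.startswith("_")}
        )
        self._actor = actor
        self._resolvers = resolvers

    def __missing__(self, key):
        # sqlite3 looks up mapping[key]; keys absent from the dict land here.
        if key.startswith("_") and "_" in key[1:]:
            prefix, suffix = key[1:].split("_", 1)
            if prefix in self._resolvers:
                return self._resolvers[prefix](suffix, self._actor)
        raise KeyError(key)


# Hypothetical resolvers keyed by prefix (names are assumptions for this example).
RESOLVERS = {
    "actor": lambda field, actor: (actor or {}).get(field),
    "now": lambda field, actor: {"epoch": int(time.time())}[field],
}


def run_canned_insert(user_params, actor):
    # user_params stands in for merged GET/POST data; actor for the signed-in user.
    conn = sqlite3.connect(":memory:")
    conn.execute("create table messages (author text, body text, created integer)")
    conn.execute(
        "insert into messages values (:_actor_id, :body, :_now_epoch)",
        MagicParameters(user_params, actor, RESOLVERS),
    )
    return conn.execute("select author, body, created from messages").fetchone()
```

Calling `run_canned_insert({"body": "hi", "_actor_id": "attacker"}, {"id": "root"})` stores `root` as the author, because the user-supplied `_actor_id` is discarded before binding.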
I'm going to add some canned queries to the |
Now that writable canned queries (#698) have landed, it would be neat if they supported "magic" parameters - parameters that are automatically populated with:
And maybe other things potentially added by plugins.