Menu options should not be displayed without a permission check

[simonw]

I spotted this:

That's a public table on a private instance - the GraphQL link shows a permission denied error, so that link should not be there (for the database or table or main menu).

This isn't a security bug since actually clicking the link doesn't do anything useful, but it's a usability bug.

[simonw]

Relevant code:

datasette-graphql/datasette_graphql/__init__.py

Lines 159 to 164 in ded886e

	@hookimpl
	def menu_links(datasette, actor):
	graphql_path = _graphql_path(datasette)
	return [
	{"href": datasette.urls.path(graphql_path), "label": "GraphQL API"},
	]

datasette-graphql/datasette_graphql/__init__.py

Lines 229 to 236 in ded886e

	@hookimpl
	def table_actions(datasette, actor, database, table):
	async def inner():
	graphql_path = datasette.urls.path(
	"{}/{}".format(_graphql_path(datasette), database)
	)
	db_schema = await schema_for_database_via_cache(datasette, database=database)
	try:

datasette-graphql/datasette_graphql/__init__.py

Lines 253 to 262 in ded886e

	@hookimpl
	def database_actions(datasette, actor, database):
	graphql_path = _graphql_path(datasette)
	if len(datasette.databases) > 1:
	return [
	{
	"href": datasette.urls.path("{}/{}".format(graphql_path, database)),
	"label": "GraphQL API for {}".format(database),
	}
	]

Should use this method to check permissions:

datasette-graphql/datasette_graphql/__init__.py

Line 135 in ded886e

async def check_permissions(request, datasette, database):