From 57e22c9ff5eb121c40cc78dc72b8fad46d0fac41 Mon Sep 17 00:00:00 2001
From: Lance Edgar
Date: Fri, 18 Feb 2022 15:39:12 -0600
Subject: [PATCH] Only show DB picker for permissioned users
---
 tailbone/views/common.py | 6 ++++--
 tailbone/views/master.py | 25 ++++++++++++++-----------
 2 files changed, 18 insertions(+), 13 deletions(-)
diff --git a/tailbone/views/common.py b/tailbone/views/common.py
index 37b2c4a4..c3e40547 100644
--- a/tailbone/views/common.py
+++ b/tailbone/views/common.py
@@ -2,7 +2,7 @@
 ################################################################################
 #
 # Rattail -- Retail Software Framework
-# Copyright © 2010-2021 Lance Edgar
+# Copyright © 2010-2022 Lance Edgar
 #
 # This file is part of Rattail.
 #
@@ -222,7 +222,9 @@ class CommonView(View):
 config.add_tailbone_permission('common', 'common.change_db_engine',
 "Change which Database Engine is active (for user)")
 config.add_route('change_db_engine', '/change-db-engine', request_method='POST')
- config.add_view(cls, attr='change_db_engine', route_name='change_db_engine')
+ config.add_view(cls, attr='change_db_engine',
+ route_name='change_db_engine',
+ permission='common.change_db_engine')
 # change theme
 config.add_tailbone_permission('common', 'common.change_app_theme',
diff --git a/tailbone/views/master.py b/tailbone/views/master.py
index 89def384..6c174f06 100644
--- a/tailbone/views/master.py
+++ b/tailbone/views/master.py
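Review bot: In the second common.py hunk, the `permission='common.change_db_engine'` argument on `config.add_view` is the only server-side enforcement for the POST route, and nothing in the code says so. The same literal also appears in `add_tailbone_permission` just above and in the `has_perm` check this commit adds to master.py, which only hides the picker. A comment such as `# access control is enforced here; the has_perm() check in MasterView only hides the picker` would keep a later edit from treating the UI check as the control. The handler body is outside the hunk, so it is not visible whether the posted engine key is checked against the configured engines; that is worth confirming.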
@@ -2276,18 +2276,21 @@ class MasterView(View):
 kwargs['expose_db_picker'] = False
 if self.supports_multiple_engines:
- # view declares support for multiple engines, but we only want to
- # show the picker if we have more than one engine configured
- engines = self.get_db_engines()
- if len(engines) > 1:
+ # DB picker is only shown for permissioned users
+ if self.request.has_perm('common.change_db_engine'):
- # user session determines "current" db engine *of this type*
- # (note that many master views may declare the same type, and
- # would therefore share the "current" engine)
- selected = self.get_current_engine_dbkey()
- kwargs['expose_db_picker'] = True
- kwargs['db_picker_options'] = [tags.Option(k) for k in engines]
- kwargs['db_picker_selected'] = selected
+ # view declares support for multiple engines, but we only want to
+ # show the picker if we have more than one engine configured
+ engines = self.get_db_engines()
+ if len(engines) > 1:
+
+ # user session determines "current" db engine *of this type*
+ # (note that many master views may declare the same type, and
+ # would therefore share the "current" engine)
+ selected = self.get_current_engine_dbkey()
+ kwargs['expose_db_picker'] = True
+ kwargs['db_picker_options'] = [tags.Option(k) for k in engines]
+ kwargs['db_picker_selected'] = selected
 # add info for downloadable input file templates, if any
 if self.has_input_file_templates:
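Review bot: Hiding the picker behind `has_perm('common.change_db_engine')` leaves a previously chosen engine in effect for a user who no longer holds the permission. The comment kept in this hunk says the user session determines the current engine, and within this hunk `get_current_engine_dbkey()` is now only called inside the permission branch. Whatever resolves the engine for queries is outside the hunk, so it presumably still honours the stale session value, while the user has no control left to switch back. Consider making that resolution path ignore the session selection when the permission check fails, falling back to the default engine. The enclosing method starts and ends outside the hunk.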