html_url,issue_url,id,node_id,user,created_at,updated_at,author_association,body,reactions,issue,performed_via_github_app https://github.com/simonw/datasette/issues/1939#issuecomment-1347646516,https://api.github.com/repos/simonw/datasette/issues/1939,1347646516,IC_kwDOBm6k_c5QU3Q0,9599,2022-12-13T02:07:50Z,2022-12-13T02:07:50Z,OWNER,Documentation for the new hook: https://docs.datasette.io/en/latest/plugin_hooks.html#register-permissions-datasette,"{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1485757511, https://github.com/simonw/datasette/issues/1939#issuecomment-1345691103,https://api.github.com/repos/simonw/datasette/issues/1939,1345691103,IC_kwDOBm6k_c5QNZ3f,9599,2022-12-11T23:37:49Z,2022-12-11T23:37:49Z,OWNER,"Idea: a `/-/permissions` introspection endpoint for listing registered permissions ","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1485757511, https://github.com/simonw/datasette/issues/1939#issuecomment-1343872168,https://api.github.com/repos/simonw/datasette/issues/1939,1343872168,IC_kwDOBm6k_c5QGdyo,9599,2022-12-09T05:29:53Z,2022-12-09T05:29:53Z,OWNER,"I'm going to address those ideas for changes to the `permission_allowed()` in a separate issue. What would it take for the `register_permissions()` hook to be something I'm comfortable landing? I think it's mainly that the list of permissions it provides should Do More Stuff: - Participate in unit tests, in particular this one: https://github.com/simonw/datasette/blob/e539c1c024bc62d88df91d9107cbe37e7f0fe55f/tests/conftest.py#L79-L102 - That new `default` option should be respected - maybe if you omit `default=` from a call to `permission_allowed()` it could fall back on the default from there? 
- Log a warning if you attempt to check a permission that wasn't registered Then I can use the permissions - in particular their metadata - to help implement this: - #1636","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1485757511, https://github.com/simonw/datasette/issues/1939#issuecomment-1343858998,https://api.github.com/repos/simonw/datasette/issues/1939,1343858998,IC_kwDOBm6k_c5QGak2,9599,2022-12-09T05:12:17Z,2022-12-09T05:12:17Z,OWNER,Draft docs for the new plugin hook: https://datasette--1940.org.readthedocs.build/en/1940/plugin_hooks.html#register-permissions-datasette,"{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1485757511, https://github.com/simonw/datasette/issues/1939#issuecomment-1343856781,https://api.github.com/repos/simonw/datasette/issues/1939,1343856781,IC_kwDOBm6k_c5QGaCN,9599,2022-12-09T05:10:00Z,2022-12-09T05:10:00Z,OWNER,Made a draft PR so ReadTheDocs would deploy my new documentation somewhere.,"{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1485757511, https://github.com/simonw/datasette/issues/1939#issuecomment-1343844555,https://api.github.com/repos/simonw/datasette/issues/1939,1343844555,IC_kwDOBm6k_c5QGXDL,9599,2022-12-09T04:48:28Z,2022-12-09T04:48:28Z,OWNER,"I'm going to try a spike in a branch with `datasette.action_allowed(...)` and a `register_permissions()` plugin hook, to see what they look like.","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1485757511, https://github.com/simonw/datasette/issues/1939#issuecomment-1343844112,https://api.github.com/repos/simonw/datasette/issues/1939,1343844112,IC_kwDOBm6k_c5QGW8Q,9599,2022-12-09T04:47:28Z,2022-12-09T04:47:28Z,OWNER,"I think `action_allowed` is 
my favourite, even though there's a little bit of concept overlap with `table_actions` and `database_actions`. I never really liked those plugin hook names much to be honest, especially since they are inconsistent with `menu_links`: https://github.com/simonw/datasette/blob/d67f812b7327c7075732688f3df728807503dc58/datasette/hookspecs.py#L123-L135","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1485757511, https://github.com/simonw/datasette/issues/1939#issuecomment-1343843352,https://api.github.com/repos/simonw/datasette/issues/1939,1343843352,IC_kwDOBm6k_c5QGWwY,9599,2022-12-09T04:45:50Z,2022-12-09T04:45:50Z,OWNER,"Another option: ```python if await datasette.actor_can(actor, ""insert-data""...) ```","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1485757511, https://github.com/simonw/datasette/issues/1939#issuecomment-1343842362,https://api.github.com/repos/simonw/datasette/issues/1939,1343842362,IC_kwDOBm6k_c5QGWg6,9599,2022-12-09T04:43:38Z,2022-12-09T04:43:38Z,OWNER,"Asked ChatGPT for some alternative names, I didn't like any of them: is_permission_granted has_permission check_permission is_action_allowed check_access_permission permission_check validate_permission check_actor_permission verify_permission check_authorization ","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1485757511, https://github.com/simonw/datasette/issues/1939#issuecomment-1343753386,https://api.github.com/repos/simonw/datasette/issues/1939,1343753386,IC_kwDOBm6k_c5QGAyq,9599,2022-12-09T02:20:20Z,2022-12-09T02:21:01Z,OWNER,"It's also referenced in this plugin hook: ```python @hookspec def permission_allowed(datasette, actor, action, resource): """"""Check if actor is allowed to perform this action - return True, False or None"""""" ``` 
But more importantly, in these ones: ```python @hookspec def table_actions(datasette, actor, database, table, request): """"""Links for the table actions menu"""""" @hookspec def database_actions(datasette, actor, database, request): """"""Links for the database actions menu"""""" ``` So the word ""action"" is already used within Datasette to refer to those things - which are _almost_ but not quite the same as actions-as-permissions: many of the things that show up in those menus relate to permissions the user has, but not necessarily all of them.","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1485757511, https://github.com/simonw/datasette/issues/1939#issuecomment-1343751860,https://api.github.com/repos/simonw/datasette/issues/1939,1343751860,IC_kwDOBm6k_c5QGAa0,9599,2022-12-09T02:18:11Z,2022-12-09T02:19:23Z,OWNER,"Should I rename ""permission"" to ""action"" elsewhere too? Maybe have a `register_actions(...)` plugin hook instead of adding `register_permissions(...)`? What else could the word ""action"" mean? Currently it's used in the codebase to refer to GitHub Actions, and for code like this: ```python if await self.permission_allowed( actor=actor, action=""view-instance"", default=True ): ``` Which is already revealing the confusion between ""permission"" and ""action"".","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1485757511, https://github.com/simonw/datasette/issues/1939#issuecomment-1343751261,https://api.github.com/repos/simonw/datasette/issues/1939,1343751261,IC_kwDOBm6k_c5QGARd,9599,2022-12-09T02:17:14Z,2022-12-09T02:17:14Z,OWNER,"One option: ```python async def action_allowed(self, actor, action, database=None, resource=None): ``` `action_allowed` fixes the `permission` v.s. `action` thing a bit, and is a new name that doesn't clash with the existing method. 
I dropped `default` because that's now a property of the permission itself. `table` is now called `resource` and `database` is a separate parameter.","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1485757511, https://github.com/simonw/datasette/issues/1939#issuecomment-1343749617,https://api.github.com/repos/simonw/datasette/issues/1939,1343749617,IC_kwDOBm6k_c5QF_3x,9599,2022-12-09T02:15:54Z,2022-12-09T02:15:54Z,OWNER,"What if I came up with a new method name for this, which could co-exist with the old one while that old one was deprecated?","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1485757511, https://github.com/simonw/datasette/issues/1939#issuecomment-1343744338,https://api.github.com/repos/simonw/datasette/issues/1939,1343744338,IC_kwDOBm6k_c5QF-lS,9599,2022-12-09T02:08:42Z,2022-12-09T02:08:42Z,OWNER,Extracted a TIL: https://til.simonwillison.net/github/github-code-search-api-uses,"{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1485757511, https://github.com/simonw/datasette/issues/1939#issuecomment-1343734812,https://api.github.com/repos/simonw/datasette/issues/1939,1343734812,IC_kwDOBm6k_c5QF8Qc,9599,2022-12-09T01:57:07Z,2022-12-09T01:57:07Z,OWNER,"This search is better: datasette permission_allowed -user:simonw -path:datasette/** -path:docs/** -path:tests/** language:python That returns 11 results: https://cs.github.com/?scopeName=All+repos&scope=&q=datasette+permission_allowed+-user%3Asimonw+-path%3Adatasette%2F**+-path%3Adocs%2F**+-path%3Atests%2F**+language%3Apython 3 are forks of my repos. 
The rest are all by four users: - [20after4/ddd](https://github.com/20after4/ddd) - [emg110/datasette-graphql](https://github.com/emg110/datasette-graphql) - [next-LI/datasette-csv-importer](https://github.com/next-LI/datasette-csv-importer) - [next-LI/datasette-demo](https://github.com/next-LI/datasette-demo) - [next-LI/datasette-live-config](https://github.com/next-LI/datasette-live-config) - [next-LI/datasette-live-permissions](https://github.com/next-LI/datasette-live-permissions) - [next-LI/datasette-search-all](https://github.com/next-LI/datasette-search-all) - [next-LI/datasette-surveys](https://github.com/next-LI/datasette-surveys) - [next-LI/datasette-write](https://github.com/next-LI/datasette-write) - [rclement/datasette-dashboards](https://github.com/rclement/datasette-dashboards) ","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1485757511, https://github.com/simonw/datasette/issues/1939#issuecomment-1343728929,https://api.github.com/repos/simonw/datasette/issues/1939,1343728929,IC_kwDOBm6k_c5QF60h,9599,2022-12-09T01:48:11Z,2022-12-09T01:52:33Z,OWNER,"This code search shows a bunch of repos I don't know about that would be affected by this change: https://cs.github.com/?scopeName=All+repos&scope=&q=datasette+permission_allowed+-user%3Asimonw# These (and likely more): Repositories - [20after4/ddd](https://github.com/20after4/ddd) - [next-LI/datasette-csv-importer](https://github.com/next-LI/datasette-csv-importer) - [digital-land/datasette](https://github.com/digital-land/datasette) - [mroswell/datasette](https://github.com/mroswell/datasette) - [next-LI/datasette-live-config](https://github.com/next-LI/datasette-live-config) - [keladhruv/datasette](https://github.com/keladhruv/datasette) - [RhetTbull/datasette](https://github.com/RhetTbull/datasette) - [chriswedgwood/datasette](https://github.com/chriswedgwood/datasette) - 
[boan-anbo/datasette](https://github.com/boan-anbo/datasette) - [MattTriano/datasette](https://github.com/MattTriano/datasette) - [incadenza/datasette](https://github.com/incadenza/datasette) - [robdyke/datasette](https://github.com/robdyke/datasette) - [ctb/datasette](https://github.com/ctb/datasette) - [eyeseast/datasette](https://github.com/eyeseast/datasette) - [symbol-management/api-match-audit](https://github.com/symbol-management/api-match-audit) Actually a lot of those are forks of Datasette itself - so maybe this is manageable? Would be nice if I could come up with a GitHub search that excluded any repos with ""datasette"" as their exact name. https://docs.github.com/en/search-github/github-code-search/understanding-github-code-search-syntax#using-qualifiers says: > **Note:** The new code search beta does not currently support regular expressions or partial matching for repository names, so you will have to type the entire repository name (including the user prefix) for the `repo:` qualifier to work.","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1485757511, https://github.com/simonw/datasette/issues/1939#issuecomment-1343727184,https://api.github.com/repos/simonw/datasette/issues/1939,1343727184,IC_kwDOBm6k_c5QF6ZQ,9599,2022-12-09T01:45:15Z,2022-12-09T01:45:15Z,OWNER,"Moving the concept of the default for the permission into this registry warrants a redesign of this method anyway: https://github.com/simonw/datasette/blob/e539c1c024bc62d88df91d9107cbe37e7f0fe55f/datasette/app.py#L706","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1485757511, https://github.com/simonw/datasette/issues/1939#issuecomment-1343724732,https://api.github.com/repos/simonw/datasette/issues/1939,1343724732,IC_kwDOBm6k_c5QF5y8,9599,2022-12-09T01:40:44Z,2022-12-09T01:43:25Z,OWNER,"```python Permission = 
collections.namedtuple( ""Permission"", (""name"", ""abbr"", ""takes_database"", ""takes_table"", ""default"") ) ``` I don't think that design is quite right. - Elsewhere in the code the concept is called an ""action"" rather than a ""permission"" - I think I can stick with the `Permission` name here though, it's pretty clear - `takes_database` - is `takes_` the right verb here? - `takes_table` can also refer to a SQL view or a canned named query A question that was raised by the work in #1938 is whether you should be able to grant a permission like `insert-row` at the instance or database level - and if so, what does that look like? I think you should be able to do that, it doesn't make sense to have to grant it explicitly for every single table. So maybe `takes_table` and `takes_database` are the right names here? But `table` is still bad because it doesn't reflect views and canned queries. One thought is to use `resource` - but that will require a bunch of breaking changes to the existing APIs which treat resource as a tuple. Now's the best time to do that though before Datasette 1.0.","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1485757511, https://github.com/simonw/datasette/issues/1939#issuecomment-1343722020,https://api.github.com/repos/simonw/datasette/issues/1939,1343722020,IC_kwDOBm6k_c5QF5Ik,9599,2022-12-09T01:36:05Z,2022-12-09T01:36:16Z,OWNER,"I originally added `permissions.py` for the permission debug tool in https://github.com/simonw/datasette/commit/c51d9246b996a2831c9bd6a1e205f6cb48b9a5f3 - I don't think anything else uses it yet. 
- #1881","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1485757511, https://github.com/simonw/datasette/issues/1939#issuecomment-1343721522,https://api.github.com/repos/simonw/datasette/issues/1939,1343721522,IC_kwDOBm6k_c5QF5Ay,9599,2022-12-09T01:35:15Z,2022-12-09T01:35:15Z,OWNER,"One concern I have about this: there are a bunch of existing plugins that do stuff with permissions that won't currently be using this hook. Do I break those plugins, forcing new releases of them for compatibility with Datasette 1.0? Or maybe I keep them working, but until they've upgraded to register their permissions there are things about them that won't work - e.g. you won't be able to configure their permissions in `metadata.yml` until they release something that does this hook. Best thing is probably for me to get this working in core first and then evaluate the impact it would have on existing plugins once I have some running code.","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1485757511,