html_url,issue_url,id,node_id,user,user_label,created_at,updated_at,author_association,body,reactions,issue,issue_label,performed_via_github_app
https://github.com/simonw/datasette/issues/1939#issuecomment-1347646516,https://api.github.com/repos/simonw/datasette/issues/1939,1347646516,IC_kwDOBm6k_c5QU3Q0,9599,simonw,2022-12-13T02:07:50Z,2022-12-13T02:07:50Z,OWNER,Documentation for the new hook: https://docs.datasette.io/en/latest/plugin_hooks.html#register-permissions-datasette,"{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1485757511,register_permissions(datasette) plugin hook,
https://github.com/simonw/datasette/issues/1939#issuecomment-1345691103,https://api.github.com/repos/simonw/datasette/issues/1939,1345691103,IC_kwDOBm6k_c5QNZ3f,9599,simonw,2022-12-11T23:37:49Z,2022-12-11T23:37:49Z,OWNER,"Idea: a `/-/permissions` introspection endpoint for listing registered permissions
","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1485757511,register_permissions(datasette) plugin hook,
https://github.com/simonw/datasette/issues/1939#issuecomment-1343872168,https://api.github.com/repos/simonw/datasette/issues/1939,1343872168,IC_kwDOBm6k_c5QGdyo,9599,simonw,2022-12-09T05:29:53Z,2022-12-09T05:29:53Z,OWNER,"I'm going to address those ideas for changes to the `permission_allowed()` in a separate issue.

What would it take for the `register_permissions()` hook to be something I'm comfortable landing?

I think it's mainly that the list of permissions it provides should Do More Stuff:

- Participate in unit tests, in particular this one:
   
   https://github.com/simonw/datasette/blob/e539c1c024bc62d88df91d9107cbe37e7f0fe55f/tests/conftest.py#L79-L102

- That new `default` option should be respected - maybe if you omit `default=` from a call to `permission_allowed()` it could fall back on the default from there?
- Log a warning if you attempt to check a permission that wasn't registered

Then I can use the permissions - in particular their metadata - to help implement his:

- #1636","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1485757511,register_permissions(datasette) plugin hook,
https://github.com/simonw/datasette/issues/1939#issuecomment-1343858998,https://api.github.com/repos/simonw/datasette/issues/1939,1343858998,IC_kwDOBm6k_c5QGak2,9599,simonw,2022-12-09T05:12:17Z,2022-12-09T05:12:17Z,OWNER,Draft docs for the new plugin hook: https://datasette--1940.org.readthedocs.build/en/1940/plugin_hooks.html#register-permissions-datasette,"{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1485757511,register_permissions(datasette) plugin hook,
https://github.com/simonw/datasette/issues/1939#issuecomment-1343856781,https://api.github.com/repos/simonw/datasette/issues/1939,1343856781,IC_kwDOBm6k_c5QGaCN,9599,simonw,2022-12-09T05:10:00Z,2022-12-09T05:10:00Z,OWNER,Made a draft PR so ReadTheDocs would deploy my new documentation somewhere.,"{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1485757511,register_permissions(datasette) plugin hook,
https://github.com/simonw/datasette/issues/1939#issuecomment-1343844555,https://api.github.com/repos/simonw/datasette/issues/1939,1343844555,IC_kwDOBm6k_c5QGXDL,9599,simonw,2022-12-09T04:48:28Z,2022-12-09T04:48:28Z,OWNER,"I'm going to try a spike in a branch with `datasette.action_allowed(...)` and a `register_permissions()` plugin hook, to see what they look like.","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1485757511,register_permissions(datasette) plugin hook,
https://github.com/simonw/datasette/issues/1939#issuecomment-1343844112,https://api.github.com/repos/simonw/datasette/issues/1939,1343844112,IC_kwDOBm6k_c5QGW8Q,9599,simonw,2022-12-09T04:47:28Z,2022-12-09T04:47:28Z,OWNER,"I think `action_allowed` is my favourite, even though there's a little bit of concept overlap with `table_actions` and `database_actions`.

I never really liked those plugin hook names much to be honest, especially since they are inconsistent with `menu_links`:

https://github.com/simonw/datasette/blob/d67f812b7327c7075732688f3df728807503dc58/datasette/hookspecs.py#L123-L135","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1485757511,register_permissions(datasette) plugin hook,
https://github.com/simonw/datasette/issues/1939#issuecomment-1343843352,https://api.github.com/repos/simonw/datasette/issues/1939,1343843352,IC_kwDOBm6k_c5QGWwY,9599,simonw,2022-12-09T04:45:50Z,2022-12-09T04:45:50Z,OWNER,"Another option:

```python
if await datasette.actor_can(actor, ""insert-data""...)
```","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1485757511,register_permissions(datasette) plugin hook,
https://github.com/simonw/datasette/issues/1939#issuecomment-1343842362,https://api.github.com/repos/simonw/datasette/issues/1939,1343842362,IC_kwDOBm6k_c5QGWg6,9599,simonw,2022-12-09T04:43:38Z,2022-12-09T04:43:38Z,OWNER,"Asked ChatGPT for some alternative names, I didn't like any of them:

    is_permission_granted
    has_permission
    check_permission
    is_action_allowed
    check_access_permission
    permission_check
    validate_permission
    check_actor_permission
    verify_permission
    check_authorization

","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1485757511,register_permissions(datasette) plugin hook,
https://github.com/simonw/datasette/issues/1939#issuecomment-1343753386,https://api.github.com/repos/simonw/datasette/issues/1939,1343753386,IC_kwDOBm6k_c5QGAyq,9599,simonw,2022-12-09T02:20:20Z,2022-12-09T02:21:01Z,OWNER,"It's also referenced in this plugin hook:
```python
@hookspec
def permission_allowed(datasette, actor, action, resource):
    """"""Check if actor is allowed to perform this action - return True, False or None""""""
```
But more importantly, in these ones:
```python
@hookspec
def table_actions(datasette, actor, database, table, request):
    """"""Links for the table actions menu""""""


@hookspec
def database_actions(datasette, actor, database, request):
    """"""Links for the database actions menu""""""
```
So the word ""action"" is already used within Datasette to refer to those things - which are _almost_ but not quite the same as actions-as-permissions: many of the things that show up in those menus relate to permissions the user has, but not necessarily all of them.","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1485757511,register_permissions(datasette) plugin hook,
https://github.com/simonw/datasette/issues/1939#issuecomment-1343751860,https://api.github.com/repos/simonw/datasette/issues/1939,1343751860,IC_kwDOBm6k_c5QGAa0,9599,simonw,2022-12-09T02:18:11Z,2022-12-09T02:19:23Z,OWNER,"Should I rename ""permission"" to ""action"" elsewhere too? Maybe have a `register_actions(...)` plugin hook instead of adding `register_permissions(...)`? 

What else could the word ""action"" mean?

Currently it's used in the codebase to refer to GitHub Actions, and for code like this:
```python
        if await self.permission_allowed(
            actor=actor, action=""view-instance"", default=True
        ):
```
Which is already revealing the confusion between ""permission"" and ""action"".","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1485757511,register_permissions(datasette) plugin hook,
https://github.com/simonw/datasette/issues/1939#issuecomment-1343751261,https://api.github.com/repos/simonw/datasette/issues/1939,1343751261,IC_kwDOBm6k_c5QGARd,9599,simonw,2022-12-09T02:17:14Z,2022-12-09T02:17:14Z,OWNER,"One option:
```python
async def action_allowed(self, actor, action, database=None, resource=None):
```
`action_allowed` fixes the `permission` v.s. `action` thing a bit, and is a new name that doesn't clash with the existing method. I dropped `default` because that's now a property of the permission itself. `table` is now called `resource` and `database` is a separate parameter.","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1485757511,register_permissions(datasette) plugin hook,
https://github.com/simonw/datasette/issues/1939#issuecomment-1343749617,https://api.github.com/repos/simonw/datasette/issues/1939,1343749617,IC_kwDOBm6k_c5QF_3x,9599,simonw,2022-12-09T02:15:54Z,2022-12-09T02:15:54Z,OWNER,"What if I came up with a new method name for this, which could co-exist with the old one while that old one was deprecated?","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1485757511,register_permissions(datasette) plugin hook,
https://github.com/simonw/datasette/issues/1939#issuecomment-1343744338,https://api.github.com/repos/simonw/datasette/issues/1939,1343744338,IC_kwDOBm6k_c5QF-lS,9599,simonw,2022-12-09T02:08:42Z,2022-12-09T02:08:42Z,OWNER,Extracted a TIL: https://til.simonwillison.net/github/github-code-search-api-uses,"{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1485757511,register_permissions(datasette) plugin hook,
https://github.com/simonw/datasette/issues/1939#issuecomment-1343734812,https://api.github.com/repos/simonw/datasette/issues/1939,1343734812,IC_kwDOBm6k_c5QF8Qc,9599,simonw,2022-12-09T01:57:07Z,2022-12-09T01:57:07Z,OWNER,"This search is better:

    datasette permission_allowed -user:simonw -path:datasette/** -path:docs/** -path:tests/** language:python

That returns 11 results: https://cs.github.com/?scopeName=All+repos&scope=&q=datasette+permission_allowed+-user%3Asimonw+-path%3Adatasette%2F**+-path%3Adocs%2F**+-path%3Atests%2F**+language%3Apython

3 are forks of my repos. The rest are all by four users:

- [20after4/ddd](https://github.com/20after4/ddd)
- [emg110/datasette-graphql](https://github.com/emg110/datasette-graphql)
- [next-LI/datasette-csv-importer](https://github.com/next-LI/datasette-csv-importer)
- [next-LI/datasette-demo](https://github.com/next-LI/datasette-demo)
- [next-LI/datasette-live-config](https://github.com/next-LI/datasette-live-config)
- [next-LI/datasette-live-permissions](https://github.com/next-LI/datasette-live-permissions)
- [next-LI/datasette-search-all](https://github.com/next-LI/datasette-search-all)
- [next-LI/datasette-surveys](https://github.com/next-LI/datasette-surveys)
- [next-LI/datasette-write](https://github.com/next-LI/datasette-write)
- [rclement/datasette-dashboards](https://github.com/rclement/datasette-dashboards)

","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1485757511,register_permissions(datasette) plugin hook,
https://github.com/simonw/datasette/issues/1939#issuecomment-1343728929,https://api.github.com/repos/simonw/datasette/issues/1939,1343728929,IC_kwDOBm6k_c5QF60h,9599,simonw,2022-12-09T01:48:11Z,2022-12-09T01:52:33Z,OWNER,"This code search shows a bunch of repos I don't know about that would be affected by this change: https://cs.github.com/?scopeName=All+repos&scope=&q=datasette+permission_allowed+-user%3Asimonw#

These (and likely more):

Repositories

- [20after4/ddd](https://github.com/20after4/ddd)
- [next-LI/datasette-csv-importer](https://github.com/next-LI/datasette-csv-importer)
- [digital-land/datasette](https://github.com/digital-land/datasette)
- [mroswell/datasette](https://github.com/mroswell/datasette)
- [next-LI/datasette-live-config](https://github.com/next-LI/datasette-live-config)
- [keladhruv/datasette](https://github.com/keladhruv/datasette)
- [RhetTbull/datasette](https://github.com/RhetTbull/datasette)
- [chriswedgwood/datasette](https://github.com/chriswedgwood/datasette)
- [boan-anbo/datasette](https://github.com/boan-anbo/datasette)
- [MattTriano/datasette](https://github.com/MattTriano/datasette)
- [incadenza/datasette](https://github.com/incadenza/datasette)
- [robdyke/datasette](https://github.com/robdyke/datasette)
- [ctb/datasette](https://github.com/ctb/datasette)
- [eyeseast/datasette](https://github.com/eyeseast/datasette)
- [symbol-management/api-match-audit](https://github.com/symbol-management/api-match-audit)

Actually a lot of those are forks of Datasette itself - so maybe this is manageable?

Would be nice if I could come up with a GitHub search that excluded any repos with ""datasette"" as their exact name.

https://docs.github.com/en/search-github/github-code-search/understanding-github-code-search-syntax#using-qualifiers says:

> **Note:** The new code search beta does not currently support regular expressions or partial matching for repository names, so you will have to type the entire repository name (including the user prefix) for the `repo:` qualifier to work.","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1485757511,register_permissions(datasette) plugin hook,
https://github.com/simonw/datasette/issues/1939#issuecomment-1343727184,https://api.github.com/repos/simonw/datasette/issues/1939,1343727184,IC_kwDOBm6k_c5QF6ZQ,9599,simonw,2022-12-09T01:45:15Z,2022-12-09T01:45:15Z,OWNER,"Moving the concept of the default for the permission into this registry warrants a redesign of this method anyway:

https://github.com/simonw/datasette/blob/e539c1c024bc62d88df91d9107cbe37e7f0fe55f/datasette/app.py#L706","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1485757511,register_permissions(datasette) plugin hook,
https://github.com/simonw/datasette/issues/1939#issuecomment-1343724732,https://api.github.com/repos/simonw/datasette/issues/1939,1343724732,IC_kwDOBm6k_c5QF5y8,9599,simonw,2022-12-09T01:40:44Z,2022-12-09T01:43:25Z,OWNER,"```python
Permission = collections.namedtuple( 
    ""Permission"", (""name"", ""abbr"", ""takes_database"", ""takes_table"", ""default"") 
) 
```
I don`t think that design is quite right.

- Elsewhere in the code the concept is called an ""action"" rather than a ""permission"" - I think I can stick with the `Permission` name here though, it's pretty clear
- `takes_database` - is `takes_` the right verb here?
- `takes_table` can also refer to a SQL view or a canned named query

A question that was raised by the work in #1938 is whether you should be able to grant a permission like `insert-row` at the instance or database level - and if so, what does that look like? I think you should be able to do that, it doesn't make sense to have to grant it explicitly for every single table.

So maybe `takes_table` and `takes_database` are the right names here? But `table` is still bad because it doesn't reflect views and canned queries.

One thought is to use `resource` - but that will require a bunch of breaking changes to the existing APIs which treat resource as a tuple. Now's the best time to do that though before Datasette 1.0.","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1485757511,register_permissions(datasette) plugin hook,
https://github.com/simonw/datasette/issues/1939#issuecomment-1343722020,https://api.github.com/repos/simonw/datasette/issues/1939,1343722020,IC_kwDOBm6k_c5QF5Ik,9599,simonw,2022-12-09T01:36:05Z,2022-12-09T01:36:16Z,OWNER,"I originally added `permissions.py` for the permission debug tool in https://github.com/simonw/datasette/commit/c51d9246b996a2831c9bd6a1e205f6cb48b9a5f3 - I don't think anything else uses it yet.

- #1881","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1485757511,register_permissions(datasette) plugin hook,
https://github.com/simonw/datasette/issues/1939#issuecomment-1343721522,https://api.github.com/repos/simonw/datasette/issues/1939,1343721522,IC_kwDOBm6k_c5QF5Ay,9599,simonw,2022-12-09T01:35:15Z,2022-12-09T01:35:15Z,OWNER,"One concern I have about this: there are a bunch of existing plugins that do stuff with permissions that won't currently be using this hook.

Do I break those plugins, forcing new releases of them for compatibility with Datasette 1.0?

Or maybe I keep them working, but until they've upgraded to register their permissions there are things about them that won't work - e.g. you won't be able to configure their permissions in `metadata.yml` until they release something that does this hook.

Best thing is probably for me to get this working in core first and then evaluate the impact it would have on existing plugins once I have some running code.","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1485757511,register_permissions(datasette) plugin hook,