html_url,issue_url,id,node_id,user,user_label,created_at,updated_at,author_association,body,reactions,issue,issue_label,performed_via_github_app
https://github.com/simonw/datasette/issues/698#issuecomment-640108942,https://api.github.com/repos/simonw/datasette/issues/698,640108942,MDEyOklzc3VlQ29tbWVudDY0MDEwODk0Mg==,9599,simonw,2020-06-06T19:43:48Z,2020-06-06T19:43:48Z,OWNER,"Landed - documentation is here: https://datasette.readthedocs.io/en/latest/sql_queries.html#writable-canned-queries

See also https://datasette.readthedocs.io/en/latest/authentication.html#permissions-for-canned-queries","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",582517965,Ability for a canned query to write to the database,
https://github.com/simonw/datasette/issues/698#issuecomment-639788562,https://api.github.com/repos/simonw/datasette/issues/698,639788562,MDEyOklzc3VlQ29tbWVudDYzOTc4ODU2Mg==,9599,simonw,2020-06-05T20:27:49Z,2020-06-05T20:27:49Z,OWNER,"There can be a detailed section explaining these different mechanisms on the authentication documentation page.

I imagine they will end up applying to more than just canned queries.","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",582517965,Ability for a canned query to write to the database,
https://github.com/simonw/datasette/issues/698#issuecomment-639787304,https://api.github.com/repos/simonw/datasette/issues/698,639787304,MDEyOklzc3VlQ29tbWVudDYzOTc4NzMwNA==,9599,simonw,2020-06-05T20:26:57Z,2020-06-05T20:26:57Z,OWNER,"Idea: an `""allow_sql""` key with a SQL query that gets passed the actor JSON as `:actor` and can extract the relevant keys from it and return 1 or 0.","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",582517965,Ability for a canned query to write to the database,
https://github.com/simonw/datasette/issues/698#issuecomment-639785878,https://api.github.com/repos/simonw/datasette/issues/698,639785878,MDEyOklzc3VlQ29tbWVudDYzOTc4NTg3OA==,9599,simonw,2020-06-05T20:25:55Z,2020-06-05T20:25:55Z,OWNER,"I'd really like to support SQL query defined permissions too, mainly to set an example for how plugins could do something similar.","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",582517965,Ability for a canned query to write to the database,
https://github.com/simonw/datasette/issues/698#issuecomment-639784651,https://api.github.com/repos/simonw/datasette/issues/698,639784651,MDEyOklzc3VlQ29tbWVudDYzOTc4NDY1MQ==,9599,simonw,2020-06-05T20:25:02Z,2020-06-05T20:25:02Z,OWNER,"Idea: default is anyone can execute a query.

Or you can specify the following:

```json

{
    ""databases"": {
       ""my-database"": {
           ""queries"": {
               ""add_twitter_handle"": {
                   ""sql"": ""insert into twitter_handles (username) values (:username)"",
                   ""write"": true,
                   ""allow"": {
                       ""id"": [""simon""],
                       ""role"": [""staff""]
                   }
               }
           }
       }
    }
}
```
These get matched against the actor JSON. If any of the fields in any of the keys of `""allow""` match a key on the actor, the query is allowed.

`""id"": ""*""` matches any actor with an `id` key.","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",582517965,Ability for a canned query to write to the database,
https://github.com/simonw/datasette/issues/698#issuecomment-639779403,https://api.github.com/repos/simonw/datasette/issues/698,639779403,MDEyOklzc3VlQ29tbWVudDYzOTc3OTQwMw==,9599,simonw,2020-06-05T20:20:12Z,2020-06-05T20:20:12Z,OWNER,CSRF is done. Last step: figure out a smart way to integrate this with permissions and authentication.,"{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",582517965,Ability for a canned query to write to the database,
https://github.com/simonw/datasette/issues/698#issuecomment-638266171,https://api.github.com/repos/simonw/datasette/issues/698,638266171,MDEyOklzc3VlQ29tbWVudDYzODI2NjE3MQ==,9599,simonw,2020-06-03T15:18:49Z,2020-06-03T15:18:49Z,OWNER,Landed the work so far from #796! Here's the documentation: https://datasette.readthedocs.io/en/latest/sql_queries.html#writable-canned-queries,"{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",582517965,Ability for a canned query to write to the database,
https://github.com/simonw/datasette/issues/698#issuecomment-638183337,https://api.github.com/repos/simonw/datasette/issues/698,638183337,MDEyOklzc3VlQ29tbWVudDYzODE4MzMzNw==,9599,simonw,2020-06-03T13:05:03Z,2020-06-03T13:05:03Z,OWNER,"One challenge with this feature is that it confuses the messaging about what Datasette does somewhat.

Prior to shipping this, Datasette's core value proposition is as a way to publish read-only data.

That changed a little [in 0.37 in February](https://datasette.readthedocs.io/en/stable/changelog.html#v0-37) when plugins gained the supported ability to execute writes, but there was no way of doing that without a plugin.

With this feature, Datasette becomes a read-write database solution.

I should update the documentation to help explain this. Essentially the message is that Datasette can be used in one of two ""modes"" - it can be used just for sharing/publishing data, or you can use it to collect and manage data, most likely still in collaboration with plugins for things like authentication.","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",582517965,Ability for a canned query to write to the database,
https://github.com/simonw/datasette/issues/698#issuecomment-637934813,https://api.github.com/repos/simonw/datasette/issues/698,637934813,MDEyOklzc3VlQ29tbWVudDYzNzkzNDgxMw==,9599,simonw,2020-06-03T03:45:07Z,2020-06-03T03:45:07Z,OWNER,"Some extra thoughts now that this is mostly working:

- ""Edit this row"" is such an obvious use-case. Could I automatically support row editing where every column except the primary key can be updated?
- It would be useful to be able to link to a query in a way that pre-populates various form fields. The ""edit"" interface could then be a link that pre-populates the form with all of the existing values.
- Can the redirect URL be configured to include values from the form submission? So you could e.g. add a blog post with a unique slug and then redirect to that URL?","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",582517965,Ability for a canned query to write to the database,
https://github.com/simonw/datasette/issues/698#issuecomment-637879242,https://api.github.com/repos/simonw/datasette/issues/698,637879242,MDEyOklzc3VlQ29tbWVudDYzNzg3OTI0Mg==,9599,simonw,2020-06-03T00:10:30Z,2020-06-03T00:10:30Z,OWNER,Started a fresh pull request for this in #796 - the one in #703 got a bit untidy.,"{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",582517965,Ability for a canned query to write to the database,
https://github.com/simonw/datasette/issues/698#issuecomment-636617140,https://api.github.com/repos/simonw/datasette/issues/698,636617140,MDEyOklzc3VlQ29tbWVudDYzNjYxNzE0MA==,9599,simonw,2020-06-01T05:14:39Z,2020-06-01T05:14:39Z,OWNER,Here's the new `default_permissions.py` file I can add this permission check to: https://github.com/simonw/datasette/blob/dfdbdf378aba9afb66666f66b78df2f2069d2595/datasette/default_permissions.py#L1-L7,"{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",582517965,Ability for a canned query to write to the database,
https://github.com/simonw/datasette/issues/698#issuecomment-636569917,https://api.github.com/repos/simonw/datasette/issues/698,636569917,MDEyOklzc3VlQ29tbWVudDYzNjU2OTkxNw==,9599,simonw,2020-06-01T01:39:44Z,2020-06-01T01:39:44Z,OWNER,"Idea for the authentication piece: I'll have the canned query code execute the following:

```python
if await datasette.permission_allowed(
    request.scope.get(""actor""),  ""execute_query"", ""canned_query"", query_name, default=True
):
```
Then I'll add a default plugin to Datasette which implements that plugin hook, looks at the Datasette metadata for that query, and says ""No"" if the following (and `request.scope[""actor""]` is empty):

```json
{
    ""databases"": {
       ""my-database"": {
           ""queries"": {
               ""add_twitter_handle"": {
                   ""sql"": ""insert into twitter_handles (username) values (:username)"",
                   ""write"": true,
                   ""requires_actor"": true
               }
           }
       }
    }
}
```
I think I'll support this too:

```json
                   ""allowed_actors"": [""root""]
```
So you can configure queries to only be available to specific `{""id"": xxx}` actors.

This will be the first time the new `permission_allowed` mechanism from #699 will be exercised in Datasette core.","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",582517965,Ability for a canned query to write to the database,
https://github.com/simonw/datasette/issues/698#issuecomment-621041812,https://api.github.com/repos/simonw/datasette/issues/698,621041812,MDEyOklzc3VlQ29tbWVudDYyMTA0MTgxMg==,9599,simonw,2020-04-29T07:42:48Z,2020-04-29T07:42:48Z,OWNER,Need to figure out what the `.json` mode for this looks like - and if there's a `.csv` mode (I think not).,"{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",582517965,Ability for a canned query to write to the database,
https://github.com/simonw/datasette/issues/698#issuecomment-621037724,https://api.github.com/repos/simonw/datasette/issues/698,621037724,MDEyOklzc3VlQ29tbWVudDYyMTAzNzcyNA==,9599,simonw,2020-04-29T07:34:02Z,2020-04-29T07:34:02Z,OWNER,"Concept for displaying a success message:

<img width=""662"" alt=""fixtures__compound_three_primary_keys__1_001_rows"" src=""https://user-images.githubusercontent.com/9599/80571201-0a1b4f00-89b1-11ea-8688-2e3e4304e475.png"">
CSS:

```css
.success {
    padding: 1em;
    border: 1px solid green;
    background-color: #c7fbc7;
}","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",582517965,Ability for a canned query to write to the database,
https://github.com/simonw/datasette/issues/698#issuecomment-621036032,https://api.github.com/repos/simonw/datasette/issues/698,621036032,MDEyOklzc3VlQ29tbWVudDYyMTAzNjAzMg==,9599,simonw,2020-04-29T07:29:52Z,2020-04-29T07:29:52Z,OWNER,"What should happen when a query has been successfully executed?

That depends on the query. Some queries may wish to redirect to another page. Other queries might want to show a custom message.

There should at least be a default message saying the query has been executed.","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",582517965,Ability for a canned query to write to the database,
https://github.com/simonw/datasette/issues/698#issuecomment-608125928,https://api.github.com/repos/simonw/datasette/issues/698,608125928,MDEyOklzc3VlQ29tbWVudDYwODEyNTkyOA==,9599,simonw,2020-04-02T22:32:41Z,2020-04-02T22:33:10Z,OWNER,"I really want the option to use a `<textarea>` for a specific value.

Idea: metadata syntax like this:

```json
{
    ""databases"": {
       ""my-database"": {
           ""queries"": {
               ""add_twitter_handle"": {
                   ""sql"": ""insert into twitter_handles (username) values (:username)"",
                   ""write"": true,
                   ""params"": {
                       ""username"": {
                            ""widget"": ""textarea""
                       }
                   }
               }
           }
       }
    }
}
```
I can ship with some default widgets and provide a plugin hook for registering extra widgets.

This opens up some really exciting possibilities for things like map widgets that let you draw polygons.","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",582517965,Ability for a canned query to write to the database,
https://github.com/simonw/datasette/issues/698#issuecomment-608087223,https://api.github.com/repos/simonw/datasette/issues/698,608087223,MDEyOklzc3VlQ29tbWVudDYwODA4NzIyMw==,9599,simonw,2020-04-02T21:02:25Z,2020-04-02T21:02:25Z,OWNER,YAML for metadata is relevant to this: #713,"{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",582517965,Ability for a canned query to write to the database,
https://github.com/simonw/datasette/issues/698#issuecomment-602140071,https://api.github.com/repos/simonw/datasette/issues/698,602140071,MDEyOklzc3VlQ29tbWVudDYwMjE0MDA3MQ==,9599,simonw,2020-03-22T02:53:48Z,2020-03-22T02:53:48Z,OWNER,"This feature should include the ability to set a custom redirect URL for after the query has been executed - that way it can be used to build things like ""delete this row"" which redirect back to the correct table.","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",582517965,Ability for a canned query to write to the database,
https://github.com/simonw/datasette/issues/698#issuecomment-599856081,https://api.github.com/repos/simonw/datasette/issues/698,599856081,MDEyOklzc3VlQ29tbWVudDU5OTg1NjA4MQ==,9599,simonw,2020-03-17T03:14:20Z,2020-03-17T03:14:20Z,OWNER,"This is going to require a pretty full rewrite of the existing canned query logic, which currently shares a codepath with the code that lets you submit a SQL query:

https://github.com/simonw/datasette/blob/298a899e792ebd0cd82a5f01b613c31f19082e51/datasette/views/base.py#L464-L563","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",582517965,Ability for a canned query to write to the database,
https://github.com/simonw/datasette/issues/698#issuecomment-599704264,https://api.github.com/repos/simonw/datasette/issues/698,599704264,MDEyOklzc3VlQ29tbWVudDU5OTcwNDI2NA==,9599,simonw,2020-03-16T18:51:27Z,2020-03-17T02:44:44Z,OWNER,This is also going to need me to handle POST form submissions which means I need to be able to parse the form body. I guess that will go in [datasette/utils/asgi.py](https://github.com/simonw/datasette/blob/master/datasette/utils/asgi.py).,"{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",582517965,Ability for a canned query to write to the database,
https://github.com/simonw/datasette/issues/698#issuecomment-599706260,https://api.github.com/repos/simonw/datasette/issues/698,599706260,MDEyOklzc3VlQ29tbWVudDU5OTcwNjI2MA==,9599,simonw,2020-03-16T18:56:00Z,2020-03-16T18:56:00Z,OWNER,"It would be useful if this feature supported different types of input - at the most basic level `<input type=""text"">` v.s. `<textarea>`, but numbers, `<select>` etc would be useful too. This can be added later as additional `metadata.json` settings.","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",582517965,Ability for a canned query to write to the database,
https://github.com/simonw/datasette/issues/698#issuecomment-599704655,https://api.github.com/repos/simonw/datasette/issues/698,599704655,MDEyOklzc3VlQ29tbWVudDU5OTcwNDY1NQ==,9599,simonw,2020-03-16T18:52:23Z,2020-03-16T18:52:23Z,OWNER,I have code for form parsing in `asgi-csrf`: https://github.com/simonw/asgi-csrf/blob/3fc164a9258ebfa616d4e724fcb102b117277c6e/asgi_csrf.py#L91-L109,"{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",582517965,Ability for a canned query to write to the database,
https://github.com/simonw/datasette/issues/698#issuecomment-599703452,https://api.github.com/repos/simonw/datasette/issues/698,599703452,MDEyOklzc3VlQ29tbWVudDU5OTcwMzQ1Mg==,9599,simonw,2020-03-16T18:49:31Z,2020-03-16T18:49:31Z,OWNER,Also relevant: this will benefit from an authentication/permissions layer: #699,"{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",582517965,Ability for a canned query to write to the database,
https://github.com/simonw/datasette/issues/698#issuecomment-599701145,https://api.github.com/repos/simonw/datasette/issues/698,599701145,MDEyOklzc3VlQ29tbWVudDU5OTcwMTE0NQ==,9599,simonw,2020-03-16T18:44:19Z,2020-03-16T18:44:40Z,OWNER,This is going to need CSRF protection - see https://github.com/simonw/asgi-csrf,"{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",582517965,Ability for a canned query to write to the database,
https://github.com/simonw/datasette/issues/698#issuecomment-599697164,https://api.github.com/repos/simonw/datasette/issues/698,599697164,MDEyOklzc3VlQ29tbWVudDU5OTY5NzE2NA==,9599,simonw,2020-03-16T18:35:04Z,2020-03-16T18:35:27Z,OWNER,"By default this will extract the `:params` using the existing regular expression - which can occasionally break if there is a rogue `:` in the rest of the query.

To address this: allow an extra optional `""params"": [""username""]` field in metadata which, if available, is used instead of the regular expression extraction.","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",582517965,Ability for a canned query to write to the database,
https://github.com/simonw/datasette/issues/698#issuecomment-599696286,https://api.github.com/repos/simonw/datasette/issues/698,599696286,MDEyOklzc3VlQ29tbWVudDU5OTY5NjI4Ng==,9599,simonw,2020-03-16T18:32:59Z,2020-03-16T18:33:33Z,OWNER,"```json
{
    ""databases"": {
       ""my-database"": {
           ""queries"": {
               ""add_twitter_handle"": {
                   ""sql"": ""insert into twitter_handles (username) values (:username)"",
                   ""write"": true
               }
           }
       }
    }
}
```","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",582517965,Ability for a canned query to write to the database,