html_url,issue_url,id,node_id,user,created_at,updated_at,author_association,body,reactions,issue,performed_via_github_app,,642958225,MDEyOklzc3VlQ29tbWVudDY0Mjk1ODIyNQ==,9599,2020-06-11T22:15:32Z,2020-06-11T22:15:32Z,OWNER,,"{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",637253789,,,642953605,MDEyOklzc3VlQ29tbWVudDY0Mjk1MzYwNQ==,9599,2020-06-11T22:02:32Z,2020-06-11T22:02:32Z,OWNER,`datasette-auth-tokens` can be the name. I can get a simple initial version of it running pretty quickly.,"{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",635108074,,,642952962,MDEyOklzc3VlQ29tbWVudDY0Mjk1Mjk2Mg==,9599,2020-06-11T22:01:58Z,2020-06-11T22:01:58Z,OWNER,"Alternative idea: a plugin that handles Bearer token authentication. Uses `metadata.json` with secret plugin values to map an incoming token to an actor dictionary, which can then be mapped to permissions.","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",635108074,,,642951150,MDEyOklzc3VlQ29tbWVudDY0Mjk1MTE1MA==,9599,2020-06-11T22:00:17Z,2020-06-11T22:00:17Z,OWNER,"I got this working:

Just one problem: it uses the existing `ds_actor` cookie, which means it doesn't actually exercise the `actor_from_request` plugin!

It does use `register_routes` though.","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",635108074,,,642944645,MDEyOklzc3VlQ29tbWVudDY0Mjk0NDY0NQ==,9599,2020-06-11T21:49:55Z,2020-06-11T21:49:55Z,OWNER,"I'm OK with not implementing this - I've got used to the existing mechanism, and it doesn't frustrate me enough to work on this more.","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",314847571,,,642907021,MDEyOklzc3VlQ29tbWVudDY0MjkwNzAyMQ==,9599,2020-06-11T20:20:35Z,2020-06-11T20:20:35Z,OWNER,"I think the new `.check_permissions()` should be a documented utility that is available to plugins.
 Maybe a method on `datasette`?","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",636722501,,,642906681,MDEyOklzc3VlQ29tbWVudDY0MjkwNjY4MQ==,9599,2020-06-11T20:19:47Z,2020-06-11T20:20:02Z,OWNER,"So for the following:
await self.check_permissions(request, [
    (""view-table"", (database, table)),
    (""view-database"", database),
The logic is: if the first test returns `True`, you get access. If it returns `False` you are denied. If it says `None` then move on to the next check in the list and repeat.","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",636722501,,,642905424,MDEyOklzc3VlQ29tbWVudDY0MjkwNTQyNA==,9599,2020-06-11T20:16:41Z,2020-06-11T20:16:41Z,OWNER,I'll add a new test in `` which locks down an instance and  then loops through paths as the anonymous user making sure they aren't accessible.,"{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",637253789,,,642902208,MDEyOklzc3VlQ29tbWVudDY0MjkwMjIwOA==,9599,2020-06-11T20:08:57Z,2020-06-11T20:08:57Z,OWNER,"I'm tempted to add a `view-instance` check before routing any URLs, but that wouldn't be compatible with the idea in #832 that having `view-table` should be enough to view a table even if you don't pass `view-instance`.","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",637253789,,,642874724,MDEyOklzc3VlQ29tbWVudDY0Mjg3NDcyNA==,9599,2020-06-11T19:07:49Z,2020-06-11T19:07:49Z,OWNER,A live demo running the `datasette-auth-github` plugin will help demonstrate this.,"{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",637253789,,,642870553,MDEyOklzc3VlQ29tbWVudDY0Mjg3MDU1Mw==,9599,2020-06-11T18:58:49Z,2020-06-11T18:58:49Z,OWNER,I've implemented this in a plugin instead:,"{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",631932926,,,642795966,MDEyOklzc3VlQ29tbWVudDY0Mjc5NTk2Ng==,9599,2020-06-11T16:37:21Z,2020-06-11T16:37:21Z,OWNER,"How would I document this? Probably in another section on

But I'd also need to add documentation to the individual views stating what permissions are checked and in what order. I could do that on this page:","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",636722501,,,642772344,MDEyOklzc3VlQ29tbWVudDY0Mjc3MjM0NA==,9599,2020-06-11T16:01:15Z,2020-06-11T16:01:15Z,OWNER,"```
datasette package fixtures.db --secret woot --branch master
Sending build context to Docker daemon  260.6kB
Step 1/9 : FROM python:3.8
3.8: Pulling from library/python
e9afc4f90ab0: Downloading [=======>                                           ]  7.195MB/50.39MB
989e6b19a265: Downloading [============================>                      ]  4.475MB/7.812MB
af14b6c2f878: Downloading [===========================>                       ]  5.422MB/9.996MB
5573c4b30949: Waiting 
11a88e764313: Waiting 
ee776f0e36af: Waiting 
513c90a1afc3: Waiting 
df9b9e95bdb9: Waiting 
86c9edb54464: Waiting 
datasette package fixtures.db --secret woot --branch master
docker run -p 8001:8001 a155798bd842
This works too.","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",632919570,,,642754589,MDEyOklzc3VlQ29tbWVudDY0Mjc1NDU4OQ==,9599,2020-06-11T15:45:25Z,2020-06-11T15:45:25Z,OWNER,"    datasette publish cloudrun fixtures.db --service datasette-publish-secret --branch=master","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",632919570,,,642750790,MDEyOklzc3VlQ29tbWVudDY0Mjc1MDc5MA==,9599,2020-06-11T15:42:23Z,2020-06-11T15:42:23Z,OWNER,"    datasette publish heroku fixtures.db -n datasette-publish-secret --branch=master - Heroku works.
","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",632919570,,,642745518,MDEyOklzc3VlQ29tbWVudDY0Mjc0NTUxOA==,9599,2020-06-11T15:38:51Z,2020-06-11T15:38:51Z,OWNER,The way to manually test this is to publish a database to each provider and then check that the `/-/messages` debug tool works.,"{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",632919570,,,642741930,MDEyOklzc3VlQ29tbWVudDY0Mjc0MTkzMA==,9599,2020-06-11T15:35:53Z,2020-06-11T15:36:05Z,OWNER,"May the fix here is to implement a `.check_permissions()` method which passes when the first permission passes?
await self.check_permissions(request, [
    (""view-table"", (database, table)),
    (""view-database"", database),
```","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",636722501,,,642420375,MDEyOklzc3VlQ29tbWVudDY0MjQyMDM3NQ==,9599,2020-06-11T05:40:07Z,2020-06-11T05:40:07Z,OWNER, is now released as a 0.1a here:,"{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",634917088,,,642412017,MDEyOklzc3VlQ29tbWVudDY0MjQxMjAxNw==,9599,2020-06-11T05:13:59Z,2020-06-11T05:13:59Z,OWNER,"Relevant code:","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",636722501,