{"html_url": "https://github.com/simonw/datasette/issues/1855#issuecomment-1347675456", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1855", "id": 1347675456, "node_id": "IC_kwDOBm6k_c5QU-VA", "user": {"value": 9599, "label": "simonw"}, "created_at": "2022-12-13T02:57:46Z", "updated_at": "2022-12-13T02:57:46Z", "author_association": "OWNER", "body": "I was going to have the CLI command throw an error if you attempt to use a permission that isn't registered with Datasette, but then I remembered that one of the uses for the CLI tool is to create signed tokens that will work against other Datasette instances (via the `--secret` option) that might have different plugins installed that register different permission names.\r\n\r\nSo I might have it output warnings instead.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 1423336089, "label": "`datasette create-token` ability to create tokens with a reduced set of permissions"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/pull/1940#issuecomment-1347634128", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1940", "id": 1347634128, "node_id": "IC_kwDOBm6k_c5QU0PQ", "user": {"value": 9599, "label": "simonw"}, "created_at": "2022-12-13T01:51:56Z", "updated_at": "2022-12-13T01:51:56Z", "author_association": "OWNER", "body": "Actually one last thing: I said that the error would only occur if the permissions differed in some way.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 1486011362, "label": "register_permissions() plugin hook"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/pull/1940#issuecomment-1347640542", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1940", "id": 1347640542, "node_id": "IC_kwDOBm6k_c5QU1ze", "user": {"value": 9599, "label": "simonw"}, "created_at": "2022-12-13T02:02:10Z", "updated_at": "2022-12-13T02:02:10Z", "author_association": "OWNER", "body": "This PR ended up bundling part of the implementation of:\r\n- #1636\r\n\r\nI'm going to be bad an NOT untangle that from this before I merge it.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 1486011362, "label": "register_permissions() plugin hook"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/1943#issuecomment-1347645615", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1943", "id": 1347645615, "node_id": "IC_kwDOBm6k_c5QU3Cv", "user": {"value": 9599, "label": "simonw"}, "created_at": "2022-12-13T02:06:47Z", "updated_at": "2022-12-13T02:06:47Z", "author_association": "OWNER", "body": "This URL is already used for the https://latest.datasette.io/-/permissions tool - but it could include a block on that page that tells you what permissions are available.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 1490576818, "label": "`/-/permissions` should list available permissions"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/1939#issuecomment-1347646516", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1939", "id": 1347646516, "node_id": "IC_kwDOBm6k_c5QU3Q0", "user": {"value": 9599, "label": "simonw"}, "created_at": "2022-12-13T02:07:50Z", "updated_at": "2022-12-13T02:07:50Z", "author_association": "OWNER", "body": "Documentation for the new hook: https://docs.datasette.io/en/latest/plugin_hooks.html#register-permissions-datasette", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 1485757511, "label": "register_permissions(datasette) plugin hook"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/1636#issuecomment-1347647298", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1636", "id": 1347647298, "node_id": "IC_kwDOBm6k_c5QU3dC", "user": {"value": 9599, "label": "simonw"}, "created_at": "2022-12-13T02:08:46Z", "updated_at": "2022-12-13T02:08:46Z", "author_association": "OWNER", "body": "A bunch of the work for this just landed - in particular the new scheme is now documented (even though it doesn't work yet):\r\n\r\nhttps://docs.datasette.io/en/latest/authentication.html#other-permissions-in-metadata", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 1138008042, "label": "\"permissions\" propery in metadata for configuring arbitrary permissions"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/1636#issuecomment-1347648326", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1636", "id": 1347648326, "node_id": "IC_kwDOBm6k_c5QU3tG", "user": {"value": 9599, "label": "simonw"}, "created_at": "2022-12-13T02:10:02Z", "updated_at": "2022-12-13T02:10:02Z", "author_association": "OWNER", "body": "The implementation for this will go here: https://github.com/simonw/datasette/blob/8bf06a76b51bc9ace7cf72cf0cca8f1da7704ea7/datasette/default_permissions.py#L81-L83\r\n\r\nHere's the start of the tests (currently marked as `xfail`):\r\n\r\nhttps://github.com/simonw/datasette/blob/8bf06a76b51bc9ace7cf72cf0cca8f1da7704ea7/tests/test_permissions.py#L652-L689", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 1138008042, "label": "\"permissions\" propery in metadata for configuring arbitrary permissions"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/1636#issuecomment-1347655074", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1636", "id": 1347655074, "node_id": "IC_kwDOBm6k_c5QU5Wi", "user": {"value": 9599, "label": "simonw"}, "created_at": "2022-12-13T02:21:04Z", "updated_at": "2022-12-13T02:21:23Z", "author_association": "OWNER", "body": "The thing I'm stuck on at the moment is how to implement it such that an `allow` block for `create-table` at the root of the metadata will be checked correctly.\r\n\r\nMaybe the algorithm when `_resolve_metadata_permissions_blocks(datasette, actor, action, resource)` is called should do this:\r\n\r\n1. If a root permission block matching that action exists, test with that\r\n2. Next, if resource has been passed, check at the database level\r\n3. If the resource included a table/query, check at that level too\r\n\r\nSo everything is keyed off the incoming `action` name.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 1138008042, "label": "\"permissions\" propery in metadata for configuring arbitrary permissions"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/1855#issuecomment-1347669087", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1855", "id": 1347669087, "node_id": "IC_kwDOBm6k_c5QU8xf", "user": {"value": 9599, "label": "simonw"}, "created_at": "2022-12-13T02:45:15Z", "updated_at": "2022-12-13T02:45:15Z", "author_association": "OWNER", "body": "The hardest piece here is the UI. I'm going to implement the CLI command first.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 1423336089, "label": "`datasette create-token` ability to create tokens with a reduced set of permissions"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/pull/1940#issuecomment-1347616055", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1940", "id": 1347616055, "node_id": "IC_kwDOBm6k_c5QUv03", "user": {"value": 9599, "label": "simonw"}, "created_at": "2022-12-13T01:27:03Z", "updated_at": "2022-12-13T01:27:03Z", "author_association": "OWNER", "body": "I'm going to revert that last commit, see if I can get the tests running again and then apply the changes a line at a time to figure out which ones broke things.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 1486011362, "label": "register_permissions() plugin hook"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/pull/1940#issuecomment-1347620733", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1940", "id": 1347620733, "node_id": "IC_kwDOBm6k_c5QUw99", "user": {"value": 9599, "label": "simonw"}, "created_at": "2022-12-13T01:33:06Z", "updated_at": "2022-12-13T01:33:06Z", "author_association": "OWNER", "body": "It's this change which triggers the failures:\r\n```diff\r\ndiff --git a/datasette/app.py b/datasette/app.py\r\nindex 760063d5..defa9688 100644\r\n--- a/datasette/app.py\r\n+++ b/datasette/app.py\r\n@@ -707,9 +707,12 @@ class Datasette:\r\n )\r\n return crumbs\r\n \r\n- async def permission_allowed(self, actor, action, resource=None, default=False):\r\n+ async def permission_allowed(self, actor, action, resource=None, default=None):\r\n \"\"\"Check permissions using the permissions_allowed plugin hook\"\"\"\r\n result = None\r\n+ # Use default from registered permission, if available\r\n+ if default is None and action in self.permissions:\r\n+ default = self.permissions[action].default\r\n for check in pm.hook.permission_allowed(\r\n datasette=self,\r\n actor=actor,\r\n```", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 1486011362, "label": "register_permissions() plugin hook"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/pull/1940#issuecomment-1347632350", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1940", "id": 1347632350, "node_id": "IC_kwDOBm6k_c5QUzze", "user": {"value": 22429695, "label": "codecov[bot]"}, "created_at": "2022-12-13T01:48:40Z", "updated_at": "2022-12-13T02:00:52Z", "author_association": "NONE", "body": "# [Codecov](https://codecov.io/gh/simonw/datasette/pull/1940?src=pr&el=h1&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=Simon+Willison) Report\nBase: **92.00**% // Head: **92.03**% // Increases project coverage by **`+0.02%`** :tada:\n> Coverage data is based on head [(`a1317ab`)](https://codecov.io/gh/simonw/datasette/pull/1940?src=pr&el=desc&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=Simon+Willison) compared to base [(`e539c1c`)](https://codecov.io/gh/simonw/datasette/commit/e539c1c024bc62d88df91d9107cbe37e7f0fe55f?el=desc&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=Simon+Willison).\n> Patch coverage: 100.00% of modified lines in pull request are covered.\n\n> :exclamation: Current head a1317ab differs from pull request most recent head 94e5c75. Consider uploading reports for the commit 94e5c75 to get more accurate results\n\nAdditional details and impacted files
\n\n\n```diff\n@@ Coverage Diff @@\n## main #1940 +/- ##\n==========================================\n+ Coverage 92.00% 92.03% +0.02% \n==========================================\n Files 38 38 \n Lines 5378 5396 +18 \n==========================================\n+ Hits 4948 4966 +18 \n Misses 430 430 \n```\n\n\n| [Impacted Files](https://codecov.io/gh/simonw/datasette/pull/1940?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=Simon+Willison) | Coverage \u0394 | |\n|---|---|---|\n| [datasette/permissions.py](https://codecov.io/gh/simonw/datasette/pull/1940/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=Simon+Willison#diff-ZGF0YXNldHRlL3Blcm1pc3Npb25zLnB5) | `100.00% <\u00f8> (\u00f8)` | |\n| [datasette/views/database.py](https://codecov.io/gh/simonw/datasette/pull/1940/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=Simon+Willison#diff-ZGF0YXNldHRlL3ZpZXdzL2RhdGFiYXNlLnB5) | `96.26% <\u00f8> (\u00f8)` | |\n| [datasette/views/index.py](https://codecov.io/gh/simonw/datasette/pull/1940/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=Simon+Willison#diff-ZGF0YXNldHRlL3ZpZXdzL2luZGV4LnB5) | `96.49% <\u00f8> (\u00f8)` | |\n| [datasette/views/special.py](https://codecov.io/gh/simonw/datasette/pull/1940/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=Simon+Willison#diff-ZGF0YXNldHRlL3ZpZXdzL3NwZWNpYWwucHk=) | `79.20% <\u00f8> (-0.21%)` | :arrow_down: |\n| [datasette/views/table.py](https://codecov.io/gh/simonw/datasette/pull/1940/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=Simon+Willison#diff-ZGF0YXNldHRlL3ZpZXdzL3RhYmxlLnB5) | `92.57% <\u00f8> (\u00f8)` | |\n| 
[datasette/\\_\\_init\\_\\_.py](https://codecov.io/gh/simonw/datasette/pull/1940/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=Simon+Willison#diff-ZGF0YXNldHRlL19faW5pdF9fLnB5) | `100.00% <100.00%> (\u00f8)` | |\n| [datasette/app.py](https://codecov.io/gh/simonw/datasette/pull/1940/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=Simon+Willison#diff-ZGF0YXNldHRlL2FwcC5weQ==) | `94.47% <100.00%> (+0.04%)` | :arrow_up: |\n| [datasette/default\\_permissions.py](https://codecov.io/gh/simonw/datasette/pull/1940/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=Simon+Willison#diff-ZGF0YXNldHRlL2RlZmF1bHRfcGVybWlzc2lvbnMucHk=) | `95.20% <100.00%> (+0.39%)` | :arrow_up: |\n| [datasette/hookspecs.py](https://codecov.io/gh/simonw/datasette/pull/1940/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=Simon+Willison#diff-ZGF0YXNldHRlL2hvb2tzcGVjcy5weQ==) | `100.00% <100.00%> (\u00f8)` | |\n\nHelp us with your feedback. Take ten seconds to tell us [how you rate us](https://about.codecov.io/nps?utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=Simon+Willison). Have a feature suggestion? [Share it here.](https://app.codecov.io/gh/feedback/?utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=Simon+Willison)\n\n
This token will allow API access with the same abilities as your current user.
\r\n+This token will allow API access with the same abilities as your current user, {{ request.actor.id }}
\r\n \r\n {% if errors %}\r\n {% for error in errors %}\r\n@@ -27,8 +36,39 @@\r\n \r\n \r\n \r\n- \r\n+\r\n+Restrict actions that can be performed using this token:
\r\n+ \r\n+
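Review bot: The added line ending in `{{ request.actor.id }}` renders an actor-supplied identifier into the token page, and actor IDs can originate from whatever authentication mechanism is in use, so it is worth confirming that this template is rendered with autoescaping enabled rather than relying on IDs being well-formed. The same line also tells the user the token carries "the same abilities as your current user", while the later added line offers to "Restrict actions that can be performed using this token"; consider rewording the first sentence so it does not overstate the scope of a restricted token.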