{"html_url": "https://github.com/simonw/datasette/issues/698#issuecomment-636617140", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/698", "id": 636617140, "node_id": "MDEyOklzc3VlQ29tbWVudDYzNjYxNzE0MA==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-01T05:14:39Z", "updated_at": "2020-06-01T05:14:39Z", "author_association": "OWNER", "body": "Here's the new `default_permissions.py` file I can add this permission check to: https://github.com/simonw/datasette/blob/dfdbdf378aba9afb66666f66b78df2f2069d2595/datasette/default_permissions.py#L1-L7", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 582517965, "label": "Ability for a canned query to write to the database"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/698#issuecomment-636569917", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/698", "id": 636569917, "node_id": "MDEyOklzc3VlQ29tbWVudDYzNjU2OTkxNw==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-01T01:39:44Z", "updated_at": "2020-06-01T01:39:44Z", "author_association": "OWNER", "body": "Idea for the authentication piece: I'll have the canned query code execute the following:\r\n\r\n```python\r\nif await datasette.permission_allowed(\r\n    request.scope.get(\"actor\"),  \"execute_query\", \"canned_query\", query_name, default=True\r\n):\r\n```\r\nThen I'll add a default plugin to Datasette which implements that plugin hook, looks at the Datasette metadata for that query, and says \"No\" if the following (and `request.scope[\"actor\"]` is empty):\r\n\r\n```json\r\n{\r\n    \"databases\": {\r\n       \"my-database\": {\r\n           \"queries\": {\r\n               \"add_twitter_handle\": {\r\n                   \"sql\": \"insert into twitter_handles (username) values (:username)\",\r\n                   \"write\": true,\r\n                   \"requires_actor\": true\r\n               }\r\n           }\r\n       }\r\n    }\r\n}\r\n```\r\nI think I'll support this too:\r\n\r\n```json\r\n                   \"allowed_actors\": [\"root\"]\r\n```\r\nSo you can configure queries to only be available to specific `{\"id\": xxx}` actors.\r\n\r\nThis will be the first time the new `permission_allowed` mechanism from #699 will be exercised in Datasette core.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 582517965, "label": "Ability for a canned query to write to the database"}, "performed_via_github_app": null}