{"html_url": "https://github.com/simonw/datasette/issues/1947#issuecomment-1350037572", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1947", "id": 1350037572, "node_id": "IC_kwDOBm6k_c5Qd_BE", "user": {"value": 9599, "label": "simonw"}, "created_at": "2022-12-13T23:27:32Z", "updated_at": "2022-12-13T23:27:32Z", "author_association": "OWNER", "body": "I'm going to ignore the permissions issue for the moment - I'll allow people to select any permissions they like in any of the databases or tables that are visible to them (don't want to leak the existence of databases/tables to users who shouldn't be able to see them).\r\n\r\nI think the value of getting this working outweighs any potential confusion from not using finely grained permission checks to decide if the user should be able to apply a permission or not.\r\n\r\nThe tokens themselves won't be able to perform `insert-row` or similar if the user doesn't have the ability to do that, even if they selected that checkbox.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 1493390939, "label": "UI to create reduced scope tokens from the `/-/create-token` page"}, "performed_via_github_app": null} {"html_url": "https://github.com/simonw/datasette/issues/1947#issuecomment-1350019528", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1947", "id": 1350019528, "node_id": "IC_kwDOBm6k_c5Qd6nI", "user": {"value": 9599, "label": "simonw"}, "created_at": "2022-12-13T23:19:16Z", "updated_at": "2022-12-13T23:19:16Z", "author_association": "OWNER", "body": "Here's the checkbox prototype:\r\n```diff\r\ndiff --git a/datasette/templates/create_token.html b/datasette/templates/create_token.html\r\nindex a94881ed..1795ebaf 100644\r\n--- a/datasette/templates/create_token.html\r\n+++ b/datasette/templates/create_token.html\r\n@@ -2,11 +2,20 @@\r\n \r\n {% block title %}Create an 
API token{% endblock %}\r\n \r\n+{% block extra_head %}\r\n+\r\n+{% endblock %}\r\n+\r\n {% block content %}\r\n \r\n
This token will allow API access with the same abilities as your current user.
\r\n+This token will allow API access with the same abilities as your current user, {{ request.actor.id }}
\r\n \r\n {% if errors %}\r\n {% for error in errors %}\r\n@@ -27,8 +36,39 @@\r\n \r\n \r\n \r\n- \r\n+\r\n+Restrict actions that can be performed using this token:
\r\n+ \r\n+ \r\n+
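Review bot: The label added in the second hunk, "Restrict actions that can be performed using this token:", gives no hint that ticking an action cannot give the token an ability the user lacks. The accompanying comment says the form will offer any permission on the databases and tables visible to the user, and that the token still cannot perform `insert-row` or similar without the user's own ability to do so. Suggest stating that limit in a sentence beside the checkboxes so a user does not read a ticked box as a grant. In the first hunk the intro line now ends with `{{ request.actor.id }}`; it is worth confirming the template is only rendered when an actor is set, so the sentence never ends in an empty value.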