{"html_url": "https://github.com/simonw/datasette/issues/1636#issuecomment-1192862243", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1636", "id": 1192862243, "node_id": "IC_kwDOBm6k_c5HGaIj", "user": {"value": 9599, "label": "simonw"}, "created_at": "2022-07-22T19:10:48Z", "updated_at": "2022-07-22T19:11:01Z", "author_association": "OWNER", "body": "I keep running into a need for this. Every time I create a new plugin that defines a new permission I wish there was a clean way to grant that permission to new users without installing some other permissions plugin.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 1138008042, "label": "\"permissions\" propery in metadata for configuring arbitrary permissions"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/1636#issuecomment-1192862767", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1636", "id": 1192862767, "node_id": "IC_kwDOBm6k_c5HGaQv", "user": {"value": 9599, "label": "simonw"}, "created_at": "2022-07-22T19:11:41Z", "updated_at": "2022-07-22T19:11:41Z", "author_association": "OWNER", "body": "I keep shipping plugins that set a special hook just so the root user can try them out.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 1138008042, "label": "\"permissions\" propery in metadata for configuring arbitrary permissions"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/1636#issuecomment-1334666806", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1636", "id": 1334666806, "node_id": "IC_kwDOBm6k_c5PjWY2", "user": {"value": 9599, "label": "simonw"}, "created_at": "2022-12-02T01:58:40Z", "updated_at": "2022-12-02T02:00:53Z", "author_association": "OWNER", "body": "Current design:\r\n\r\n```json\r\n{\r\n    \"databases\": {\r\n        \"private\": {\r\n            \"allow\": {\r\n                \"id\": \"*\"\r\n            }\r\n        }\r\n    }\r\n}\r\n```\r\nThis can be applied at the instance, database, table or query level within the nested JSON.\r\n\r\nhttps://docs.datasette.io/en/stable/authentication.html#controlling-access-to-specific-databases\r\n\r\nIt's actually controlling the following permissions:\r\n\r\n- `view-instance`\r\n- `view-database`\r\n- `view-table`\r\n- `view-query`\r\n\r\nThere's also a special case for allowing SQL queries,at the instance and database level:\r\n\r\n```json\r\n{\r\n    \"databases\": {\r\n        \"mydatabase\": {\r\n            \"allow_sql\": {\r\n                \"id\": \"root\"\r\n            }\r\n        }\r\n    }\r\n}\r\n```", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 1138008042, "label": "\"permissions\" propery in metadata for configuring arbitrary permissions"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/1636#issuecomment-1334673179", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1636", "id": 1334673179, "node_id": "IC_kwDOBm6k_c5PjX8b", "user": {"value": 9599, "label": "simonw"}, "created_at": "2022-12-02T02:07:20Z", "updated_at": "2022-12-02T04:27:07Z", "author_association": "OWNER", "body": "So the new mechanism needs to extend that to handle all of the other permissions as well.\r\n\r\nThe simplest design I can think of is this (here illustrated using YAML):\r\n\r\n```yaml\r\n# instance-level permissions - give every logged in user the debug menu:\r\npermissions:\r\n  debug-menu:\r\n    id: *\r\ndatabases:\r\n  content:\r\n    # Allow bob to create-table in the content database\r\n    permissions:\r\n      create-table:\r\n        id: bob\r\n```", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 1138008042, "label": "\"permissions\" propery in metadata for configuring arbitrary permissions"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/1636#issuecomment-1334757597", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1636", "id": 1334757597, "node_id": "IC_kwDOBm6k_c5Pjsjd", "user": {"value": 9599, "label": "simonw"}, "created_at": "2022-12-02T04:42:35Z", "updated_at": "2022-12-02T04:42:35Z", "author_association": "OWNER", "body": "Should I call this key `permissions` or something else?\r\n\r\nSome options:\r\n\r\n- `permissions`\r\n- `perms` - shorter to type\r\n- `allow` - I like the word, but might be confusing to change its meaning since we use it already", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 1138008042, "label": "\"permissions\" propery in metadata for configuring arbitrary permissions"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/1636#issuecomment-1334758766", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1636", "id": 1334758766, "node_id": "IC_kwDOBm6k_c5Pjs1u", "user": {"value": 9599, "label": "simonw"}, "created_at": "2022-12-02T04:45:16Z", "updated_at": "2022-12-02T04:45:16Z", "author_association": "OWNER", "body": "Also, this is another thing which should live in `config.yml` rather than being crammed into `metadata.yml` - but I can fix that when I address:\r\n- #493", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 1138008042, "label": "\"permissions\" propery in metadata for configuring arbitrary permissions"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/1636#issuecomment-1334759315", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1636", "id": 1334759315, "node_id": "IC_kwDOBm6k_c5Pjs-T", "user": {"value": 9599, "label": "simonw"}, "created_at": "2022-12-02T04:46:32Z", "updated_at": "2022-12-02T04:46:32Z", "author_association": "OWNER", "body": "Thankfully all of the logic for this already lives in just one place:\r\n\r\nhttps://github.com/simonw/datasette/blob/d7e5e3c9f98d194fdfb12f1ecc60ed5b3afbc464/datasette/default_permissions.py#L23-L59", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 1138008042, "label": "\"permissions\" propery in metadata for configuring arbitrary permissions"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/1636#issuecomment-1341854373", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1636", "id": 1341854373, "node_id": "IC_kwDOBm6k_c5P-xKl", "user": {"value": 9599, "label": "simonw"}, "created_at": "2022-12-08T01:43:35Z", "updated_at": "2022-12-08T01:43:35Z", "author_association": "OWNER", "body": "I'm going to write the documentation for this first.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 1138008042, "label": "\"permissions\" propery in metadata for configuring arbitrary permissions"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/1636#issuecomment-1343440504", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1636", "id": 1343440504, "node_id": "IC_kwDOBm6k_c5QE0Z4", "user": {"value": 9599, "label": "simonw"}, "created_at": "2022-12-08T22:10:28Z", "updated_at": "2022-12-08T22:10:48Z", "author_association": "OWNER", "body": "What if you want to grant `insert-row` to a user for ALL tables in a database, or even for all tables in all databases?\r\n\r\nYou should be able to do that by putting that in the root `permissions:` block. Need to figure out how the implementation will handle that.\r\n\r\nAlso: there are some permissions like `view-instance` or `debug-menu` for which putting them at the `database` or `table` or `query` level doesn't actually make any sense.\r\n\r\nIdeally the implementation would spot those on startup and refuse to start the server, with a helpful error message.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 1138008042, "label": "\"permissions\" propery in metadata for configuring arbitrary permissions"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/1636#issuecomment-1343446071", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1636", "id": 1343446071, "node_id": "IC_kwDOBm6k_c5QE1w3", "user": {"value": 9599, "label": "simonw"}, "created_at": "2022-12-08T22:16:17Z", "updated_at": "2022-12-08T22:16:17Z", "author_association": "OWNER", "body": "First draft of documentation: https://datasette--1938.org.readthedocs.build/en/1938/authentication.html#other-permissions-in-metadata", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 1138008042, "label": "\"permissions\" propery in metadata for configuring arbitrary permissions"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/1636#issuecomment-1343715746", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1636", "id": 1343715746, "node_id": "IC_kwDOBm6k_c5QF3mi", "user": {"value": 9599, "label": "simonw"}, "created_at": "2022-12-09T01:27:41Z", "updated_at": "2022-12-09T01:27:58Z", "author_association": "OWNER", "body": "I may need to consult this file to figure out if the permission that is being checked can act at the database/table/instance level:\r\n\r\nhttps://github.com/simonw/datasette/blob/e539c1c024bc62d88df91d9107cbe37e7f0fe55f/datasette/permissions.py#L1-L19", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 1138008042, "label": "\"permissions\" propery in metadata for configuring arbitrary permissions"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/1636#issuecomment-1347647298", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1636", "id": 1347647298, "node_id": "IC_kwDOBm6k_c5QU3dC", "user": {"value": 9599, "label": "simonw"}, "created_at": "2022-12-13T02:08:46Z", "updated_at": "2022-12-13T02:08:46Z", "author_association": "OWNER", "body": "A bunch of the work for this just landed - in particular the new scheme is now documented (even though it doesn't work yet):\r\n\r\nhttps://docs.datasette.io/en/latest/authentication.html#other-permissions-in-metadata", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 1138008042, "label": "\"permissions\" propery in metadata for configuring arbitrary permissions"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/1636#issuecomment-1347648326", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1636", "id": 1347648326, "node_id": "IC_kwDOBm6k_c5QU3tG", "user": {"value": 9599, "label": "simonw"}, "created_at": "2022-12-13T02:10:02Z", "updated_at": "2022-12-13T02:10:02Z", "author_association": "OWNER", "body": "The implementation for this will go here: https://github.com/simonw/datasette/blob/8bf06a76b51bc9ace7cf72cf0cca8f1da7704ea7/datasette/default_permissions.py#L81-L83\r\n\r\nHere's the start of the tests (currently marked as `xfail`):\r\n\r\nhttps://github.com/simonw/datasette/blob/8bf06a76b51bc9ace7cf72cf0cca8f1da7704ea7/tests/test_permissions.py#L652-L689", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 1138008042, "label": "\"permissions\" propery in metadata for configuring arbitrary permissions"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/1636#issuecomment-1347655074", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1636", "id": 1347655074, "node_id": "IC_kwDOBm6k_c5QU5Wi", "user": {"value": 9599, "label": "simonw"}, "created_at": "2022-12-13T02:21:04Z", "updated_at": "2022-12-13T02:21:23Z", "author_association": "OWNER", "body": "The thing I'm stuck on at the moment is how to implement it such that an `allow` block for `create-table` at the root of the metadata will be checked correctly.\r\n\r\nMaybe the algorithm when `_resolve_metadata_permissions_blocks(datasette, actor, action, resource)` is called should do this:\r\n\r\n1. If a root permission block matching that action exists, test with that\r\n2. Next, if resource has been passed, check at the database level\r\n3. If the resource included a table/query, check at that level too\r\n\r\nSo everything is keyed off the incoming `action` name.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 1138008042, "label": "\"permissions\" propery in metadata for configuring arbitrary permissions"}, "performed_via_github_app": null}