{"html_url": "https://github.com/simonw/datasette/issues/811#issuecomment-640362879", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/811", "id": 640362879, "node_id": "MDEyOklzc3VlQ29tbWVudDY0MDM2Mjg3OQ==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-08T04:42:28Z", "updated_at": "2020-06-08T13:39:46Z", "author_association": "OWNER", "body": "I'm finding myself repeating this pattern a lot:\r\n```python\r\n        for table in table_counts:\r\n            allowed = await self.ds.permission_allowed(\r\n                request.scope.get(\"actor\"),\r\n                \"view-table\",\r\n                resource_type=\"table\",\r\n                resource_identifier=(database, table),\r\n                default=True,\r\n            )\r\n            if not allowed:\r\n                continue\r\n            private = not await self.ds.permission_allowed(\r\n                None,\r\n                \"view-table\",\r\n                resource_type=\"table\",\r\n                resource_identifier=(database, table),\r\n            )\r\n```\r\nI use a similar pattern for lists of databases and lists of queries, and I'll be doing the same thing for lists of SQL views too.\r\n\r\nAn abstraction around this would be useful.\r\n\r\nIdea:\r\n\r\n```python\r\nvisible, private = await check_visibility(\r\n    self.ds, actor, \"view-table\", \"table\", (database, table)\r\n)\r\n```", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 633578769, "label": "Support \"allow\" block on root, databases and tables, not just queries"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/811#issuecomment-640367128", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/811", "id": 640367128, "node_id": "MDEyOklzc3VlQ29tbWVudDY0MDM2NzEyOA==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-08T05:00:13Z", "updated_at": "2020-06-08T05:00:49Z", "author_association": "OWNER", "body": "Should the padlock show up on tables that are private only because they inherited their privacy from their parent database or even the parent instance?\r\n\r\nInteresting question. If an instance is private, I'm not sure it makes sense to show padlocks on absolutely everything.\r\n\r\nLikewise, a list of tables shown on the database table with a padlock next to every single table (when the database itself is private) doesn't seem to add any useful information.\r\n\r\nI think \"Show \ud83d\udd12 in header on private database page\" will resolve this for me. I'll always show the padlock in the header of a database/table page even if that privacy is inherited - but I won't do that for padlocks shown in the list of tables or list of databases.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 633578769, "label": "Support \"allow\" block on root, databases and tables, not just queries"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/811#issuecomment-640365512", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/811", "id": 640365512, "node_id": "MDEyOklzc3VlQ29tbWVudDY0MDM2NTUxMg==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-08T04:53:49Z", "updated_at": "2020-06-08T04:53:49Z", "author_association": "OWNER", "body": "I really like the padlocks. I should include a screenshot in the documentation that illustrates them.\r\n\r\n<img width=\"620\" alt=\"data\" src=\"https://user-images.githubusercontent.com/9599/83993771-483d5400-a909-11ea-8e7b-85b54e40f900.png\">\r\n\r\nMaybe I should figure out a way to have the https://latest.datasette.io/ demo illustrate both a logged-in and a logged-out state.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 633578769, "label": "Support \"allow\" block on root, databases and tables, not just queries"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/811#issuecomment-640348785", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/811", "id": 640348785, "node_id": "MDEyOklzc3VlQ29tbWVudDY0MDM0ODc4NQ==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-08T03:51:50Z", "updated_at": "2020-06-08T03:51:50Z", "author_association": "OWNER", "body": "New convention: the \ud83d\udd12 icon is now shown next to resources that are private - that are visible to you now, but would not be visible to the anonymous user.\r\n\r\n<img width=\"823\" alt=\"Datasette__fixtures__data\" src=\"https://user-images.githubusercontent.com/9599/83991127-b3cef380-a900-11ea-9df3-8fcd4c10cc42.png\">\r\n", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 633578769, "label": "Support \"allow\" block on root, databases and tables, not just queries"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/811#issuecomment-640345115", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/811", "id": 640345115, "node_id": "MDEyOklzc3VlQ29tbWVudDY0MDM0NTExNQ==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-08T03:37:33Z", "updated_at": "2020-06-08T03:37:33Z", "author_association": "OWNER", "body": "Per-table permissions is pretty interesting for large installations though - an organization might have hundreds of CSV files imported into Datasette and then allow users to specify which exact users within that organization are allowed to see which CSV.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 633578769, "label": "Support \"allow\" block on root, databases and tables, not just queries"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/811#issuecomment-640344950", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/811", "id": 640344950, "node_id": "MDEyOklzc3VlQ29tbWVudDY0MDM0NDk1MA==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-08T03:36:49Z", "updated_at": "2020-06-08T03:36:49Z", "author_association": "OWNER", "body": "Oh this is a bit awkward - should I be running per-table permission checks for every table that might be shown on the index page?\r\n\r\n<img width=\"841\" alt=\"Datasette__fixtures__data\" src=\"https://user-images.githubusercontent.com/9599/83990459-9862e900-a8fe-11ea-8a42-60cc3d6f7693.png\">\r\n", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 633578769, "label": "Support \"allow\" block on root, databases and tables, not just queries"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/811#issuecomment-640339674", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/811", "id": 640339674, "node_id": "MDEyOklzc3VlQ29tbWVudDY0MDMzOTY3NA==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-08T03:18:15Z", "updated_at": "2020-06-08T03:18:15Z", "author_association": "OWNER", "body": "I should take these permissions into account when displaying a list of tables or a list of databases (like I do right now when displaying a list of queries).", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 633578769, "label": "Support \"allow\" block on root, databases and tables, not just queries"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/811#issuecomment-640338347", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/811", "id": 640338347, "node_id": "MDEyOklzc3VlQ29tbWVudDY0MDMzODM0Nw==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-08T03:13:23Z", "updated_at": "2020-06-08T03:13:23Z", "author_association": "OWNER", "body": "Do row-level permissions even make sense? Might be a good idea to remove those until I have a good use-case for them.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 633578769, "label": "Support \"allow\" block on root, databases and tables, not just queries"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/811#issuecomment-640338151", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/811", "id": 640338151, "node_id": "MDEyOklzc3VlQ29tbWVudDY0MDMzODE1MQ==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-08T03:12:41Z", "updated_at": "2020-06-08T03:12:41Z", "author_association": "OWNER", "body": "Also need to expand the docs on https://datasette.readthedocs.io/en/latest/authentication.html to explain where you can put `allow` blocks to control access to the instance, database or table.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 633578769, "label": "Support \"allow\" block on root, databases and tables, not just queries"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/811#issuecomment-640337951", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/811", "id": 640337951, "node_id": "MDEyOklzc3VlQ29tbWVudDY0MDMzNzk1MQ==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-08T03:11:58Z", "updated_at": "2020-06-08T03:11:58Z", "author_association": "OWNER", "body": "I'd like to be able to apply permissions for the ability to run a SQL query - but I'm not sure where the best place for that `\"allow\"` block to live would be.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 633578769, "label": "Support \"allow\" block on root, databases and tables, not just queries"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/811#issuecomment-640287967", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/811", "id": 640287967, "node_id": "MDEyOklzc3VlQ29tbWVudDY0MDI4Nzk2Nw==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-07T22:16:10Z", "updated_at": "2020-06-07T22:16:10Z", "author_association": "OWNER", "body": "The tests in test_permissions.py could check the .json variants and assert that permission checks were carried out too.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 633578769, "label": "Support \"allow\" block on root, databases and tables, not just queries"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/811#issuecomment-640274171", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/811", "id": 640274171, "node_id": "MDEyOklzc3VlQ29tbWVudDY0MDI3NDE3MQ==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-07T20:21:14Z", "updated_at": "2020-06-07T20:21:14Z", "author_association": "OWNER", "body": "Next step: fix this\r\n```\r\n-            # TODO: fix this to use that permission check\r\n-            if not actor_matches_allow(\r\n-                request.scope.get(\"actor\", None), metadata.get(\"allow\")\r\n-            ):\r\n-                return Response(\"Permission denied\", status=403)\r\n```", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 633578769, "label": "Support \"allow\" block on root, databases and tables, not just queries"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/811#issuecomment-640273945", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/811", "id": 640273945, "node_id": "MDEyOklzc3VlQ29tbWVudDY0MDI3Mzk0NQ==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-07T20:19:15Z", "updated_at": "2020-06-07T20:19:15Z", "author_association": "OWNER", "body": "I'm going to add a `test_permissions.py` module that checks for 403 errors against different patterns of the `actors` block at different levels in `metadata.json`.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 633578769, "label": "Support \"allow\" block on root, databases and tables, not just queries"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/811#issuecomment-640270178", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/811", "id": 640270178, "node_id": "MDEyOklzc3VlQ29tbWVudDY0MDI3MDE3OA==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-07T19:48:39Z", "updated_at": "2020-06-07T19:48:39Z", "author_association": "OWNER", "body": "Testing pattern:\r\n```python\r\ndef test_canned_query_with_custom_metadata(app_client):\r\n    response = app_client.get(\"/fixtures/neighborhood_search?text=town\")\r\n    assert_permissions_checked(\r\n        app_client.ds,\r\n        [\r\n            \"view-instance\",\r\n            (\"view-database\", \"database\", \"fixtures\"),\r\n            (\"view-query\", \"query\", (\"fixtures\", \"neighborhood_search\")),\r\n        ],\r\n    )\r\n```\r\n", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 633578769, "label": "Support \"allow\" block on root, databases and tables, not just queries"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/811#issuecomment-640248972", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/811", "id": 640248972, "node_id": "MDEyOklzc3VlQ29tbWVudDY0MDI0ODk3Mg==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-07T17:04:22Z", "updated_at": "2020-06-07T17:04:22Z", "author_association": "OWNER", "body": "I'll need a neat testing pattern for this.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 633578769, "label": "Support \"allow\" block on root, databases and tables, not just queries"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/811#issuecomment-640248669", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/811", "id": 640248669, "node_id": "MDEyOklzc3VlQ29tbWVudDY0MDI0ODY2OQ==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-07T17:01:44Z", "updated_at": "2020-06-07T17:01:44Z", "author_association": "OWNER", "body": "If the allow block at the database level forbids access this needs to cascade down to the table, query and row levels as well.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 633578769, "label": "Support \"allow\" block on root, databases and tables, not just queries"}, "performed_via_github_app": null}