{"html_url": "https://github.com/simonw/datasette/issues/832#issuecomment-652103895", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/832", "id": 652103895, "node_id": "MDEyOklzc3VlQ29tbWVudDY1MjEwMzg5NQ==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-30T23:41:22Z", "updated_at": "2020-06-30T23:41:22Z", "author_association": "OWNER", "body": "I don't think this needs any additional documentation - the new behaviour matches how the permissions are documented here: https://datasette.readthedocs.io/en/0.44/authentication.html#built-in-permissions", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 636722501, "label": "Having view-table permission but NOT view-database should still grant access to /db/table"}, "performed_via_github_app": null} {"html_url": "https://github.com/simonw/datasette/issues/832#issuecomment-651999516", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/832", "id": 651999516, "node_id": "MDEyOklzc3VlQ29tbWVudDY1MTk5OTUxNg==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-30T19:33:49Z", "updated_at": "2020-06-30T21:34:59Z", "author_association": "OWNER", "body": "Tests needed for this:\r\n\r\n- If a user has view table but NOT view database / view instance, can they view the table page?\r\n- If a user has view canned query but NOT view database / view instance, can they view the canned query page?\r\n- If a user has view database but NOT view instance, can they view the database page?", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 636722501, "label": "Having view-table permission but NOT view-database should still grant access to /db/table"}, "performed_via_github_app": null} {"html_url": 
"https://github.com/simonw/datasette/issues/832#issuecomment-651995453", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/832", "id": 651995453, "node_id": "MDEyOklzc3VlQ29tbWVudDY1MTk5NTQ1Mw==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-30T19:25:13Z", "updated_at": "2020-06-30T19:25:26Z", "author_association": "OWNER", "body": "I'm going to put the new `check_permissions()` method on `BaseView` as well. If I want that method to be available to plugins I can do so by turning that `BaseView` class into a documented API that plugins are encouraged to use themselves.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 636722501, "label": "Having view-table permission but NOT view-database should still grant access to /db/table"}, "performed_via_github_app": null} {"html_url": "https://github.com/simonw/datasette/issues/832#issuecomment-651994978", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/832", "id": 651994978, "node_id": "MDEyOklzc3VlQ29tbWVudDY1MTk5NDk3OA==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-30T19:24:12Z", "updated_at": "2020-06-30T19:24:12Z", "author_association": "OWNER", "body": "Hah... but check_permission` is a method on `BaseView`. 
Here are the various permission methods at the moment:\r\n\r\nhttps://github.com/simonw/datasette/blob/6c2634583627bfab750c115cb13850252821d637/datasette/default_permissions.py#L5-L14\r\n\r\nAnd on BaseView:\r\n\r\nhttps://github.com/simonw/datasette/blob/a8a5f813722f72703a7aae41135ccc40635cc02f/datasette/views/base.py#L65-L70", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 636722501, "label": "Having view-table permission but NOT view-database should still grant access to /db/table"}, "performed_via_github_app": null} {"html_url": "https://github.com/simonw/datasette/issues/832#issuecomment-651993977", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/832", "id": 651993977, "node_id": "MDEyOklzc3VlQ29tbWVudDY1MTk5Mzk3Nw==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-30T19:22:06Z", "updated_at": "2020-06-30T19:22:06Z", "author_association": "OWNER", "body": "`permission_allowed` is already the name of the plugin hook. 
It's actually a bit confusing that it's also the name of a method on `datasette.`.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 636722501, "label": "Having view-table permission but NOT view-database should still grant access to /db/table"}, "performed_via_github_app": null} {"html_url": "https://github.com/simonw/datasette/issues/832#issuecomment-651993537", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/832", "id": 651993537, "node_id": "MDEyOklzc3VlQ29tbWVudDY1MTk5MzUzNw==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-30T19:21:15Z", "updated_at": "2020-06-30T19:21:15Z", "author_association": "OWNER", "body": "I could rename `permission_allowed()` to `check_permission()` and have a complementary `check_permissions()` method.\r\n\r\nThis is a breaking change but we're pre-1.0 so I think that's OK. I could even set up a temporary `permission_allowed()` alias which prints a deprecation warning to the console, then remove that at 1.0.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 636722501, "label": "Having view-table permission but NOT view-database should still grant access to /db/table"}, "performed_via_github_app": null} {"html_url": "https://github.com/simonw/datasette/issues/832#issuecomment-651992737", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/832", "id": 651992737, "node_id": "MDEyOklzc3VlQ29tbWVudDY1MTk5MjczNw==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-30T19:19:33Z", "updated_at": "2020-06-30T19:20:02Z", "author_association": "OWNER", "body": "I already have this method on Datasette:\r\n```python\r\nasync def permission_allowed(self, actor, action, resource=None, default=False):\r\n```\r\nWhat would be a good method name 
that complements that and indicates \"check a list of permissions in order\"? Should it even run against the request or should you have to hand it `request.actor`?", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 636722501, "label": "Having view-table permission but NOT view-database should still grant access to /db/table"}, "performed_via_github_app": null} {"html_url": "https://github.com/simonw/datasette/issues/832#issuecomment-642907021", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/832", "id": 642907021, "node_id": "MDEyOklzc3VlQ29tbWVudDY0MjkwNzAyMQ==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-11T20:20:35Z", "updated_at": "2020-06-11T20:20:35Z", "author_association": "OWNER", "body": "I think the new `.check_permissions()` should be a documented utility that is available to plugins.\r\n Maybe a method on `datasette`?", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 636722501, "label": "Having view-table permission but NOT view-database should still grant access to /db/table"}, "performed_via_github_app": null} {"html_url": "https://github.com/simonw/datasette/issues/832#issuecomment-642906681", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/832", "id": 642906681, "node_id": "MDEyOklzc3VlQ29tbWVudDY0MjkwNjY4MQ==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-11T20:19:47Z", "updated_at": "2020-06-11T20:20:02Z", "author_association": "OWNER", "body": "So for the following:\r\n```\r\nawait self.check_permissions(request, [\r\n (\"view-table\", (database, table)),\r\n (\"view-database\", database),\r\n \"view-instance\",\r\n])\r\n```\r\nThe logic is: if the first test returns `True`, you get access. If it returns `False` you are denied. 
If it says `None` then move on to the next check in the list and repeat.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 636722501, "label": "Having view-table permission but NOT view-database should still grant access to /db/table"}, "performed_via_github_app": null} {"html_url": "https://github.com/simonw/datasette/issues/832#issuecomment-642795966", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/832", "id": 642795966, "node_id": "MDEyOklzc3VlQ29tbWVudDY0Mjc5NTk2Ng==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-11T16:37:21Z", "updated_at": "2020-06-11T16:37:21Z", "author_association": "OWNER", "body": "How would I document this? Probably in another section on https://datasette.readthedocs.io/en/latest/authentication.html#permissions\r\n\r\nBut I'd also need to add documentation to the individual views stating what permissions are checked and in what order. 
I could do that on this page: https://datasette.readthedocs.io/en/latest/pages.html", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 636722501, "label": "Having view-table permission but NOT view-database should still grant access to /db/table"}, "performed_via_github_app": null} {"html_url": "https://github.com/simonw/datasette/issues/832#issuecomment-642741930", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/832", "id": 642741930, "node_id": "MDEyOklzc3VlQ29tbWVudDY0Mjc0MTkzMA==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-11T15:35:53Z", "updated_at": "2020-06-11T15:36:05Z", "author_association": "OWNER", "body": "Maybe the fix here is to implement a `.check_permissions()` method which passes when the first permission passes?\r\n```python\r\nawait self.check_permissions(request, [\r\n (\"view-table\", (database, table)),\r\n (\"view-database\", database),\r\n \"view-instance\",\r\n])\r\n```", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 636722501, "label": "Having view-table permission but NOT view-database should still grant access to /db/table"}, "performed_via_github_app": null} {"html_url": "https://github.com/simonw/datasette/issues/832#issuecomment-642412017", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/832", "id": 642412017, "node_id": "MDEyOklzc3VlQ29tbWVudDY0MjQxMjAxNw==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-11T05:13:59Z", "updated_at": "2020-06-11T05:13:59Z", "author_association": "OWNER", "body": "Relevant code:\r\n\r\nhttps://github.com/simonw/datasette/blob/ce4958018ede00fbdadf0c37a99889b6901bfb9b/datasette/views/table.py#L267-L272", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, 
\"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 636722501, "label": "Having view-table permission but NOT view-database should still grant access to /db/table"}, "performed_via_github_app": null}