issue_comments

I'd love to come up with a good short name for the second part of the resource two-tuple, the thing which is usually the name of a table but could also be the name of a SQL view or the name of a canned query.

Idea 8th December: why not call it resource? A resource could be a thing that lives inside a database.

Tool is now live here: https://latest-1-0-dev.datasette.io/-/permissions

Needs root perms, so access this first: https://latest-1-0-dev.datasette.io/login-as-root

Has tests now.

The whole database_name or (database_name, table_name) tuple for resource is a bit of a code smell. Maybe this is a chance to tidy that up too?

The plugin hook would be called register_permissions(), for consistency with register_routes() and register_commands().

I've also introduced a new concept of a permission abbreviation, which like the permission name needs to be globally unique.

That's a problem for plugins - they might just be able to guarantee that their permission long-form name is unique among other plugins (through sensible naming conventions) but the thing where they declare a initial-letters-only abbreviation is far more risky.

I think abbreviations are optional - they are provided for core permissions but plugins are advised not to use them.

Also Datasette could check that the installed plugins do not provide conflicting permissions on startup and refuse to start if they do.

If I have the permissions defined like this: python PERMISSIONS = ( Permission("view-instance", "vi", False, False, True), Permission("view-database", "vd", True, False, True), Permission("view-database-download", "vdd", True, False, True), Permission("view-table", "vt", True, True, True), Permission("view-query", "vq", True, True, True), Permission("insert-row", "ir", True, True, False), Permission("delete-row", "dr", True, True, False), Permission("drop-table", "dt", True, True, False), Permission("execute-sql", "es", True, False, True), Permission("permissions-debug", "pd", False, False, False), Permission("debug-menu", "dm", False, False, False), ) Instead of just calling them by their undeclared names in places like this: python await self.ds.permission_allowed( request.actor, "execute-sql", database, default=True ) On the one hand I can ditch that confusing default=True option - whether a permission is on by default becomes a characteristic of that Permission() itself, which feels much neater.

On the other hand though, plugins that introduce their own permissions - like https://datasette.io/plugins/datasette-edit-schema - will need a way to register those permissions with Datasette core. Probably another plugin hook.

I built this prototype on the http://127.0.0.1:8001/-/allow-debug page, which is open to anyone to visit.

But... I just realized that using this tool can leak information - you can use it to guess the names of invisible databases and tables and run theoretical permission checks against them.

Using the tool also pollutes the list of permission checks that show up on the root-anlo /-/permissions page.

So.... I'm going to restrict the usage of this tool to users with access to /-/permissions and put it on that page instead.

Built this prototype:

In building it I realized I needed to know which permissions took a table, a database, both or neither. So I had to bake that into the code.

Here's the prototype so far (which includes a prototype of the logic for the _r field on actor, see #1855):

```diff diff --git a/datasette/default_permissions.py b/datasette/default_permissions.py index 32b0c758..f68aa38f 100644 --- a/datasette/default_permissions.py +++ b/datasette/default_permissions.py @@ -6,8 +6,8 @@ import json import time

-@hookimpl(tryfirst=True) -def permission_allowed(datasette, actor, action, resource): +@hookimpl(tryfirst=True, specname="permission_allowed") +def permission_allowed_default(datasette, actor, action, resource): async def inner(): if action in ( "permissions-debug", @@ -57,6 +57,44 @@ def permission_allowed(datasette, actor, action, resource): return inner

+@hookimpl(specname="permission_allowed") +def permission_allowed_actor_restrictions(actor, action, resource): + if actor is None: + return None + r = actor.get("_r") + if not _r: + # No restrictions, so we have no opinion + return None + action_initials = "".join([word[0] for word in action.split("-")]) + # If _r is defined then we use those to further restrict the actor + # Crucially, we only use this to say NO (return False) - we never + # use it to return YES (True) because that might over-ride other + # restrictions placed on this actor + all_allowed = _r.get("a") + if all_allowed is not None: + assert isinstance(all_allowed, list) + if action_initials in all_allowed: + return None + # How about for the current database? + if action in ("view-database", "view-database-download", "execute-sql"): + database_allowed = _r.get("d", {}).get(resource) + if database_allowed is not None: + assert isinstance(database_allowed, list) + if action_initials in database_allowed: + return None + # Or the current table? That's any time the resource is (database, table) + if not isinstance(resource, str) and len(resource) == 2: + database, table = resource + table_allowed = _r.get("t", {}).get(database, {}).get(table) + # TODO: What should this do for canned queries? + if table_allowed is not None: + assert isinstance(table_allowed, list) + if action_initials in table_allowed: + return None + # This action is not specifically allowed, so reject it + return False + + @hookimpl def actor_from_request(datasette, request): prefix = "dstok" diff --git a/datasette/templates/allow_debug.html b/datasette/templates/allow_debug.html index 0f1b30f0..ae43f0f5 100644 --- a/datasette/templates/allow_debug.html +++ b/datasette/templates/allow_debug.html @@ -35,7 +35,7 @@ p.message-warning {

Use this tool to try out different actor and allow combinations. See Defining permissions with "allow" blocks for documentation.

-<form action="{{ urls.path('-/allow-debug') }}" method="get"> +<form action="{{ urls.path('-/allow-debug') }}" method="get" style="margin-bottom: 1em">