issue_comments
20 rows where author_association = "OWNER" and issue = 1805076818 sorted by updated_at descending
This data as json, CSV (advanced)
Suggested facets: created_at (date), updated_at (date)
issue 1
- API tokens with view-table but not view-database/view-instance cannot access the table · 20 ✖
id | html_url | issue_url | node_id | user | created_at | updated_at ▲ | author_association | body | reactions | issue | performed_via_github_app |
---|---|---|---|---|---|---|---|---|---|---|---|
1696378239 | https://github.com/simonw/datasette/issues/2102#issuecomment-1696378239 | https://api.github.com/repos/simonw/datasette/issues/2102 | IC_kwDOBm6k_c5lHK1_ | simonw 9599 | 2023-08-28T20:38:01Z | 2023-08-28T20:38:01Z | OWNER | I want to test "for this set of restrictions, does a GET/POST to this path return 200 or 403"? |
{ "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } |
API tokens with view-table but not view-database/view-instance cannot access the table 1805076818 | |
1696361304 | https://github.com/simonw/datasette/issues/2102#issuecomment-1696361304 | https://api.github.com/repos/simonw/datasette/issues/2102 | IC_kwDOBm6k_c5lHGtY | simonw 9599 | 2023-08-28T20:23:47Z | 2023-08-28T20:24:35Z | OWNER | Here's an existing relevant test: It's not quite right for this new set of tests though, since they need to be exercising actual endpoints ( |
{ "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } |
API tokens with view-table but not view-database/view-instance cannot access the table 1805076818 | |
1691842259 | https://github.com/simonw/datasette/issues/2102#issuecomment-1691842259 | https://api.github.com/repos/simonw/datasette/issues/2102 | IC_kwDOBm6k_c5k13bT | simonw 9599 | 2023-08-24T14:55:54Z | 2023-08-24T14:55:54Z | OWNER | So what's needed to finish this is:
- Tests that demonstrate that nothing is revealed that shouldn't be by tokens restricted in this way
- Similar tests for other permissions like |
{ "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } |
API tokens with view-table but not view-database/view-instance cannot access the table 1805076818 | |
1691824713 | https://github.com/simonw/datasette/issues/2102#issuecomment-1691824713 | https://api.github.com/repos/simonw/datasette/issues/2102 | IC_kwDOBm6k_c5k1zJJ | simonw 9599 | 2023-08-24T14:45:49Z | 2023-08-24T14:45:49Z | OWNER | I tested this out against a Datasette Cloud instance. I created a restricted token and tested it like this:
|
{ "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } |
API tokens with view-table but not view-database/view-instance cannot access the table 1805076818 | |
1691758168 | https://github.com/simonw/datasette/issues/2102#issuecomment-1691758168 | https://api.github.com/repos/simonw/datasette/issues/2102 | IC_kwDOBm6k_c5k1i5Y | simonw 9599 | 2023-08-24T14:09:45Z | 2023-08-24T14:09:45Z | OWNER | I'm going to implement this in a branch to make it easier to test out. |
{ "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } |
API tokens with view-table but not view-database/view-instance cannot access the table 1805076818 | |
1691045051 | https://github.com/simonw/datasette/issues/2102#issuecomment-1691045051 | https://api.github.com/repos/simonw/datasette/issues/2102 | IC_kwDOBm6k_c5ky0y7 | simonw 9599 | 2023-08-24T05:51:59Z | 2023-08-24T05:51:59Z | OWNER | With that fix in place, this works:
|
{ "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } |
API tokens with view-table but not view-database/view-instance cannot access the table 1805076818 | |
1691044283 | https://github.com/simonw/datasette/issues/2102#issuecomment-1691044283 | https://api.github.com/repos/simonw/datasette/issues/2102 | IC_kwDOBm6k_c5ky0m7 | simonw 9599 | 2023-08-24T05:51:02Z | 2023-08-24T05:51:02Z | OWNER | Also need to confirm that permissions like |
{ "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } |
API tokens with view-table but not view-database/view-instance cannot access the table 1805076818 | |
1691043475 | https://github.com/simonw/datasette/issues/2102#issuecomment-1691043475 | https://api.github.com/repos/simonw/datasette/issues/2102 | IC_kwDOBm6k_c5ky0aT | simonw 9599 | 2023-08-24T05:50:04Z | 2023-08-24T05:50:04Z | OWNER | On first test this seems to work! ```diff diff --git a/datasette/default_permissions.py b/datasette/default_permissions.py index 63a66c3c..9303dac8 100644 --- a/datasette/default_permissions.py +++ b/datasette/default_permissions.py @@ -187,6 +187,30 @@ def permission_allowed_actor_restrictions(datasette, actor, action, resource): return None _r = actor.get("_r")
|
{ "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } |
API tokens with view-table but not view-database/view-instance cannot access the table 1805076818 | |
1691037971 | https://github.com/simonw/datasette/issues/2102#issuecomment-1691037971 | https://api.github.com/repos/simonw/datasette/issues/2102 | IC_kwDOBm6k_c5kyzET | simonw 9599 | 2023-08-24T05:42:47Z | 2023-08-24T05:42:47Z | OWNER | I applied a fun trick to help test this out:
With that in place I can try this, with a token that has view-instance and view-database and view-table:
|
{ "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } |
API tokens with view-table but not view-database/view-instance cannot access the table 1805076818 | |
1691036559 | https://github.com/simonw/datasette/issues/2102#issuecomment-1691036559 | https://api.github.com/repos/simonw/datasette/issues/2102 | IC_kwDOBm6k_c5kyyuP | simonw 9599 | 2023-08-24T05:40:53Z | 2023-08-24T05:40:53Z | OWNER | There might be an easier way to solve this. Here's some permission checks that run when hitting ``` permission_allowed: action=view-table, resource=('fixtures', 'facetable'), actor={'_r': {'a': ['vi'], 'd': {'fixtures': ['vd']}, 'r': {'fixtures': {'facetable': ['vt']}}}, 'a': 'user'} File "/datasette/views/table.py", line 727, in table_view_traced view_data = await table_view_data( File "/datasette/views/table.py", line 875, in table_view_data visible, private = await datasette.check_visibility( File "/datasette/app.py", line 890, in check_visibility await self.ensure_permissions(actor, permissions) permission_allowed: action=view-database, resource=fixtures, actor={'_r': {'a': ['vi'], 'd': {'fixtures': ['vd']}, 'r': {'fixtures': {'facetable': ['vt']}}}, 'a': 'user'} File "/datasette/views/table.py", line 727, in table_view_traced view_data = await table_view_data( File "/datasette/views/table.py", line 875, in table_view_data visible, private = await datasette.check_visibility( File "/datasette/app.py", line 890, in check_visibility await self.ensure_permissions(actor, permissions) permission_allowed: action=view-instance, resource=<None>, actor={'_r': {'a': ['vi'], 'd': {'fixtures': ['vd']}, 'r': {'fixtures': {'facetable': ['vt']}}}, 'a': 'user'} File "/datasette/views/table.py", line 727, in table_view_traced view_data = await table_view_data( File "/datasette/views/table.py", line 875, in table_view_data visible, private = await datasette.check_visibility( File "/datasette/app.py", line 890, in check_visibility await self.ensure_permissions(actor, permissions) ``` That's with a token that has the view instance, view database and view table permissions required. But... what if the restrictions logic said that if you have view-table you automatically also get view-database and view-instance? Would that actually let people do anything they shouldn't be able to do? I don't think it would even let them see a list of tables that they weren't allowed to visit, so it might be OK. I'll try that and see how it works. |
{ "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } |
API tokens with view-table but not view-database/view-instance cannot access the table 1805076818 | |
1690705243 | https://github.com/simonw/datasette/issues/2102#issuecomment-1690705243 | https://api.github.com/repos/simonw/datasette/issues/2102 | IC_kwDOBm6k_c5kxh1b | simonw 9599 | 2023-08-23T22:03:54Z | 2023-08-23T22:03:54Z | OWNER | Idea: |
{ "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } |
API tokens with view-table but not view-database/view-instance cannot access the table 1805076818 | |
1690703764 | https://github.com/simonw/datasette/issues/2102#issuecomment-1690703764 | https://api.github.com/repos/simonw/datasette/issues/2102 | IC_kwDOBm6k_c5kxheU | simonw 9599 | 2023-08-23T22:02:14Z | 2023-08-23T22:02:14Z | OWNER | Built this new test:
|
{ "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } |
API tokens with view-table but not view-database/view-instance cannot access the table 1805076818 | |
1690693830 | https://github.com/simonw/datasette/issues/2102#issuecomment-1690693830 | https://api.github.com/repos/simonw/datasette/issues/2102 | IC_kwDOBm6k_c5kxfDG | simonw 9599 | 2023-08-23T21:51:52Z | 2023-08-23T21:52:58Z | OWNER | This is the hook in question: https://github.com/simonw/datasette/blob/bdf59eb7db42559e538a637bacfe86d39e5d17ca/datasette/hookspecs.py#L108-L110
|
{ "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } |
API tokens with view-table but not view-database/view-instance cannot access the table 1805076818 | |
1640064620 | https://github.com/simonw/datasette/issues/2102#issuecomment-1640064620 | https://api.github.com/repos/simonw/datasette/issues/2102 | IC_kwDOBm6k_c5hwWZs | simonw 9599 | 2023-07-18T11:47:21Z | 2023-07-18T11:47:21Z | OWNER | I think I've figured out the problem here. The question being asked is "can this actor access this resource, which is within this database within this instance". The answer to this question needs to consider the full set of questions at once - yes they can access within this instance IF they have access to the specified table and that's the table being asked about. But the questions are currently being asked independently, which means the plugin hook acting on So I think I may need to redesign the plugin hook to always see the full hierarchy of checks, not just a single check at a time. |
{ "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } |
API tokens with view-table but not view-database/view-instance cannot access the table 1805076818 | |
1638567228 | https://github.com/simonw/datasette/issues/2102#issuecomment-1638567228 | https://api.github.com/repos/simonw/datasette/issues/2102 | IC_kwDOBm6k_c5hqo08 | simonw 9599 | 2023-07-17T17:24:19Z | 2023-07-17T17:25:12Z | OWNER | Confirmed that this is an issue with regular Datasette signed tokens as well. I created one on https://latest.datasette.io/-/create-token with these details:
|
{ "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } |
API tokens with view-table but not view-database/view-instance cannot access the table 1805076818 | |
1636093730 | https://github.com/simonw/datasette/issues/2102#issuecomment-1636093730 | https://api.github.com/repos/simonw/datasette/issues/2102 | IC_kwDOBm6k_c5hhM8i | simonw 9599 | 2023-07-14T16:26:27Z | 2023-07-14T16:32:49Z | OWNER | Here's that crucial comment:
So that's why I implemented it like this. The goal here is to be able to issue a token which can't do anything more than the actor it is associated with, but CAN be configured to do less. So I think the solution here is for the I'm not sure that's going to work though - would that mean that granting Maybe that's OK: if you have Also, do |
{ "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } |
API tokens with view-table but not view-database/view-instance cannot access the table 1805076818 | |
1636053060 | https://github.com/simonw/datasette/issues/2102#issuecomment-1636053060 | https://api.github.com/repos/simonw/datasette/issues/2102 | IC_kwDOBm6k_c5hhDBE | simonw 9599 | 2023-07-14T15:51:36Z | 2023-07-14T16:14:05Z | OWNER | This might only be an issue with the code that checks Added in https://github.com/simonw/datasette/commit/bcc781f4c50a8870e3389c4e60acb625c34b0317 - refs:
|
{ "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } |
API tokens with view-table but not view-database/view-instance cannot access the table 1805076818 | |
1636042066 | https://github.com/simonw/datasette/issues/2102#issuecomment-1636042066 | https://api.github.com/repos/simonw/datasette/issues/2102 | IC_kwDOBm6k_c5hhAVS | simonw 9599 | 2023-07-14T15:41:54Z | 2023-07-14T15:42:32Z | OWNER | I tried some code spelunking and came across https://github.com/simonw/datasette/commit/d6e03b04302a0852e7133dc030eab50177c37be7 which says:
Refs: - #832 Which suggests that my initial design decision wasn't what appears to be implemented today. Needs more investigation. |
{ "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } |
API tokens with view-table but not view-database/view-instance cannot access the table 1805076818 | |
1636040164 | https://github.com/simonw/datasette/issues/2102#issuecomment-1636040164 | https://api.github.com/repos/simonw/datasette/issues/2102 | IC_kwDOBm6k_c5hg_3k | simonw 9599 | 2023-07-14T15:40:21Z | 2023-07-14T15:40:21Z | OWNER | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } |
API tokens with view-table but not view-database/view-instance cannot access the table 1805076818 | ||
1636036312 | https://github.com/simonw/datasette/issues/2102#issuecomment-1636036312 | https://api.github.com/repos/simonw/datasette/issues/2102 | IC_kwDOBm6k_c5hg-7Y | simonw 9599 | 2023-07-14T15:37:14Z | 2023-07-14T15:37:14Z | OWNER | I think I made this decision because I was thinking about default deny: obviously if a user has been denied access to a database. It doesn't make sense that they could access tables within it. But now that I am spending more time with authentication tokens, which default to denying everything, except for the things that you have explicitly listed, this policy, no longer makes as much sense. |
{ "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } |
API tokens with view-table but not view-database/view-instance cannot access the table 1805076818 |
Advanced export
JSON shape: default, array, newline-delimited, object
CREATE TABLE [issue_comments] ( [html_url] TEXT, [issue_url] TEXT, [id] INTEGER PRIMARY KEY, [node_id] TEXT, [user] INTEGER REFERENCES [users]([id]), [created_at] TEXT, [updated_at] TEXT, [author_association] TEXT, [body] TEXT, [reactions] TEXT, [issue] INTEGER REFERENCES [issues]([id]) , [performed_via_github_app] TEXT); CREATE INDEX [idx_issue_comments_issue] ON [issue_comments] ([issue]); CREATE INDEX [idx_issue_comments_user] ON [issue_comments] ([user]);
user 1