issue_comments

Table actions

12 rows where author_association = "OWNER", issue = 636722501 and user = 9599 sorted by updated_at descending

View and edit SQL

This data as json, CSV (advanced)

Suggested facets: updated_at (date)

user 1

  • simonw · 12

issue 1

  • Having view-table permission but NOT view-database should still grant access to /db/table · 12

author_association 1

  • OWNER · 12
id html_url issue_url node_id user created_at updated_at ▲ author_association body reactions issue performed_via_github_app
652103895 https://github.com/simonw/datasette/issues/832#issuecomment-652103895 https://api.github.com/repos/simonw/datasette/issues/832 MDEyOklzc3VlQ29tbWVudDY1MjEwMzg5NQ== simonw 9599 2020-06-30T23:41:22Z 2020-06-30T23:41:22Z OWNER

I don't think this needs any additional documentation - the new behaviour matches how the permissions are documented here: https://datasette.readthedocs.io/en/0.44/authentication.html#built-in-permissions

 
{
    "total_count": 0,
    "+1": 0,
    "-1": 0,
    "laugh": 0,
    "hooray": 0,
    "confused": 0,
    "heart": 0,
    "rocket": 0,
    "eyes": 0
}
 Having view-table permission but NOT view-database should still grant access to /db/table 636722501  
651999516 https://github.com/simonw/datasette/issues/832#issuecomment-651999516 https://api.github.com/repos/simonw/datasette/issues/832 MDEyOklzc3VlQ29tbWVudDY1MTk5OTUxNg== simonw 9599 2020-06-30T19:33:49Z 2020-06-30T21:34:59Z OWNER

Tests needed for this:

  • If a user has view table but NOT view database / view instance, can they view the table page?
  • If a user has view canned query but NOT view database / view instance, can they view the canned query page?
  • If a user has view database but NOT view instance, can they view the database page?
 
{
    "total_count": 0,
    "+1": 0,
    "-1": 0,
    "laugh": 0,
    "hooray": 0,
    "confused": 0,
    "heart": 0,
    "rocket": 0,
    "eyes": 0
}
 Having view-table permission but NOT view-database should still grant access to /db/table 636722501  
651995453 https://github.com/simonw/datasette/issues/832#issuecomment-651995453 https://api.github.com/repos/simonw/datasette/issues/832 MDEyOklzc3VlQ29tbWVudDY1MTk5NTQ1Mw== simonw 9599 2020-06-30T19:25:13Z 2020-06-30T19:25:26Z OWNER

I'm going to put the new check_permissions() method on BaseView as well. If I want that method to be available to plugins I can do so by turning that BaseView class into a documented API that plugins are encouraged to use themselves.

 
{
    "total_count": 0,
    "+1": 0,
    "-1": 0,
    "laugh": 0,
    "hooray": 0,
    "confused": 0,
    "heart": 0,
    "rocket": 0,
    "eyes": 0
}
 Having view-table permission but NOT view-database should still grant access to /db/table 636722501  
651994978 https://github.com/simonw/datasette/issues/832#issuecomment-651994978 https://api.github.com/repos/simonw/datasette/issues/832 MDEyOklzc3VlQ29tbWVudDY1MTk5NDk3OA== simonw 9599 2020-06-30T19:24:12Z 2020-06-30T19:24:12Z OWNER 
{
    "total_count": 0,
    "+1": 0,
    "-1": 0,
    "laugh": 0,
    "hooray": 0,
    "confused": 0,
    "heart": 0,
    "rocket": 0,
    "eyes": 0
}
 Having view-table permission but NOT view-database should still grant access to /db/table 636722501  
651993977 https://github.com/simonw/datasette/issues/832#issuecomment-651993977 https://api.github.com/repos/simonw/datasette/issues/832 MDEyOklzc3VlQ29tbWVudDY1MTk5Mzk3Nw== simonw 9599 2020-06-30T19:22:06Z 2020-06-30T19:22:06Z OWNER

permission_allowed is already the name of the pugin hook. It's actually a bit confusing that it's also the name of a method on datasette..

 
{
    "total_count": 0,
    "+1": 0,
    "-1": 0,
    "laugh": 0,
    "hooray": 0,
    "confused": 0,
    "heart": 0,
    "rocket": 0,
    "eyes": 0
}
 Having view-table permission but NOT view-database should still grant access to /db/table 636722501  
651993537 https://github.com/simonw/datasette/issues/832#issuecomment-651993537 https://api.github.com/repos/simonw/datasette/issues/832 MDEyOklzc3VlQ29tbWVudDY1MTk5MzUzNw== simonw 9599 2020-06-30T19:21:15Z 2020-06-30T19:21:15Z OWNER

I could rename permission_allowed() to check_permission() and have a complementary check_permissions() method.

This is a breaking change but we're pre-1.0 so I think that's OK. I could even set up a temporary permission_allowed() alias which prints a deprecation warning to the console, then remove that at 1.0.

 
{
    "total_count": 0,
    "+1": 0,
    "-1": 0,
    "laugh": 0,
    "hooray": 0,
    "confused": 0,
    "heart": 0,
    "rocket": 0,
    "eyes": 0
}
 Having view-table permission but NOT view-database should still grant access to /db/table 636722501  
651992737 https://github.com/simonw/datasette/issues/832#issuecomment-651992737 https://api.github.com/repos/simonw/datasette/issues/832 MDEyOklzc3VlQ29tbWVudDY1MTk5MjczNw== simonw 9599 2020-06-30T19:19:33Z 2020-06-30T19:20:02Z OWNER

I already have this method on Datasette: python async def permission_allowed(self, actor, action, resource=None, default=False): What would be a good method name that complements that and indicates "check a list of permissions in order"? Should it even run against the request or should you have to hand it request.actor?

 
{
    "total_count": 0,
    "+1": 0,
    "-1": 0,
    "laugh": 0,
    "hooray": 0,
    "confused": 0,
    "heart": 0,
    "rocket": 0,
    "eyes": 0
}
 Having view-table permission but NOT view-database should still grant access to /db/table 636722501  
642907021 https://github.com/simonw/datasette/issues/832#issuecomment-642907021 https://api.github.com/repos/simonw/datasette/issues/832 MDEyOklzc3VlQ29tbWVudDY0MjkwNzAyMQ== simonw 9599 2020-06-11T20:20:35Z 2020-06-11T20:20:35Z OWNER

I think the new .check_permissions() should be a documented utility that is available to plugins. Maybe a method on datasette?

 
{
    "total_count": 0,
    "+1": 0,
    "-1": 0,
    "laugh": 0,
    "hooray": 0,
    "confused": 0,
    "heart": 0,
    "rocket": 0,
    "eyes": 0
}
 Having view-table permission but NOT view-database should still grant access to /db/table 636722501  
642906681 https://github.com/simonw/datasette/issues/832#issuecomment-642906681 https://api.github.com/repos/simonw/datasette/issues/832 MDEyOklzc3VlQ29tbWVudDY0MjkwNjY4MQ== simonw 9599 2020-06-11T20:19:47Z 2020-06-11T20:20:02Z OWNER

So for the following: await self.check_permissions(request, [ ("view-table", (database, table)), ("view-database", database), "view-instance", ]) The logic is: if the first test returns True, you get access. If it returns False you are denied. If it says None then move on to the next check in the list and repeat.

 
{
    "total_count": 0,
    "+1": 0,
    "-1": 0,
    "laugh": 0,
    "hooray": 0,
    "confused": 0,
    "heart": 0,
    "rocket": 0,
    "eyes": 0
}
 Having view-table permission but NOT view-database should still grant access to /db/table 636722501  
642795966 https://github.com/simonw/datasette/issues/832#issuecomment-642795966 https://api.github.com/repos/simonw/datasette/issues/832 MDEyOklzc3VlQ29tbWVudDY0Mjc5NTk2Ng== simonw 9599 2020-06-11T16:37:21Z 2020-06-11T16:37:21Z OWNER

How would I document this? Probably in another section on https://datasette.readthedocs.io/en/latest/authentication.html#permissions

But I'd also need to add documentation to the individual views stating what permissions are checked and in what order. I could do that on this page: https://datasette.readthedocs.io/en/latest/pages.html

 
{
    "total_count": 0,
    "+1": 0,
    "-1": 0,
    "laugh": 0,
    "hooray": 0,
    "confused": 0,
    "heart": 0,
    "rocket": 0,
    "eyes": 0
}
 Having view-table permission but NOT view-database should still grant access to /db/table 636722501  
642741930 https://github.com/simonw/datasette/issues/832#issuecomment-642741930 https://api.github.com/repos/simonw/datasette/issues/832 MDEyOklzc3VlQ29tbWVudDY0Mjc0MTkzMA== simonw 9599 2020-06-11T15:35:53Z 2020-06-11T15:36:05Z OWNER

May the fix here is to implement a .check_permissions() method which passes when the first permission passes? python await self.check_permissions(request, [ ("view-table", (database, table)), ("view-database", database), "view-instance", ])

 
{
    "total_count": 0,
    "+1": 0,
    "-1": 0,
    "laugh": 0,
    "hooray": 0,
    "confused": 0,
    "heart": 0,
    "rocket": 0,
    "eyes": 0
}
 Having view-table permission but NOT view-database should still grant access to /db/table 636722501  
642412017 https://github.com/simonw/datasette/issues/832#issuecomment-642412017 https://api.github.com/repos/simonw/datasette/issues/832 MDEyOklzc3VlQ29tbWVudDY0MjQxMjAxNw== simonw 9599 2020-06-11T05:13:59Z 2020-06-11T05:13:59Z OWNER 
{
    "total_count": 0,
    "+1": 0,
    "-1": 0,
    "laugh": 0,
    "hooray": 0,
    "confused": 0,
    "heart": 0,
    "rocket": 0,
    "eyes": 0
}
 Having view-table permission but NOT view-database should still grant access to /db/table 636722501  

Advanced export

JSON shape: default, array, newline-delimited, object

CSV options: 

CREATE TABLE [issue_comments] (
   [html_url] TEXT,
   [issue_url] TEXT,
   [id] INTEGER PRIMARY KEY,
   [node_id] TEXT,
   [user] INTEGER REFERENCES [users]([id]),
   [created_at] TEXT,
   [updated_at] TEXT,
   [author_association] TEXT,
   [body] TEXT,
   [reactions] TEXT,
   [issue] INTEGER REFERENCES [issues]([id])
, [performed_via_github_app] TEXT);
CREATE INDEX [idx_issue_comments_issue]
                ON [issue_comments] ([issue]);
CREATE INDEX [idx_issue_comments_user]
                ON [issue_comments] ([user]);