id,node_id,number,title,user,user_label,state,locked,assignee,assignee_label,milestone,milestone_label,comments,created_at,updated_at,closed_at,author_association,pull_request,body,repo,repo_label,type,active_lock_reason,performed_via_github_app,reactions,draft,state_reason
1495821607,I_kwDOBm6k_c5ZKG0n,1953,Release notes for Datasette 1.0a2,9599,simonw,closed,0,,,8711695, Datasette 1.0a2,2,2022-12-14T06:26:40Z,2022-12-15T02:02:15Z,2022-12-15T02:01:08Z,OWNER,,"https://github.com/simonw/datasette/milestone/27?closed=1

https://github.com/simonw/datasette/compare/1.0a1...9ad76d279e2c3874ca5070626a25458ce129f126",107914493,datasette,issue,,,"{""url"": ""https://api.github.com/repos/simonw/datasette/issues/1953/reactions"", ""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",,completed
1473411197,I_kwDOBm6k_c5X0nh9,1927,ignore:true/replace:true options for /db/-/create API,9599,simonw,closed,0,,,8711695, Datasette 1.0a2,5,2022-12-02T20:32:30Z,2022-12-15T01:47:01Z,2022-12-08T01:43:01Z,OWNER,,"See also:
- #1924

It turns out I want to be able to call `/db/-/create` multiple times with the `rows` argument, so that I don't have to worry about creating the table first.

As such I find myself wanting support for the `""insert"": true` and `""replace"": true` options as well.

Still TODO:

- [x] A test for the case where you call `/-/create` twice with `rows` without using these options
- [x] `pk` should be required if you are using these options
- [x] Error if you pass `pk` and the table exists already but has a different `pk`
- [x] Documentation for `insert` and `replace` - and what happens if you repeat a `/-/create` with rows generally
- [x] Documentation should explain that you are allowed to call `/-/create` more than once using `rows`.",107914493,datasette,issue,,,"{""url"": ""https://api.github.com/repos/simonw/datasette/issues/1927/reactions"", ""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",,completed
1483320357,I_kwDOBm6k_c5Yaawl,1937,/db/-/create API should require insert-rows permission to use row: or rows: option,9599,simonw,closed,0,,,8711695, Datasette 1.0a2,2,2022-12-08T01:33:09Z,2022-12-14T20:21:26Z,2022-12-14T20:21:26Z,OWNER,,Otherwise someone with `create-table` but no` insert-rows` permission could abuse it to insert data.,107914493,datasette,issue,,,"{""url"": ""https://api.github.com/repos/simonw/datasette/issues/1937/reactions"", ""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",,completed
1497288666,I_kwDOBm6k_c5ZPs_a,1956,Handle abbreviations properly in permission_allowed_actor_restrictions,9599,simonw,closed,0,,,8711695, Datasette 1.0a2,2,2022-12-14T19:54:21Z,2022-12-14T20:04:29Z,2022-12-14T20:04:28Z,OWNER,,"This code currently assumes abbreviations are:

 ```pyton
action_initials = """".join([word[0] for word in action.split(""-"")])
```

https://github.com/simonw/datasette/blob/1a3dcf494376e32f7cff110c86a88e5b0a3f3924/datasette/default_permissions.py#L182-L208

That's no longer correct, they are now registered by the new plugin hook:
- #1939 ",107914493,datasette,issue,,,"{""url"": ""https://api.github.com/repos/simonw/datasette/issues/1956/reactions"", ""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",,completed
1493390939,I_kwDOBm6k_c5ZA1Zb,1947,UI to create reduced scope tokens from the `/-/create-token` page,9599,simonw,closed,0,,,8711695, Datasette 1.0a2,22,2022-12-13T05:10:48Z,2022-12-14T05:22:00Z,2022-12-14T05:13:24Z,OWNER,,"Split from:
- #1855",107914493,datasette,issue,,,"{""url"": ""https://api.github.com/repos/simonw/datasette/issues/1947/reactions"", ""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",,completed
1495431932,I_kwDOBm6k_c5ZInr8,1951,`datasette.create_token(...)` method for creating signed API tokens,9599,simonw,closed,0,,,8711695, Datasette 1.0a2,6,2022-12-14T01:25:34Z,2022-12-14T02:43:45Z,2022-12-14T02:42:05Z,OWNER,,"I need this for:
- #1947

And I can refactor this to use it too:
- #1855

By making this a documented internal API it can be used by other plugins too. It's also going to be really useful for writing tests.",107914493,datasette,issue,,,"{""url"": ""https://api.github.com/repos/simonw/datasette/issues/1951/reactions"", ""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",,completed
1423336089,I_kwDOBm6k_c5U1mKZ,1855,`datasette create-token` ability to create tokens with a reduced set of permissions,9599,simonw,closed,0,,,8711695, Datasette 1.0a2,19,2022-10-26T02:20:52Z,2022-12-14T01:24:49Z,2022-12-13T05:20:24Z,OWNER,,"Initial design ideas: https://github.com/simonw/datasette/issues/1852#issuecomment-1289733483

> Token design concept:
> 
> ```json
> {
>     ""t"": {
>         ""a"": [""ir"", ""ur"", ""dr""],
>         ""d"": {
>             ""fixtures"": [""ir"", ""ur"", ""dr""]
>         },
>         ""t"": {
>             ""fixtures"": {
>                 ""searchable"": [""ir""]
>             }
>         }
>     }
> }
> ```
> 
> That JSON would be minified and signed.
> 
> Minified version of the above looks like this (101 characters):
> 
> `{""t"":{""a"":[""ir"",""ur"",""dr""],""d"":{""fixtures"":[""ir"",""ur"",""dr""]},""t"":{""fixtures"":{""searchable"":[""ir""]}}}}`
> 
> The `""t""` key shows this is a token that as a default API key.
> 
> `""a""` means ""all"" - these are permissions that have been granted on all tables and databases.
> 
> `""d""` means ""databases"" - this is a way to set permissions for all tables in a specific database.
> 
> `""t""` means ""tables"" - this lets you set permissions at a finely grained table level.
> 
> Then the permissions themselves are two character codes which are shortened versions - so:
> 
> * `ir` = `insert-row`
> * `ur` = `update-row`
> * `dr` = `delete-row`

## Remaining tasks

- [x] Add these options to the `datasette create-token` command
- [x] Tests for `datasette create-token` options
- [x] Documentation for those options at https://docs.datasette.io/en/latest/authentication.html#datasette-create-token
- [x] A way to handle permissions that don't have known abbreviations (permissions added by plugins). Probably need to solve the plugin permission registration problem as part of that
- [x] Stop hard-coding names of actions in the `permission_allowed_actor_restrictions` function",107914493,datasette,issue,,,"{""url"": ""https://api.github.com/repos/simonw/datasette/issues/1855/reactions"", ""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",,completed
1485488236,PR_kwDOBm6k_c5E1iJG,1938,"""permissions"" blocks in metadata.json/yaml",9599,simonw,closed,0,,,8711695, Datasette 1.0a2,3,2022-12-08T22:07:36Z,2022-12-13T05:23:18Z,2022-12-13T05:23:18Z,OWNER,simonw/datasette/pulls/1938,"Refs #1636

- [x] Documentation
- [ ] Implementation
- [ ] Validate metadata to check there are no nonsensical permissions (like `debug-menu` set at the table level)
- [ ] Tests

<!-- readthedocs-preview datasette start -->
----
:books: Documentation preview :books:: https://datasette--1938.org.readthedocs.build/en/1938/

<!-- readthedocs-preview datasette end -->",107914493,datasette,pull,,,"{""url"": ""https://api.github.com/repos/simonw/datasette/issues/1938/reactions"", ""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",0,
1493339206,I_kwDOBm6k_c5ZAoxG,1946,`datasette --get` mechanism for sending tokens,9599,simonw,closed,0,,,8711695, Datasette 1.0a2,2,2022-12-13T04:25:05Z,2022-12-13T04:36:57Z,2022-12-13T04:36:57Z,OWNER,,"> For the tests for `datasette create-token` it would be useful if `datasette --get` had a mechanism for sending an `Authorization: Bearer X` header.

_Originally posted by @simonw in https://github.com/simonw/datasette/issues/1855#issuecomment-1347731288_
      ",107914493,datasette,issue,,,"{""url"": ""https://api.github.com/repos/simonw/datasette/issues/1946/reactions"", ""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",,completed
1493306655,I_kwDOBm6k_c5ZAg0f,1945,`view-instance` should not be checked for /-/actor.json,9599,simonw,closed,0,,,8711695, Datasette 1.0a2,0,2022-12-13T04:01:46Z,2022-12-13T04:11:56Z,2022-12-13T04:11:56Z,OWNER,,"Spotted this while testing:

- #1855
```
export TOKEN=$(datasette create-token root --secret s -a foo)
curl -H ""Authorization: Bearer $TOKEN"" http://localhost:8002/-/actor.json
```
Returned a Forbidden error (and not in JSON either).",107914493,datasette,issue,,,"{""url"": ""https://api.github.com/repos/simonw/datasette/issues/1945/reactions"", ""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",,completed
1138008042,I_kwDOBm6k_c5D1J_q,1636,"""permissions"" propery in metadata for configuring arbitrary permissions",9599,simonw,closed,0,,,8711695, Datasette 1.0a2,14,2022-02-15T00:25:59Z,2022-12-13T02:40:50Z,2022-12-13T02:40:50Z,OWNER,,"The `""allow""` block mechanism can already be used to configure various default permissions. When adding permissions to `datasette-tiddlywiki` I realized it would be good to be able to configure arbitrary permissions such as `edit-tiddlywiki` there too.",107914493,datasette,issue,,,"{""url"": ""https://api.github.com/repos/simonw/datasette/issues/1636/reactions"", ""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",,completed
1485757511,I_kwDOBm6k_c5YjtxH,1939,register_permissions(datasette) plugin hook,9599,simonw,closed,0,,,8711695, Datasette 1.0a2,20,2022-12-09T01:33:25Z,2022-12-13T02:07:50Z,2022-12-13T02:05:56Z,OWNER,,"A plugin hook that adds more named permissions to the list which is initially populated here:

https://github.com/simonw/datasette/blob/e539c1c024bc62d88df91d9107cbe37e7f0fe55f/datasette/permissions.py#L1-L19

Originally imagined this hook in this comment:

- https://github.com/simonw/datasette/issues/1881#issuecomment-1301639370

I need this for a few reasons:

- https://github.com/simonw/datasette/issues/1636
  - Needs it in order to validate that permissions defined in `metadata.json` are set in the right place (don't set an instance permissions at table level for example)
- https://github.com/simonw/datasette/issues/1855
  - Needs it to be able to register additional abbreviations for use in signed cookies
  - And for validation when you use `datasette create-token` and pass in extra permissions
- The https://latest.datasette.io/-/permissions debug interface needs it to add extra debug options to the `<select>`",107914493,datasette,issue,,,"{""url"": ""https://api.github.com/repos/simonw/datasette/issues/1939/reactions"", ""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",,completed
1486011362,PR_kwDOBm6k_c5E3XqB,1940,register_permissions() plugin hook,9599,simonw,closed,0,,,8711695, Datasette 1.0a2,6,2022-12-09T05:09:28Z,2022-12-13T02:05:55Z,2022-12-13T02:05:54Z,OWNER,simonw/datasette/pulls/1940,"Refs #1939

From this comment: https://github.com/simonw/datasette/issues/1939#issuecomment-1343872168

- [x] Unit test for the registration plugin hook itself
- [x] Use them in `check_permission_actions_are_documented` test in `conftest.py`
- [x] Add description field to `Permissions` (and update tests and docs)
- [x] Documentation for `datasette.permissions` dictionary
- [x] If no `default=` provided in call to `permission_allowed()` then use default from `datasette.permissions` list
- [x] Remove `default=` from a bunch of places
- [x] Throw an error if two permissions are registered with the same name or abbreviation (but other attributes differ)
- [x] Update authentication and permissions documentation to explain that permissions are now registered and have a registered default

<!-- readthedocs-preview datasette start -->
----
:books: Documentation preview :books:: https://datasette--1940.org.readthedocs.build/en/1940/

<!-- readthedocs-preview datasette end -->",107914493,datasette,pull,,,"{""url"": ""https://api.github.com/repos/simonw/datasette/issues/1940/reactions"", ""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",0,
1432013704,I_kwDOBm6k_c5VWsuI,1878,/db/table/-/upsert API,9599,simonw,closed,0,,,8711695, Datasette 1.0a2,8,2022-11-01T20:01:18Z,2022-12-08T01:12:18Z,2022-12-08T01:12:17Z,OWNER,,Equivalent to `sqlite-utils upsert`: https://sqlite-utils.datasette.io/en/stable/python-api.html#upserting-data,107914493,datasette,issue,,,"{""url"": ""https://api.github.com/repos/simonw/datasette/issues/1878/reactions"", ""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",,completed
1473814539,PR_kwDOBm6k_c5EMVug,1931,/db/table/-/upsert,9599,simonw,closed,0,,,8711695, Datasette 1.0a2,8,2022-12-03T07:01:44Z,2022-12-08T01:12:17Z,2022-12-08T01:12:16Z,OWNER,simonw/datasette/pulls/1931,"Refs #1878

Still todo:
- [x] Support `""return"": true` properly for upserts (with tests)
- [x] Require both `insert-row` and `update-row` permissions
- [x] Tests are going to need to cover both rowid-only and compound primary key tables, including all of the error states
- [x] Documentation

<!-- readthedocs-preview datasette start -->
----
:books: Documentation preview :books:: https://datasette--1931.org.readthedocs.build/en/1931/

<!-- readthedocs-preview datasette end -->",107914493,datasette,pull,,,"{""url"": ""https://api.github.com/repos/simonw/datasette/issues/1931/reactions"", ""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",0,