id,node_id,number,title,user,state,locked,assignee,milestone,comments,created_at,updated_at,closed_at,author_association,pull_request,body,repo,type,active_lock_reason,performed_via_github_app,reactions,draft,state_reason 628089318,MDU6SXNzdWU2MjgwODkzMTg=,787,"""datasette publish"" should bake in a random --secret",9599,closed,0,,5512395,1,2020-06-01T01:15:26Z,2020-06-11T16:02:05Z,2020-06-11T16:02:05Z,OWNER,,"To allow signed cookies etc to work reliably (see #785) all of the `datasette publish` commands should generate a random secret on publish and bake it into the configuration - probably by setting the `DATASETTE_SECRET` environment variable. - [ ] Cloud Run - [ ] Heroku - [ ] https://github.com/simonw/datasette-publish-now - [ ] https://github.com/simonw/datasette-publish-fly",107914493,issue,,,"{""url"": ""https://api.github.com/repos/simonw/datasette/issues/787/reactions"", ""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",,completed 636614868,MDU6SXNzdWU2MzY2MTQ4Njg=,831,"It would be more intuitive if ""allow"": none meant ""no-one can do this""",9599,closed,0,,5512395,1,2020-06-10T23:43:56Z,2020-06-10T23:57:25Z,2020-06-10T23:50:55Z,OWNER,,"Now that I'm starting to write alternative plugins to control permissions - see #818 - I think I need an easy way to tell Datasette ""no-one has permission to do X unless a plugin says otherwise"". One relatively intuitive way to do that could be like this: ```json { ""databases"": { ""fixtures"": { ""allow"": null } } } ``` Right now I think that opens up permissions to everyone, which isn't as obvious.",107914493,issue,,,"{""url"": ""https://api.github.com/repos/simonw/datasette/issues/831/reactions"", ""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",,completed 635696400,MDU6SXNzdWU2MzU2OTY0MDA=,827,Document CSRF protection (for plugins),9599,closed,0,,5512395,1,2020-06-09T19:19:10Z,2020-06-09T19:38:30Z,2020-06-09T19:35:13Z,OWNER,,"Plugin authors need to know that if they want to POST a form they should include this: ```html+jinja ```",107914493,issue,,,"{""url"": ""https://api.github.com/repos/simonw/datasette/issues/827/reactions"", ""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",,completed 633066114,MDU6SXNzdWU2MzMwNjYxMTQ=,810,Refactor permission check for canned query,9599,closed,0,,5512395,1,2020-06-07T05:33:05Z,2020-06-07T17:03:15Z,2020-06-07T17:03:15Z,OWNER,,"This code here (TODO is follow-on from #808). https://github.com/simonw/datasette/blob/86dec9e8fffd6c4efec928ae9b5713748dec7e74/datasette/views/database.py#L133-L142 I can improve this with extra code in https://github.com/simonw/datasette/blob/86dec9e8fffd6c4efec928ae9b5713748dec7e74/datasette/default_permissions.py",107914493,issue,,,"{""url"": ""https://api.github.com/repos/simonw/datasette/issues/810/reactions"", ""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",,completed