{"id": 1138008042, "node_id": "I_kwDOBm6k_c5D1J_q", "number": 1636, "title": "\"permissions\" propery in metadata for configuring arbitrary permissions", "user": {"value": 9599, "label": "simonw"}, "state": "closed", "locked": 0, "assignee": null, "milestone": {"value": 8711695, "label": " Datasette 1.0a2"}, "comments": 14, "created_at": "2022-02-15T00:25:59Z", "updated_at": "2022-12-13T02:40:50Z", "closed_at": "2022-12-13T02:40:50Z", "author_association": "OWNER", "pull_request": null, "body": "The `\"allow\"` block mechanism can already be used to configure various default permissions. When adding permissions to `datasette-tiddlywiki` I realized it would be good to be able to configure arbitrary permissions such as `edit-tiddlywiki` there too.", "repo": {"value": 107914493, "label": "datasette"}, "type": "issue", "active_lock_reason": null, "performed_via_github_app": null, "reactions": "{\"url\": \"https://api.github.com/repos/simonw/datasette/issues/1636/reactions\", \"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "draft": null, "state_reason": "completed"}
{"id": 1423336089, "node_id": "I_kwDOBm6k_c5U1mKZ", "number": 1855, "title": "`datasette create-token` ability to create tokens with a reduced set of permissions", "user": {"value": 9599, "label": "simonw"}, "state": "closed", "locked": 0, "assignee": null, "milestone": {"value": 8711695, "label": " Datasette 1.0a2"}, "comments": 19, "created_at": "2022-10-26T02:20:52Z", "updated_at": "2022-12-14T01:24:49Z", "closed_at": "2022-12-13T05:20:24Z", "author_association": "OWNER", "pull_request": null, "body": "Initial design ideas: https://github.com/simonw/datasette/issues/1852#issuecomment-1289733483\r\n\r\n> Token design concept:\r\n> \r\n> ```json\r\n> {\r\n>     \"t\": {\r\n>         \"a\": [\"ir\", \"ur\", \"dr\"],\r\n>         \"d\": {\r\n>             \"fixtures\": [\"ir\", \"ur\", \"dr\"]\r\n>         },\r\n>         \"t\": {\r\n>             \"fixtures\": {\r\n>                 \"searchable\": [\"ir\"]\r\n>             }\r\n>         }\r\n>     }\r\n> }\r\n> ```\r\n> \r\n> That JSON would be minified and signed.\r\n> \r\n> Minified version of the above looks like this (101 characters):\r\n> \r\n> `{\"t\":{\"a\":[\"ir\",\"ur\",\"dr\"],\"d\":{\"fixtures\":[\"ir\",\"ur\",\"dr\"]},\"t\":{\"fixtures\":{\"searchable\":[\"ir\"]}}}}`\r\n> \r\n> The `\"t\"` key shows this is a token that as a default API key.\r\n> \r\n> `\"a\"` means \"all\" - these are permissions that have been granted on all tables and databases.\r\n> \r\n> `\"d\"` means \"databases\" - this is a way to set permissions for all tables in a specific database.\r\n> \r\n> `\"t\"` means \"tables\" - this lets you set permissions at a finely grained table level.\r\n> \r\n> Then the permissions themselves are two character codes which are shortened versions - so:\r\n> \r\n> * `ir` = `insert-row`\r\n> * `ur` = `update-row`\r\n> * `dr` = `delete-row`\r\n\r\n## Remaining tasks\r\n\r\n- [x] Add these options to the `datasette create-token` command\r\n- [x] Tests for `datasette create-token` options\r\n- [x] Documentation for those options at https://docs.datasette.io/en/latest/authentication.html#datasette-create-token\r\n- [x] A way to handle permissions that don't have known abbreviations (permissions added by plugins). Probably need to solve the plugin permission registration problem as part of that\r\n- [x] Stop hard-coding names of actions in the `permission_allowed_actor_restrictions` function", "repo": {"value": 107914493, "label": "datasette"}, "type": "issue", "active_lock_reason": null, "performed_via_github_app": null, "reactions": "{\"url\": \"https://api.github.com/repos/simonw/datasette/issues/1855/reactions\", \"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "draft": null, "state_reason": "completed"}
{"id": 1432013704, "node_id": "I_kwDOBm6k_c5VWsuI", "number": 1878, "title": "/db/table/-/upsert API", "user": {"value": 9599, "label": "simonw"}, "state": "closed", "locked": 0, "assignee": null, "milestone": {"value": 8711695, "label": " Datasette 1.0a2"}, "comments": 8, "created_at": "2022-11-01T20:01:18Z", "updated_at": "2022-12-08T01:12:18Z", "closed_at": "2022-12-08T01:12:17Z", "author_association": "OWNER", "pull_request": null, "body": "Equivalent to `sqlite-utils upsert`: https://sqlite-utils.datasette.io/en/stable/python-api.html#upserting-data", "repo": {"value": 107914493, "label": "datasette"}, "type": "issue", "active_lock_reason": null, "performed_via_github_app": null, "reactions": "{\"url\": \"https://api.github.com/repos/simonw/datasette/issues/1878/reactions\", \"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "draft": null, "state_reason": "completed"}
{"id": 1473411197, "node_id": "I_kwDOBm6k_c5X0nh9", "number": 1927, "title": "ignore:true/replace:true options for /db/-/create API", "user": {"value": 9599, "label": "simonw"}, "state": "closed", "locked": 0, "assignee": null, "milestone": {"value": 8711695, "label": " Datasette 1.0a2"}, "comments": 5, "created_at": "2022-12-02T20:32:30Z", "updated_at": "2022-12-15T01:47:01Z", "closed_at": "2022-12-08T01:43:01Z", "author_association": "OWNER", "pull_request": null, "body": "See also:\r\n- #1924\r\n\r\nIt turns out I want to be able to call `/db/-/create` multiple times with the `rows` argument, so that I don't have to worry about creating the table first.\r\n\r\nAs such I find myself wanting support for the `\"insert\": true` and `\"replace\": true` options as well.\r\n\r\nStill TODO:\r\n\r\n- [x] A test for the case where you call `/-/create` twice with `rows` without using these options\r\n- [x] `pk` should be required if you are using these options\r\n- [x] Error if you pass `pk` and the table exists already but has a different `pk`\r\n- [x] Documentation for `insert` and `replace` - and what happens if you repeat a `/-/create` with rows generally\r\n- [x] Documentation should explain that you are allowed to call `/-/create` more than once using `rows`.", "repo": {"value": 107914493, "label": "datasette"}, "type": "issue", "active_lock_reason": null, "performed_via_github_app": null, "reactions": "{\"url\": \"https://api.github.com/repos/simonw/datasette/issues/1927/reactions\", \"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "draft": null, "state_reason": "completed"}
{"id": 1483320357, "node_id": "I_kwDOBm6k_c5Yaawl", "number": 1937, "title": "/db/-/create API should require insert-rows permission to use row: or rows: option", "user": {"value": 9599, "label": "simonw"}, "state": "closed", "locked": 0, "assignee": null, "milestone": {"value": 8711695, "label": " Datasette 1.0a2"}, "comments": 2, "created_at": "2022-12-08T01:33:09Z", "updated_at": "2022-12-14T20:21:26Z", "closed_at": "2022-12-14T20:21:26Z", "author_association": "OWNER", "pull_request": null, "body": "Otherwise someone with `create-table` but no` insert-rows` permission could abuse it to insert data.", "repo": {"value": 107914493, "label": "datasette"}, "type": "issue", "active_lock_reason": null, "performed_via_github_app": null, "reactions": "{\"url\": \"https://api.github.com/repos/simonw/datasette/issues/1937/reactions\", \"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "draft": null, "state_reason": "completed"}
{"id": 1485757511, "node_id": "I_kwDOBm6k_c5YjtxH", "number": 1939, "title": "register_permissions(datasette) plugin hook", "user": {"value": 9599, "label": "simonw"}, "state": "closed", "locked": 0, "assignee": null, "milestone": {"value": 8711695, "label": " Datasette 1.0a2"}, "comments": 20, "created_at": "2022-12-09T01:33:25Z", "updated_at": "2022-12-13T02:07:50Z", "closed_at": "2022-12-13T02:05:56Z", "author_association": "OWNER", "pull_request": null, "body": "A plugin hook that adds more named permissions to the list which is initially populated here:\r\n\r\nhttps://github.com/simonw/datasette/blob/e539c1c024bc62d88df91d9107cbe37e7f0fe55f/datasette/permissions.py#L1-L19\r\n\r\nOriginally imagined this hook in this comment:\r\n\r\n- https://github.com/simonw/datasette/issues/1881#issuecomment-1301639370\r\n\r\nI need this for a few reasons:\r\n\r\n- https://github.com/simonw/datasette/issues/1636\r\n  - Needs it in order to validate that permissions defined in `metadata.json` are set in the right place (don't set an instance permissions at table level for example)\r\n- https://github.com/simonw/datasette/issues/1855\r\n  - Needs it to be able to register additional abbreviations for use in signed cookies\r\n  - And for validation when you use `datasette create-token` and pass in extra permissions\r\n- The https://latest.datasette.io/-/permissions debug interface needs it to add extra debug options to the `<select>`", "repo": {"value": 107914493, "label": "datasette"}, "type": "issue", "active_lock_reason": null, "performed_via_github_app": null, "reactions": "{\"url\": \"https://api.github.com/repos/simonw/datasette/issues/1939/reactions\", \"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "draft": null, "state_reason": "completed"}
{"id": 1493390939, "node_id": "I_kwDOBm6k_c5ZA1Zb", "number": 1947, "title": "UI to create reduced scope tokens from the `/-/create-token` page", "user": {"value": 9599, "label": "simonw"}, "state": "closed", "locked": 0, "assignee": null, "milestone": {"value": 8711695, "label": " Datasette 1.0a2"}, "comments": 22, "created_at": "2022-12-13T05:10:48Z", "updated_at": "2022-12-14T05:22:00Z", "closed_at": "2022-12-14T05:13:24Z", "author_association": "OWNER", "pull_request": null, "body": "Split from:\r\n- #1855", "repo": {"value": 107914493, "label": "datasette"}, "type": "issue", "active_lock_reason": null, "performed_via_github_app": null, "reactions": "{\"url\": \"https://api.github.com/repos/simonw/datasette/issues/1947/reactions\", \"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "draft": null, "state_reason": "completed"}
{"id": 1493306655, "node_id": "I_kwDOBm6k_c5ZAg0f", "number": 1945, "title": "`view-instance` should not be checked for /-/actor.json", "user": {"value": 9599, "label": "simonw"}, "state": "closed", "locked": 0, "assignee": null, "milestone": {"value": 8711695, "label": " Datasette 1.0a2"}, "comments": 0, "created_at": "2022-12-13T04:01:46Z", "updated_at": "2022-12-13T04:11:56Z", "closed_at": "2022-12-13T04:11:56Z", "author_association": "OWNER", "pull_request": null, "body": "Spotted this while testing:\r\n\r\n- #1855\r\n```\r\nexport TOKEN=$(datasette create-token root --secret s -a foo)\r\ncurl -H \"Authorization: Bearer $TOKEN\" http://localhost:8002/-/actor.json\r\n```\r\nReturned a Forbidden error (and not in JSON either).", "repo": {"value": 107914493, "label": "datasette"}, "type": "issue", "active_lock_reason": null, "performed_via_github_app": null, "reactions": "{\"url\": \"https://api.github.com/repos/simonw/datasette/issues/1945/reactions\", \"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "draft": null, "state_reason": "completed"}
{"id": 1493339206, "node_id": "I_kwDOBm6k_c5ZAoxG", "number": 1946, "title": "`datasette --get` mechanism for sending tokens", "user": {"value": 9599, "label": "simonw"}, "state": "closed", "locked": 0, "assignee": null, "milestone": {"value": 8711695, "label": " Datasette 1.0a2"}, "comments": 2, "created_at": "2022-12-13T04:25:05Z", "updated_at": "2022-12-13T04:36:57Z", "closed_at": "2022-12-13T04:36:57Z", "author_association": "OWNER", "pull_request": null, "body": "> For the tests for `datasette create-token` it would be useful if `datasette --get` had a mechanism for sending an `Authorization: Bearer X` header.\r\n\r\n_Originally posted by @simonw in https://github.com/simonw/datasette/issues/1855#issuecomment-1347731288_\r\n      ", "repo": {"value": 107914493, "label": "datasette"}, "type": "issue", "active_lock_reason": null, "performed_via_github_app": null, "reactions": "{\"url\": \"https://api.github.com/repos/simonw/datasette/issues/1946/reactions\", \"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "draft": null, "state_reason": "completed"}
{"id": 1495431932, "node_id": "I_kwDOBm6k_c5ZInr8", "number": 1951, "title": "`datasette.create_token(...)` method for creating signed API tokens", "user": {"value": 9599, "label": "simonw"}, "state": "closed", "locked": 0, "assignee": null, "milestone": {"value": 8711695, "label": " Datasette 1.0a2"}, "comments": 6, "created_at": "2022-12-14T01:25:34Z", "updated_at": "2022-12-14T02:43:45Z", "closed_at": "2022-12-14T02:42:05Z", "author_association": "OWNER", "pull_request": null, "body": "I need this for:\r\n- #1947\r\n\r\nAnd I can refactor this to use it too:\r\n- #1855\r\n\r\nBy making this a documented internal API it can be used by other plugins too. It's also going to be really useful for writing tests.", "repo": {"value": 107914493, "label": "datasette"}, "type": "issue", "active_lock_reason": null, "performed_via_github_app": null, "reactions": "{\"url\": \"https://api.github.com/repos/simonw/datasette/issues/1951/reactions\", \"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "draft": null, "state_reason": "completed"}
{"id": 1495821607, "node_id": "I_kwDOBm6k_c5ZKG0n", "number": 1953, "title": "Release notes for Datasette 1.0a2", "user": {"value": 9599, "label": "simonw"}, "state": "closed", "locked": 0, "assignee": null, "milestone": {"value": 8711695, "label": " Datasette 1.0a2"}, "comments": 2, "created_at": "2022-12-14T06:26:40Z", "updated_at": "2022-12-15T02:02:15Z", "closed_at": "2022-12-15T02:01:08Z", "author_association": "OWNER", "pull_request": null, "body": "https://github.com/simonw/datasette/milestone/27?closed=1\r\n\r\nhttps://github.com/simonw/datasette/compare/1.0a1...9ad76d279e2c3874ca5070626a25458ce129f126", "repo": {"value": 107914493, "label": "datasette"}, "type": "issue", "active_lock_reason": null, "performed_via_github_app": null, "reactions": "{\"url\": \"https://api.github.com/repos/simonw/datasette/issues/1953/reactions\", \"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "draft": null, "state_reason": "completed"}
{"id": 1497288666, "node_id": "I_kwDOBm6k_c5ZPs_a", "number": 1956, "title": "Handle abbreviations properly in permission_allowed_actor_restrictions", "user": {"value": 9599, "label": "simonw"}, "state": "closed", "locked": 0, "assignee": null, "milestone": {"value": 8711695, "label": " Datasette 1.0a2"}, "comments": 2, "created_at": "2022-12-14T19:54:21Z", "updated_at": "2022-12-14T20:04:29Z", "closed_at": "2022-12-14T20:04:28Z", "author_association": "OWNER", "pull_request": null, "body": "This code currently assumes abbreviations are:\r\n\r\n ```pyton\r\naction_initials = \"\".join([word[0] for word in action.split(\"-\")])\r\n```\r\n\r\nhttps://github.com/simonw/datasette/blob/1a3dcf494376e32f7cff110c86a88e5b0a3f3924/datasette/default_permissions.py#L182-L208\r\n\r\nThat's no longer correct, they are now registered by the new plugin hook:\r\n- #1939 ", "repo": {"value": 107914493, "label": "datasette"}, "type": "issue", "active_lock_reason": null, "performed_via_github_app": null, "reactions": "{\"url\": \"https://api.github.com/repos/simonw/datasette/issues/1956/reactions\", \"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "draft": null, "state_reason": "completed"}
{"id": 1485488236, "node_id": "PR_kwDOBm6k_c5E1iJG", "number": 1938, "title": "\"permissions\" blocks in metadata.json/yaml", "user": {"value": 9599, "label": "simonw"}, "state": "closed", "locked": 0, "assignee": null, "milestone": {"value": 8711695, "label": " Datasette 1.0a2"}, "comments": 3, "created_at": "2022-12-08T22:07:36Z", "updated_at": "2022-12-13T05:23:18Z", "closed_at": "2022-12-13T05:23:18Z", "author_association": "OWNER", "pull_request": "simonw/datasette/pulls/1938", "body": "Refs #1636\r\n\r\n- [x] Documentation\r\n- [ ] Implementation\r\n- [ ] Validate metadata to check there are no nonsensical permissions (like `debug-menu` set at the table level)\r\n- [ ] Tests\r\n\r\n<!-- readthedocs-preview datasette start -->\r\n----\r\n:books: Documentation preview :books:: https://datasette--1938.org.readthedocs.build/en/1938/\r\n\r\n<!-- readthedocs-preview datasette end -->", "repo": {"value": 107914493, "label": "datasette"}, "type": "pull", "active_lock_reason": null, "performed_via_github_app": null, "reactions": "{\"url\": \"https://api.github.com/repos/simonw/datasette/issues/1938/reactions\", \"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "draft": 0, "state_reason": null}
{"id": 1486011362, "node_id": "PR_kwDOBm6k_c5E3XqB", "number": 1940, "title": "register_permissions() plugin hook", "user": {"value": 9599, "label": "simonw"}, "state": "closed", "locked": 0, "assignee": null, "milestone": {"value": 8711695, "label": " Datasette 1.0a2"}, "comments": 6, "created_at": "2022-12-09T05:09:28Z", "updated_at": "2022-12-13T02:05:55Z", "closed_at": "2022-12-13T02:05:54Z", "author_association": "OWNER", "pull_request": "simonw/datasette/pulls/1940", "body": "Refs #1939\r\n\r\nFrom this comment: https://github.com/simonw/datasette/issues/1939#issuecomment-1343872168\r\n\r\n- [x] Unit test for the registration plugin hook itself\r\n- [x] Use them in `check_permission_actions_are_documented` test in `conftest.py`\r\n- [x] Add description field to `Permissions` (and update tests and docs)\r\n- [x] Documentation for `datasette.permissions` dictionary\r\n- [x] If no `default=` provided in call to `permission_allowed()` then use default from `datasette.permissions` list\r\n- [x] Remove `default=` from a bunch of places\r\n- [x] Throw an error if two permissions are registered with the same name or abbreviation (but other attributes differ)\r\n- [x] Update authentication and permissions documentation to explain that permissions are now registered and have a registered default\r\n\r\n<!-- readthedocs-preview datasette start -->\r\n----\r\n:books: Documentation preview :books:: https://datasette--1940.org.readthedocs.build/en/1940/\r\n\r\n<!-- readthedocs-preview datasette end -->", "repo": {"value": 107914493, "label": "datasette"}, "type": "pull", "active_lock_reason": null, "performed_via_github_app": null, "reactions": "{\"url\": \"https://api.github.com/repos/simonw/datasette/issues/1940/reactions\", \"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "draft": 0, "state_reason": null}
{"id": 1473814539, "node_id": "PR_kwDOBm6k_c5EMVug", "number": 1931, "title": "/db/table/-/upsert", "user": {"value": 9599, "label": "simonw"}, "state": "closed", "locked": 0, "assignee": null, "milestone": {"value": 8711695, "label": " Datasette 1.0a2"}, "comments": 8, "created_at": "2022-12-03T07:01:44Z", "updated_at": "2022-12-08T01:12:17Z", "closed_at": "2022-12-08T01:12:16Z", "author_association": "OWNER", "pull_request": "simonw/datasette/pulls/1931", "body": "Refs #1878\r\n\r\nStill todo:\r\n- [x] Support `\"return\": true` properly for upserts (with tests)\r\n- [x] Require both `insert-row` and `update-row` permissions\r\n- [x] Tests are going to need to cover both rowid-only and compound primary key tables, including all of the error states\r\n- [x] Documentation\r\n\r\n<!-- readthedocs-preview datasette start -->\r\n----\r\n:books: Documentation preview :books:: https://datasette--1931.org.readthedocs.build/en/1931/\r\n\r\n<!-- readthedocs-preview datasette end -->", "repo": {"value": 107914493, "label": "datasette"}, "type": "pull", "active_lock_reason": null, "performed_via_github_app": null, "reactions": "{\"url\": \"https://api.github.com/repos/simonw/datasette/issues/1931/reactions\", \"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "draft": 0, "state_reason": null}