912 rows where state = "closed" sorted by updated_at descending

View and edit SQL

Suggested facets: milestone, comments, author_association, created_at (date), updated_at (date), closed_at (date)



  • closed · 912
id node_id number title user state locked assignee milestone comments created_at updated_at ▲ closed_at author_association pull_request body repo type active_lock_reason
654405302 MDU6SXNzdWU2NTQ0MDUzMDI= 42 Option for importing just specific repos simonw 9599 closed 0     0 2020-07-09T23:20:15Z 2020-07-09T23:25:35Z 2020-07-09T23:25:35Z MEMBER  

For if you know which specific repos you care about, as opposed to loading everything owned by the authenticated user.

github-to-sqlite repos specific.db -r simonw/datasette -r simonw/github-contents
github-to-sqlite 207052882 issue  
651844316 MDExOlB1bGxSZXF1ZXN0NDQ1MDIzMzI2 118 Add insert --truncate option tsibley 79913 closed 0     9 2020-07-06T21:58:40Z 2020-07-08T17:26:21Z 2020-07-08T17:26:21Z CONTRIBUTOR simonw/sqlite-utils/pulls/118

Deletes all rows in the table (if it exists) before inserting new rows.
SQLite doesn't implement a TRUNCATE TABLE statement but does optimize an
unqualified DELETE FROM.

This can be handy if you want to refresh the entire contents of a table
but a) don't have a PK (so can't use --replace), b) don't want the table
to disappear (even briefly) for other connections, and c) have to handle
records that used to exist being deleted.

Ideally the replacement of rows would appear instantaneous to other
connections by putting the DELETE + INSERT in a transaction, but this is
very difficult without breaking other code as the current transaction
handling is inconsistent and non-systematic. There exists the
possibility for the DELETE to succeed but the INSERT to fail, leaving an
empty table. This is not much worse, however, than the current
possibility of one chunked INSERT succeeding and being committed while
the next chunked INSERT fails, leaving a partially complete operation.

sqlite-utils 140912432 pull  
652816158 MDExOlB1bGxSZXF1ZXN0NDQ1ODMzOTA4 120 Fix query command's support for DML tsibley 79913 closed 0     1 2020-07-08T01:36:34Z 2020-07-08T05:14:04Z 2020-07-08T05:14:04Z CONTRIBUTOR simonw/sqlite-utils/pulls/120

See commit messages for details. I ran into this while investigating another feature/issue.

sqlite-utils 140912432 pull  
628003707 MDU6SXNzdWU2MjgwMDM3MDc= 784 Ability to sign in to Datasette as a root account simonw 9599 closed 0   Datasette 0.44 5512395 5 2020-05-31T17:10:15Z 2020-07-06T19:31:53Z 2020-06-01T01:18:20Z OWNER  

I'm going to draw the line here: default Datasette supports authentication but only for a single user account ("admin"). Plugins can then add support for multiple user accounts, social auth, SSO etc.

Originally posted by @simonw in

datasette 107914493 issue  
651159727 MDU6SXNzdWU2NTExNTk3Mjc= 41 Demo is failing to deploy simonw 9599 closed 0     7 2020-07-05T22:40:33Z 2020-07-06T01:07:03Z 2020-07-06T01:07:02Z MEMBER

Creating Revision.........................................................................................................................................failed
Deployment failed
ERROR: ( Cloud Run error: Container failed to start. Failed to start and then listen on the port defined by the PORT environment variable. Logs for this revision might contain more information.
Traceback (most recent call last):
  File "/opt/hostedtoolcache/Python/3.8.3/x64/bin/datasette", line 8, in <module>
  File "/opt/hostedtoolcache/Python/3.8.3/x64/lib/python3.8/site-packages/click/", line 829, in __call__
    return self.main(*args, **kwargs)
  File "/opt/hostedtoolcache/Python/3.8.3/x64/lib/python3.8/site-packages/click/", line 782, in main
    rv = self.invoke(ctx)
  File "/opt/hostedtoolcache/Python/3.8.3/x64/lib/python3.8/site-packages/click/", line 1259, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/opt/hostedtoolcache/Python/3.8.3/x64/lib/python3.8/site-packages/click/", line 1259, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/opt/hostedtoolcache/Python/3.8.3/x64/lib/python3.8/site-packages/click/", line 1066, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/opt/hostedtoolcache/Python/3.8.3/x64/lib/python3.8/site-packages/click/", line 610, in invoke
    return callback(*args, **kwargs)
  File "/opt/hostedtoolcache/Python/3.8.3/x64/lib/python3.8/site-packages/datasette/publish/", line 138, in cloudrun
  File "/opt/hostedtoolcache/Python/3.8.3/x64/lib/python3.8/", line 364, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command 'gcloud run deploy --allow-unauthenticated --platform=managed --image github-to-sqlite' returned non-zero exit status 1.
##[error]Process completed with exit code 1.
github-to-sqlite 207052882 issue  
650305298 MDExOlB1bGxSZXF1ZXN0NDQzODIzMDQw 890 Load only python files from plugins-dir. amjith 49260 closed 0     2 2020-07-03T02:47:32Z 2020-07-03T03:08:33Z 2020-07-03T03:08:33Z CONTRIBUTOR simonw/datasette/pulls/890

The current behavior for --plugins-dir is to load every file in that folder as a python module. This can result in errors if there are non-python files in the plugins dir (such as .mypy_cache).

This PR restricts the module loading to only python files.

datasette 107914493 pull  
638270441 MDExOlB1bGxSZXF1ZXN0NDM0MDg1MjM1 848 Reload support for config_dir mode. amjith 49260 closed 0     1 2020-06-14T02:34:46Z 2020-07-03T02:44:54Z 2020-07-03T02:44:53Z CONTRIBUTOR simonw/datasette/pulls/848

A reference implementation for adding support to reload when datasette is in the config_dir mode.

This implementation is flawed since it is watching the entire directory and any changes to the database will reload the server and adding unrelated files to the directory will also reload the server.

datasette 107914493 pull  
649437530 MDU6SXNzdWU2NDk0Mzc1MzA= 887 Canned query page should show the name of the canned query simonw 9599 closed 0   Datasette 0.46 5607421 3 2020-07-02T00:10:39Z 2020-07-02T00:31:33Z 2020-07-02T00:23:45Z OWNER  

This page here - the URL is but "all_tables" is not shown in the UI:

datasette 107914493 issue  
276718605 MDU6SXNzdWUyNzY3MTg2MDU= 151 Set up a pattern portfolio simonw 9599 closed 0     2 2017-11-25T02:09:49Z 2020-07-02T00:13:24Z 2020-05-03T03:13:16Z OWNER

This will be a single page that demonstrates all of the different CSS styles and classes available to Datasette.

datasette 107914493 issue  
647103735 MDU6SXNzdWU2NDcxMDM3MzU= 875 "Logged in as: XXX - logout" navigation item simonw 9599 closed 0   Datasette 0.45 5533512 3 2020-06-29T04:31:14Z 2020-07-02T00:13:24Z 2020-06-29T18:43:50Z OWNER  

Originally posted by @simonw in

datasette 107914493 issue  
646992096 MDU6SXNzdWU2NDY5OTIwOTY= 872 Release non-alpha plugins when 0.45 is out simonw 9599 closed 0   Datasette 0.45 5533512 0 2020-06-28T19:42:01Z 2020-07-01T23:48:51Z 2020-07-01T23:48:51Z OWNER  

I have several plugins currently marked as alphas because they depend on 0.45a3. When 0.45 is released I can ship new versions of these plugins that are full releases, not alphas - and switch them to depending on 0.45 (as opposed to the alpha):

datasette 107914493 issue  
649373451 MDU6SXNzdWU2NDkzNzM0NTE= 885 Blog entry about the release simonw 9599 closed 0   Datasette 0.45 5533512 1 2020-07-01T22:44:37Z 2020-07-01T22:44:48Z 2020-07-01T22:44:47Z OWNER   datasette 107914493 issue  
648673556 MDU6SXNzdWU2NDg2NzM1NTY= 882 Release notes for 0.45 simonw 9599 closed 0   Datasette 0.45 5533512 2 2020-07-01T05:00:17Z 2020-07-01T21:48:08Z 2020-07-01T21:48:08Z OWNER  

These are mostly done thanks to the alphas, but I went to have more paragraphs of prose and less bullet points.

datasette 107914493 issue  
649329013 MDU6SXNzdWU2NDkzMjkwMTM= 884 Only show "log out" button if user is authenticated using a ds_actor cookie simonw 9599 closed 0   Datasette 0.45 5533512 0 2020-07-01T21:21:28Z 2020-07-01T21:26:07Z 2020-07-01T21:26:06Z OWNER  

Right now the "Log out" button in the navigation will show up even if the user was authenticated by a plugin using a mechanism other than the ds_actor cookie. It should only show if the logged-in user has that cookie.

datasette 107914493 issue  
634112607 MDU6SXNzdWU2MzQxMTI2MDc= 812 Ability to customize what happens when a view permission fails simonw 9599 closed 0   Datasette 0.45 5533512 3 2020-06-08T04:26:14Z 2020-07-01T04:17:46Z 2020-07-01T04:17:45Z OWNER  

Currently view permission failures raise a Forbidden error which is transformed into a 403.

It would be good if this page could offer a way forward - maybe just by linking to (or redirecting to) a login screen. This behaviour will vary based on authentication plugins, so a new plugin hook is probably the best way to do this.

datasette 107914493 issue  
637363686 MDU6SXNzdWU2MzczNjM2ODY= 835 Mechanism for skipping CSRF checks on API posts simonw 9599 closed 0   Datasette 0.45 5533512 13 2020-06-11T22:41:10Z 2020-07-01T03:08:07Z 2020-07-01T03:08:07Z OWNER  

While experimenting with I realized it's not currently possible to build API client programs that POST to Datasette because there's no mechanism for them to skip the CSRF checks added in #798.

datasette 107914493 issue  
647879783 MDU6SXNzdWU2NDc4Nzk3ODM= 876 Add log out link to the pattern portfolio simonw 9599 closed 0   Datasette 0.45 5533512 1 2020-06-30T05:42:15Z 2020-06-30T23:50:04Z 2020-06-30T23:47:31Z OWNER  

Follows #875

datasette 107914493 issue  
648569227 MDU6SXNzdWU2NDg1NjkyMjc= 879 Database page documentation still talks about hashes in URLs simonw 9599 closed 0   Datasette 0.45 5533512 1 2020-06-30T23:43:17Z 2020-06-30T23:48:06Z 2020-06-30T23:45:42Z OWNER

Note that these URLs end in a 7 character hash. This hash is derived from the contents of the database, and ensures that each URL is immutable: the data returned from a URL containing the hash will always be the same, since if the contents of the database file changes by even a single byte a new hash will be generated.

This isn't accurate any more - that's not default behaviour, and it may be removed entirely in #647.

datasette 107914493 issue  
636722501 MDU6SXNzdWU2MzY3MjI1MDE= 832 Having view-table permission but NOT view-database should still grant access to /db/table simonw 9599 closed 0   Datasette 0.45 5533512 12 2020-06-11T05:12:59Z 2020-06-30T23:42:11Z 2020-06-30T23:42:11Z OWNER  

Stumbled into this while working on datasette-permissions-sql. I had granted table permissions, but the permission check wasn't even executed because the user failed the previous view-database check.

datasette 107914493 issue  
637966833 MDU6SXNzdWU2Mzc5NjY4MzM= 840 Log out mechanism for clearing ds_actor cookie simonw 9599 closed 0   Datasette 0.45 5533512 4 2020-06-12T19:41:51Z 2020-06-29T04:31:43Z 2020-06-29T04:31:43Z OWNER  

Need a cookie clearing mechanism and a way to show that you are logged in.

datasette-auth-github had a solution for this that can be pulled into core.

datasette 107914493 issue  
647095808 MDU6SXNzdWU2NDcwOTU4MDg= 874 /favicon.ico 500 error simonw 9599 closed 0   Datasette 0.45 5533512 0 2020-06-29T04:04:22Z 2020-06-29T04:27:18Z 2020-06-29T04:27:18Z OWNER  
Traceback (most recent call last):
  File "...datasette/datasette/", line 969, in route_path
    response = await view(request, send)
TypeError: favicon() missing 1 required positional argument: 'send'
datasette 107914493 issue  
644309017 MDU6SXNzdWU2NDQzMDkwMTc= 864 datasette.add_message() doesn't work inside plugins simonw 9599 closed 0   Datasette 0.45 5533512 6 2020-06-24T04:30:06Z 2020-06-29T00:51:01Z 2020-06-29T00:51:01Z OWNER  

Similar problem to #863 - calling datasette.add_message() in a view registered using the register_routes() plugin hook doesn't work, because the code that writes accumulated messages to the ds_messages signed cookie lives in the BaseView class here:

datasette 107914493 issue  
638259643 MDU6SXNzdWU2MzgyNTk2NDM= 847 Take advantage of .coverage being a SQLite database simonw 9599 closed 0     4 2020-06-14T00:41:25Z 2020-06-28T20:50:21Z 2020-06-28T20:50:21Z OWNER  

The .coverage file generated by running pytest-cov is now a SQLite database!

I could do something interesting with this. Maybe after each test run for a new commit I could store that database file somewhere?

Lots of interesting challenges here.

I got a change into coveragepy last year which helps make the custom SQL functions available for doing fun things in Datasette:

Bigger challenge: if I have a DB file for every commit, that's hundreds (potentially thousands) of DB files. Datasette isn't designed to handle thousands of files like that.

So, do I figure out how to have Datasette open a file on-command for just a single request? Or, an easier option, do I copy data from those files into a single database with a modified schema to include the commit hash in each table row?

(Following on from #841 and #844)

datasette 107914493 issue  
646840273 MDU6SXNzdWU2NDY4NDAyNzM= 871 Rename the _timestamp magic parameters to _now simonw 9599 closed 0   Datasette 0.45 5533512 1 2020-06-28T04:49:08Z 2020-06-28T19:49:49Z 2020-06-28T19:49:49Z OWNER  

I like the shorter name better. Follows on from #842.

datasette 107914493 issue  
637342551 MDU6SXNzdWU2MzczNDI1NTE= 834 startup() plugin hook simonw 9599 closed 0   Datasette 0.45 5533512 6 2020-06-11T21:48:14Z 2020-06-28T19:38:50Z 2020-06-13T17:56:12Z OWNER  

It might be useful to have an startup hook which gets passed the datasette object as soon as Datasette has finished initializing.

My initial use-case for this is configuration verification - checking that the "plugins" configuration block for this plugin contains valid details.

I imagine there are plenty of other potential uses for this as well.

datasette 107914493 issue  
638212085 MDU6SXNzdWU2MzgyMTIwODU= 842 Magic parameters for canned queries simonw 9599 closed 0   Datasette 0.45 5533512 18 2020-06-13T18:50:08Z 2020-06-28T03:30:31Z 2020-06-28T02:58:18Z OWNER  

Now that writable canned queries (#698) have landed, it would be neat if they supported "magic" parameters - parameters that are automatically populated with:

  • the current actor ID / other actor properties
  • the current date and time
  • the user's IP or user-agent

And maybe other things potentially added by plugins.

datasette 107914493 issue  
646734280 MDExOlB1bGxSZXF1ZXN0NDQwOTQ2ODE3 869 Magic parameters for canned queries simonw 9599 closed 0   Datasette 0.45 5533512 1 2020-06-27T18:37:21Z 2020-06-28T02:58:18Z 2020-06-28T02:58:17Z OWNER simonw/datasette/pulls/869

Implementation for #842


  • Add tests for built-in magic parameters
  • Magic parameters should not show up as blank form fields on the query page
  • Update documentation for new _request_X (now called _header_X) implementation where X is a key from the ASGI scope
  • Make sure these only work for canned queries, not for arbitrary SQL queries (security issue)
  • Add test for the register_magic_parameters plugin hook
  • Add documentation for the register_magic_parameters plugin hook
datasette 107914493 pull  
645975649 MDU6SXNzdWU2NDU5NzU2NDk= 867 register_routes() should support non-async view functions too simonw 9599 closed 0   Datasette 0.45 5533512 1 2020-06-26T03:11:25Z 2020-06-27T18:30:41Z 2020-06-27T18:30:40Z OWNER  

I was looking at this:

from datasette import hookimpl
from datasette.utils.asgi import Response

async def robots_txt():
    return Response.text("User-agent: *\nDisallow: /")

def register_routes():
    return [
        (r"^/robots\.txt$", robots_txt),

And I realized that if register_routes() could support non-async view functions it could be reduced to this:

def register_routes():
    return [
        (r"^/robots\.txt$", lambda: Response.text("User-agent: *\nDisallow: /")),
datasette 107914493 issue  
644610729 MDExOlB1bGxSZXF1ZXN0NDM5MjAzODA4 866 Update pytest-asyncio requirement from <0.13,>=0.10 to >=0.10,<0.15 dependabot-preview[bot] 27856297 closed 0     1 2020-06-24T13:21:47Z 2020-06-24T18:50:57Z 2020-06-24T18:50:56Z CONTRIBUTOR simonw/datasette/pulls/866

Updates the requirements on pytest-asyncio to permit the latest version.


  • 53f3da7 Prepare for release

  • e99569d A line is added to the changelog.

  • 4099b63 One import is not needed

  • 68513b3 Clarify names and comments, according to yanlend comments 26 May

  • 907e8f2 FIX new test_cases on python 3.5 & 3.6

  • 51d986c To solve test cases that fail:

  • f97e900 1) Test case (test_async_fixtures_with_finalizer) refactoring to pass on pyth...

  • c1131f8 1) A new test case that fails with 0.12.0, and pass with this commit.

  • 7a255bc 0.13.0 open for business

  • b8e2a45 0.12.0

  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot merge will merge this PR after your CI passes on it
- @dependabot squash and merge will squash and merge this PR after your CI passes on it
- @dependabot cancel merge will cancel a previously requested merge and block automerging
- @dependabot reopen will reopen this PR if it is closed
- @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
- @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
- @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
- @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
- @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:
- Update frequency (including time of day and day of week)
- Pull request limits (per update run and/or open at any time)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)

datasette 107914493 pull  
640943441 MDU6SXNzdWU2NDA5NDM0NDE= 853 Ensure register_routes() works for POST simonw 9599 closed 0   Datasette 0.45 5533512 1 2020-06-18T06:24:55Z 2020-06-24T04:30:30Z 2020-06-18T16:22:02Z OWNER

datasette 107914493 issue  
644283211 MDU6SXNzdWU2NDQyODMyMTE= 863 {{ csrftoken() }} doesn't work with datasette.render_template() simonw 9599 closed 0   Datasette 0.45 5533512 0 2020-06-24T03:11:49Z 2020-06-24T04:30:30Z 2020-06-24T03:24:01Z OWNER  

The documentation here suggests that it will work:

But right now the csrftoken variable is set in BaseView.render, which means it's not visible to plugins that try to render templates using datasette.render_template:

datasette 107914493 issue  
644122661 MDU6SXNzdWU2NDQxMjI2NjE= 116 Documentation for table.pks introspection property simonw 9599 closed 0     2 2020-06-23T20:27:24Z 2020-06-23T21:21:33Z 2020-06-23T21:03:14Z OWNER

sqlite-utils 140912432 issue  
576582604 MDU6SXNzdWU1NzY1ODI2MDQ= 694 datasette publish cloudrun --memory option simonw 9599 closed 0     8 2020-03-05T22:59:57Z 2020-06-23T17:10:51Z 2020-03-05T23:49:41Z OWNER  

Got this error deploying large (603MB) database with Cloud Run

X Deploying... Cloud Run error: Container failed to start. Failed to start and then listen on the port defined by the PORT environment variable. Logs for this revi
sion might contain more information.                                                                                                                               
  X Creating Revision... Cloud Run error: Container failed to start. Failed to start and then listen on the port defined by the PORT environment variable. Logs for
   this revision might contain more information.                                                                                                                   
  . Routing traffic...                                                                                                                                             
  ✓ Setting IAM Policy...                                                                                                                                          
Deployment failed                                                                                                                                                  
ERROR: ( Cloud Run error: Container failed to start. Failed to start and then listen on the port defined by the PORT environment variable. Logs for this revision might contain more information.
datasette 107914493 issue  
642652808 MDU6SXNzdWU2NDI2NTI4MDg= 861 Script to generate larger SQLite test files simonw 9599 closed 0     3 2020-06-21T22:30:58Z 2020-06-23T03:44:18Z 2020-06-23T03:44:18Z OWNER  

I'll write a little script which generates a 300MB SQLite file with a bunch of tables with lots of randomly generated rows in to help test this.

Having a tool like that which can generate larger databases with different gnarly performance characteristics will be useful for other performance work too.
Originally posted by @simonw in

datasette 107914493 issue  
572896293 MDU6SXNzdWU1NzI4OTYyOTM= 687 Expand plugins documentation to multiple pages simonw 9599 closed 0   Datasette 0.45 5533512 11 2020-02-28T17:26:21Z 2020-06-22T03:55:20Z 2020-06-22T03:53:54Z OWNER  

I think the plugins docs need to extend beyond a single page now. I want to add a whole section on writing tests for plugins, showing how httpx can be used as seen in and suchlike.

datasette 107914493 issue  
642127307 MDU6SXNzdWU2NDIxMjczMDc= 855 Add instructions for using cookiecutter plugin template to plugin docs simonw 9599 closed 0   Datasette 0.45 5533512 2 2020-06-19T17:33:25Z 2020-06-22T02:51:38Z 2020-06-22T02:51:38Z OWNER  

Once I ship the datasette-plugin template:

datasette 107914493 issue  
529429214 MDU6SXNzdWU1Mjk0MjkyMTQ= 642 Provide a cookiecutter template for creating new plugins simonw 9599 closed 0   Datasette 1.0 3268330 6 2019-11-27T15:46:36Z 2020-06-20T03:20:33Z 2020-06-20T03:20:25Z OWNER  

See this conversation:

datasette 107914493 issue  
640917326 MDU6SXNzdWU2NDA5MTczMjY= 852 canned_queries() plugin hook simonw 9599 closed 0   Datasette 0.45 5533512 9 2020-06-18T05:24:35Z 2020-06-20T03:08:40Z 2020-06-20T03:08:40Z OWNER  

Canned queries are currently baked into metadata.json which is read once on startup.

Allowing users to interactively create new canned queries - even if just through a plugin - would make a lot of sense.

Is this a new plugin hook or some other mechanism? Lots to think about here.

datasette 107914493 issue  
632843030 MDU6SXNzdWU2MzI4NDMwMzA= 807 Ability to ship alpha and beta releases simonw 9599 closed 0   Datasette 0.45 5533512 18 2020-06-07T00:12:55Z 2020-06-18T21:41:16Z 2020-06-18T21:41:16Z OWNER  

I'd like to be able to ship alphas and betas to PyPI so in-development plugins can depend on them and help test unreleased plugin hooks.

datasette 107914493 issue  
641460179 MDU6SXNzdWU2NDE0NjAxNzk= 854 Respect default scope["actor"] if one exists simonw 9599 closed 0   Datasette 0.45 5533512 0 2020-06-18T18:25:08Z 2020-06-18T18:39:22Z 2020-06-18T18:39:22Z OWNER  

ASGI wrapper plugins that themselves set the actor scope variable should be respected (though actor_from_request plugins should still execute and get the chance to replace that initial actor value).

Relevant code:

datasette 107914493 issue  
635049296 MDU6SXNzdWU2MzUwNDkyOTY= 820 Idea: Plugin hook for registering canned queries simonw 9599 closed 0     2 2020-06-09T01:58:21Z 2020-06-18T17:58:02Z 2020-06-18T17:58:02Z OWNER  

Thought of this while thinking about possible permissions plugins (#818).

Imagine an API key plugin which allows access for API keys. It could let users register new API keys by providing a writable canned query for writing to the api_keys table.

To do this the plugin needs to register the query. At the moment queries have to be registered in metadata.json - a plugin hook for registering additional queries could help solve this.

One challenge: how does the plugin know which named database the query should be registered for?

It could default to the first attached database and allow users to optionally tell the plugin "actually use this named database instead" in plugin configuration.

datasette 107914493 issue  
640330278 MDU6SXNzdWU2NDAzMzAyNzg= 851 Having trouble getting writable canned queries to work abdusco 3243482 closed 0     1 2020-06-17T10:30:28Z 2020-06-17T10:33:25Z 2020-06-17T10:32:33Z CONTRIBUTOR  


I'm trying to get canned inserts to work. I have an DB with following metadata:

sqlite> .mode line

sqlite> select name, sql from sqlite_master where name like '%search%';
 name = search
# ...
        sql: insert into search(name, url) VALUES (:name, :url),
        write: true

which renders a form as expected, but when I submit the form I get incomplete input error.

but when submit post the form

I've attached a debugger to see where the error comes from, because incomplete input string doesn't appear in datasette codebase.

Inside datasette.database.Database.execute_write_fn

result = await reply_queue.async_q.get()

this line raises an exception.

That led me to believe I had something wrong with my SQL. But running the command in sqlite3 inserts the record just fine.

sqlite> insert into search (name, url) values ('my name', 'my url');
sqlite> SELECT last_insert_rowid();
last_insert_rowid() = 3

So I'm a bit lost here.

  • datasette, version 0.44
  • Python 3.8.1
datasette 107914493 issue  
638241779 MDU6SXNzdWU2MzgyNDE3Nzk= 846 "Too many open files" error running tests simonw 9599 closed 0     6 2020-06-13T22:11:40Z 2020-06-14T00:26:31Z 2020-06-14T00:26:31Z OWNER  

I got this on my laptop:

/Users/simon/.local/share/virtualenvs/datasette-AWNrQs95/lib/python3.7/site-packages/jinja2/ in get_source
    f = open_if_exists(filename)
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

filename = '/Users/simon/Dropbox/Development/datasette/datasette/templates/400.html', mode = 'rb'

    def open_if_exists(filename, mode='rb'):
        """Returns a file descriptor for the filename if that file exists,
        otherwise `None`.
>           return open(filename, mode)
E           OSError: [Errno 24] Too many open files: '/Users/simon/Dropbox/Development/datasette/datasette/templates/400.html'

/Users/simon/.local/share/virtualenvs/datasette-AWNrQs95/lib/python3.7/site-packages/jinja2/ OSError

Based on the conversation in I'm worried that my tests are opening too many files without closing them.

In particular... I call sqlite3.connect(filepath) a LOT - and I don't ever call conn.close() on those opened connections:

Could this be resulting in my tests eventually opening too many unclosed file handles? How could I confirm this?

datasette 107914493 issue  
638104520 MDU6SXNzdWU2MzgxMDQ1MjA= 841 Research feasibility of 100% test coverage simonw 9599 closed 0     9 2020-06-13T06:07:01Z 2020-06-13T21:38:46Z 2020-06-13T21:38:46Z OWNER  

Inspired by

Almost every library I’ve written in the last 2 years has had 100% coverage and that’s probably not going to change in the future. It’s not that hard to start at 100% and hold onto it and the workflow it enables is so much nicer.

datasette 107914493 issue  
638229448 MDU6SXNzdWU2MzgyMjk0NDg= 843 Configure simonw 9599 closed 0     2 2020-06-13T20:45:00Z 2020-06-13T21:36:52Z 2020-06-13T21:36:52Z OWNER  

Originally posted by @simonw in

datasette 107914493 issue  
638230433 MDExOlB1bGxSZXF1ZXN0NDM0MDU1NzUy 844 Action to run tests and upload coverage report simonw 9599 closed 0     1 2020-06-13T20:52:47Z 2020-06-13T21:36:52Z 2020-06-13T21:36:50Z OWNER simonw/datasette/pulls/844

Refs #843

datasette 107914493 pull  
637899539 MDU6SXNzdWU2Mzc4OTk1Mzk= 40 Demo deploy is broken simonw 9599 closed 0     2 2020-06-12T17:20:17Z 2020-06-12T18:06:48Z 2020-06-12T18:06:48Z MEMBER

The following NEW packages will be installed:
0 upgraded, 1 newly installed, 0 to remove and 11 not upgraded.
Need to get 752 kB of archives.
After this operation, 2482 kB of additional disk space will be used.
Ign:1 bionic-updates/main amd64 sqlite3 amd64 3.22.0-1ubuntu0.3
Err:1 bionic-updates/main amd64 sqlite3 amd64 3.22.0-1ubuntu0.3
  404  Not Found [IP: 80]
E: Failed to fetch  404  Not Found [IP: 80]
E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?
##[error]Process completed with exit code 100.
github-to-sqlite 207052882 issue  
637889964 MDU6SXNzdWU2Mzc4ODk5NjQ= 115 Ability to execute insert/update statements with the CLI simonw 9599 closed 0     1 2020-06-12T17:01:17Z 2020-06-12T17:51:11Z 2020-06-12T17:41:10Z OWNER  
$ sqlite-utils github.db "update stars set starred_at = ''"
Traceback (most recent call last):
  File "/Users/simon/.local/bin/sqlite-utils", line 8, in <module>
  File "/Users/simon/.local/pipx/venvs/sqlite-utils/lib/python3.8/site-packages/click/", line 829, in __call__
    return self.main(*args, **kwargs)
  File "/Users/simon/.local/pipx/venvs/sqlite-utils/lib/python3.8/site-packages/click/", line 782, in main
    rv = self.invoke(ctx)
  File "/Users/simon/.local/pipx/venvs/sqlite-utils/lib/python3.8/site-packages/click/", line 1259, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/Users/simon/.local/pipx/venvs/sqlite-utils/lib/python3.8/site-packages/click/", line 1066, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/Users/simon/.local/pipx/venvs/sqlite-utils/lib/python3.8/site-packages/click/", line 610, in invoke
    return callback(*args, **kwargs)
  File "/Users/simon/.local/pipx/venvs/sqlite-utils/lib/python3.8/site-packages/sqlite_utils/", line 673, in query
    headers = [c[0] for c in cursor.description]
TypeError: 'NoneType' object is not iterable
sqlite-utils 140912432 issue  
632753851 MDU6SXNzdWU2MzI3NTM4NTE= 806 Release Datasette 0.44 simonw 9599 closed 0   Datasette 0.44 5512395 10 2020-06-06T21:49:52Z 2020-06-12T01:20:03Z 2020-06-12T01:20:03Z OWNER  

See also milestone. This is a pretty big release: flash messaging, writable canned queries, authentication and permissions!

I'll want to ship some plugin releases in conjunction with this - datasette-auth-github for example.

datasette 107914493 issue  
637409144 MDU6SXNzdWU2Mzc0MDkxNDQ= 839 {"$file": ...} mechanism is broken simonw 9599 closed 0   Datasette 0.44 5512395 0 2020-06-12T00:46:24Z 2020-06-12T00:48:26Z 2020-06-12T00:48:26Z OWNER

    def test_plugin_config_file(app_client):
        open(TEMP_PLUGIN_SECRET_FILE, "w").write("FROM_FILE")
>       assert {"foo": "FROM_FILE"} == app_client.ds.plugin_config("file-plugin")
E       AssertionError: assert {'foo': 'FROM_FILE'} == {'foo': {'$fi...ugin-secret'}}
E         Differing items:
E         {'foo': 'FROM_FILE'} != {'foo': {'$file': '/tmp/plugin-secret'}}
E         Use -v to get the full diff

Broken in as part of #837

datasette 107914493 issue  
637370652 MDU6SXNzdWU2MzczNzA2NTI= 837 Plugin $env secrets mechanism doesn't work inside lists simonw 9599 closed 0   Datasette 0.44 5512395 0 2020-06-11T22:59:54Z 2020-06-12T00:25:20Z 2020-06-12T00:25:19Z OWNER  

This didn't work:

    "plugins": {
        "datasette-auth-tokens": [
                "token": {
                    "$env": "BOT_TOKEN"
                "actor": {
                    "bot_id": "my-bot"
datasette 107914493 issue  
635108074 MDU6SXNzdWU2MzUxMDgwNzQ= 824 Example authentication plugin simonw 9599 closed 0   Datasette 0.44 5512395 4 2020-06-09T04:49:53Z 2020-06-12T00:11:51Z 2020-06-12T00:11:50Z OWNER will work for this.

datasette 107914493 issue  
637365801 MDU6SXNzdWU2MzczNjU4MDE= 836 actor_matches_allow fails to consider all keys simonw 9599 closed 0   Datasette 0.44 5512395 0 2020-06-11T22:46:34Z 2020-06-11T22:47:25Z 2020-06-11T22:47:25Z OWNER  

actor: {"id": "root"}

allow block: {"bot_id": "my-bot", "id": ["root"]}

This should pass, because the id matches - but it fails.

datasette 107914493 issue  
637253789 MDU6SXNzdWU2MzcyNTM3ODk= 833 /-/metadata and so on should respect view-instance permission simonw 9599 closed 0   Datasette 0.44 5512395 4 2020-06-11T19:07:21Z 2020-06-11T22:15:32Z 2020-06-11T22:14:59Z OWNER  

The only URLs that should be available without authentication at all times are the /-/static/ prefix, to allow for HTTP caching.

datasette 107914493 issue  
314847571 MDU6SXNzdWUzMTQ4NDc1NzE= 220 Investigate syntactic sugar for plugins simonw 9599 closed 0     2 2018-04-16T23:01:39Z 2020-06-11T21:50:06Z 2020-06-11T21:49:55Z OWNER  

Suggested by @andrewhayward on Twitter:

Have you considered a basic abstraction on top of that, for standard hook features?

    return random.randint(a,b)

    return str.upper()

Maybe from datasette.plugins import template_filter?

Would have to work out how to get this to play well with pluggy

datasette 107914493 issue  
631932926 MDU6SXNzdWU2MzE5MzI5MjY= 801 allow_by_query setting for configuring permissions with a SQL statement simonw 9599 closed 0   Datasette 1.0 3268330 6 2020-06-05T20:30:19Z 2020-06-11T18:58:56Z 2020-06-11T18:58:49Z OWNER  

Idea: an "allow_sql" key with a SQL query that gets passed the actor JSON as :actor and can extract the relevant keys from it and return 1 or 0.

Originally posted by @simonw in

See also #800

datasette 107914493 issue  
614806683 MDExOlB1bGxSZXF1ZXN0NDE1Mjg2MTA1 763 Documentation + improvements for db.execute() and Results class simonw 9599 closed 0     0 2020-05-08T15:16:02Z 2020-06-11T16:05:48Z 2020-05-08T16:05:46Z OWNER simonw/datasette/pulls/763

Refs #685

Still TODO:

  • Implement results.first()
  • Implement results.single_value()
  • Unit tests for the above
datasette 107914493 pull  
632919570 MDExOlB1bGxSZXF1ZXN0NDI5NjEzODkz 809 Publish secrets simonw 9599 closed 0   Datasette 0.44 5512395 4 2020-06-07T02:00:31Z 2020-06-11T16:02:13Z 2020-06-11T16:02:03Z OWNER simonw/datasette/pulls/809

Refs #787. Will need quite a bit of manual testing since this involves code which runs against Heroku and Cloud Run.

datasette 107914493 pull  
628089318 MDU6SXNzdWU2MjgwODkzMTg= 787 "datasette publish" should bake in a random --secret simonw 9599 closed 0   Datasette 0.44 5512395 1 2020-06-01T01:15:26Z 2020-06-11T16:02:05Z 2020-06-11T16:02:05Z OWNER  

To allow signed cookies etc to work reliably (see #785) all of the datasette publish commands should generate a random secret on publish and bake it into the configuration - probably by setting the DATASETTE_SECRET environment variable.

datasette 107914493 issue  
396212021 MDU6SXNzdWUzOTYyMTIwMjE= 394 base_url configuration setting simonw 9599 closed 0   Datasette 0.39 5234079 27 2019-01-05T23:48:48Z 2020-06-11T09:15:20Z 2020-03-25T00:18:45Z OWNER  

I've identified a couple of use-cases for running Datasette in a way that over-rides the default way that internal URLs are generated.

  1. Running behind a reverse proxy. I tried running Datasette behind a proxy and found that some of the generated internal links incorrectly referenced - when they should have been referencing - this is a problem both for links within the HTML interface but also for the toggle_url keys returned in the JSON as part of the facets datastructure.
  2. I would like it to be possible to host a Datasette instance at e.g. - either through careful HTTP proxying or, once Datasette has been ported to ASGI, by mounting a Datasette ASGI instance deep within an existing set of URL routes.

I'm going to add a url_prefix configuration option. This will default to "", which means Datasette will behave as it does at the moment - it will use / for most URL prefixes in the HTML version, and an absolute URL derived from the incoming Host header for URLs that are returned as part of the JSON output.

If url_prefix is set to another value (either a full URL or a path) then this path will be appended to all generated URLs.

datasette 107914493 issue  
634917088 MDU6SXNzdWU2MzQ5MTcwODg= 818 Example permissions plugin simonw 9599 closed 0   Datasette 0.44 5512395 9 2020-06-08T20:35:56Z 2020-06-11T05:40:07Z 2020-06-11T05:40:07Z OWNER  

To show how they work. Also useful to confirm how they interact with the default permissions.

datasette 107914493 issue  
636614868 MDU6SXNzdWU2MzY2MTQ4Njg= 831 It would be more intuitive if "allow": none meant "no-one can do this" simonw 9599 closed 0   Datasette 0.44 5512395 1 2020-06-10T23:43:56Z 2020-06-10T23:57:25Z 2020-06-10T23:50:55Z OWNER  

Now that I'm starting to write alternative plugins to control permissions - see #818 - I think I need an easy way to tell Datasette "no-one has permission to do X unless a plugin says otherwise".

One relatively intuitive way to do that could be like this:

  "databases": {
    "fixtures": {
      "allow": null

Right now I think that opens up permissions to everyone, which isn't as obvious.

datasette 107914493 issue  
636426530 MDU6SXNzdWU2MzY0MjY1MzA= 829 Ability to set ds_actor cookie such that it expires simonw 9599 closed 0   Datasette 0.44 5512395 6 2020-06-10T17:31:40Z 2020-06-10T19:41:35Z 2020-06-10T19:40:05Z OWNER  

I need this for datasette-auth-github:

datasette 107914493 issue  
635914822 MDU6SXNzdWU2MzU5MTQ4MjI= 828 Horizontal scrollbar on changelog page on mobile simonw 9599 closed 0   Datasette 0.44 5512395 3 2020-06-10T04:18:54Z 2020-06-10T04:28:17Z 2020-06-10T04:28:17Z OWNER  

You can scroll sideways on that page and it looks bad:

The cause is these long links:

datasette 107914493 issue  
629541395 MDU6SXNzdWU2Mjk1NDEzOTU= 795 response.set_cookie() method simonw 9599 closed 0   Datasette 0.44 5512395 2 2020-06-02T21:57:05Z 2020-06-09T22:33:33Z 2020-06-09T22:19:48Z OWNER  

Mainly to clean up this code:

datasette 107914493 issue  
635519358 MDU6SXNzdWU2MzU1MTkzNTg= 826 Document the ds_actor signed cookie simonw 9599 closed 0   Datasette 0.44 5512395 3 2020-06-09T15:06:52Z 2020-06-09T22:33:12Z 2020-06-09T22:32:31Z OWNER  

Most authentication plugins ( for example) are likely to work by setting the ds_actor signed cookie, which is already magically decoded and supported by default Datasette here:

I should document this.

datasette 107914493 issue  
632673972 MDU6SXNzdWU2MzI2NzM5NzI= 804 python tests/ command has a bug simonw 9599 closed 0   Datasette 0.44 5512395 6 2020-06-06T19:17:36Z 2020-06-09T20:01:30Z 2020-06-09T19:58:34Z OWNER  

This command is meant to write out fixtures.db, metadata.json and a plugins directory:

$ python tests/ /tmp/fixtures.db /tmp/metadata.json /tmp/plugins/
Test tables written to /tmp/fixtures.db
- metadata written to /tmp/metadata.json
Traceback (most recent call last):
  File "tests/", line 833, in <module>
    ("", PLUGIN1),
NameError: name 'PLUGIN1' is not defined
datasette 107914493 issue  
635696400 MDU6SXNzdWU2MzU2OTY0MDA= 827 Document CSRF protection (for plugins) simonw 9599 closed 0   Datasette 0.44 5512395 1 2020-06-09T19:19:10Z 2020-06-09T19:38:30Z 2020-06-09T19:35:13Z OWNER  

Plugin authors need to know that if they want to POST a form they should include this:

<input type="hidden" name="csrftoken" value="{{ csrftoken() }}">
datasette 107914493 issue  
635147716 MDU6SXNzdWU2MzUxNDc3MTY= 825 Way to enable a default=False permission for anonymous users simonw 9599 closed 0   Datasette 0.44 5512395 6 2020-06-09T06:26:27Z 2020-06-09T17:19:19Z 2020-06-09T17:01:10Z OWNER  

I'd like plugins to be able to ship with a default that says "anonymous users cannot do this", but allow site administrators to over-ride that such that anonymous users can use the feature after all.

This is tricky because right now the anonymous user doesn't have an actor dictionary at all, so there's no key to match to an allow block.

datasette 107914493 issue  
635107393 MDU6SXNzdWU2MzUxMDczOTM= 823 Documentation is inconsistent about "id" as required field on actor simonw 9599 closed 0   Datasette 0.44 5512395 3 2020-06-09T04:47:58Z 2020-06-09T14:58:36Z 2020-06-09T14:58:19Z OWNER  

Docs at say:

The only required field in an actor is "id", which must be a string.

But the example here returns {"token": token}:

def actor_from_request(datasette, request):
    async def inner():
        token = request.args.get("_token")
        if not token:
            return None
        # Look up ?_token=xxx in sessions table
        result = await datasette.get_database().execute(
            "select count(*) from sessions where token = ?", [token]
        if result.first()[0]:
            return {"token": token}
            return None

    return inner
datasette 107914493 issue  
630120235 MDU6SXNzdWU2MzAxMjAyMzU= 797 Documentation for new "params" setting for canned queries simonw 9599 closed 0   Datasette 0.44 5512395 3 2020-06-03T15:55:11Z 2020-06-09T04:00:40Z 2020-06-03T21:04:51Z OWNER  

Added here:

datasette 107914493 issue  
635077656 MDU6SXNzdWU2MzUwNzc2NTY= 822 request.url_vars helper property simonw 9599 closed 0   Datasette 0.44 5512395 2 2020-06-09T03:15:53Z 2020-06-09T03:40:07Z 2020-06-09T03:40:06Z OWNER  

This example:

from datasette.utils.asgi import Response
import html

async def hello_from(scope):
    name = scope["url_route"]["kwargs"]["name"]
    return Response.html("Hello from {}".format(

def register_routes():
    return [
        (r"^/hello-from/(?P<name>.*)$"), hello_from)

Would be nicer if you could easily get scope["url_route"]["kwargs"]["name"] directly from the request object, without looking at the scope.

datasette 107914493 issue  
635076066 MDU6SXNzdWU2MzUwNzYwNjY= 821 Add Response class to internals documentation simonw 9599 closed 0   Datasette 0.44 5512395 0 2020-06-09T03:11:06Z 2020-06-09T03:32:16Z 2020-06-09T03:32:16Z OWNER  

I'll need to add documentation of the Response object (and Response.html() and Response.text() class methods - I should add Response.json() too) to the internals page

Originally posted by @simonw in

datasette 107914493 issue  
314506669 MDU6SXNzdWUzMTQ1MDY2Njk= 215 Allow plugins to define additional URL routes and views simonw 9599 closed 0   Datasette 0.44 5512395 14 2018-04-16T05:31:09Z 2020-06-09T03:14:32Z 2020-06-09T03:12:08Z OWNER  

Might be as simple as having plugins get passed the app after the other routes have been defined:

Refs #14

datasette 107914493 issue  
635037204 MDExOlB1bGxSZXF1ZXN0NDMxNDc4NzI0 819 register_routes() plugin hook simonw 9599 closed 0   Datasette 0.44 5512395 0 2020-06-09T01:20:44Z 2020-06-09T03:12:08Z 2020-06-09T03:12:07Z OWNER simonw/datasette/pulls/819

Refs #215

datasette 107914493 pull  
626171242 MDU6SXNzdWU2MjYxNzEyNDI= 777 Error pages not correctly loading CSS simonw 9599 closed 0   Datasette 0.44 5512395 4 2020-05-28T02:47:52Z 2020-06-09T00:35:29Z 2020-06-09T00:35:29Z OWNER  


The HTML starts like this:

<!DOCTYPE html>
    <title>Error 404</title>
    <link rel="stylesheet" href="-/static/app.css?">
datasette 107914493 issue  
634139848 MDU6SXNzdWU2MzQxMzk4NDg= 813 Mechanism for specifying allow_sql permission in metadata.json simonw 9599 closed 0   Datasette 0.44 5512395 6 2020-06-08T04:57:19Z 2020-06-09T00:09:57Z 2020-06-09T00:07:19Z OWNER  

Split from #811. It would be useful if finely-grained permissions configured in metadata.json could be used to specify if a user is allowed to execute arbitrary SQL queries.

We have a permission check call for this already:

But there's currently no way to implement this check without writing a plugin.

I think a "allow_sql": {...} block at the database level in metadata.json (sibling to the current "allow" block for that database implemented in #811) would be a good option for this.

datasette 107914493 issue  
633578769 MDU6SXNzdWU2MzM1Nzg3Njk= 811 Support "allow" block on root, databases and tables, not just queries simonw 9599 closed 0   Datasette 0.44 5512395 16 2020-06-07T17:01:09Z 2020-06-08T19:34:00Z 2020-06-08T19:32:36Z OWNER  

No reason not to expand the "allow" mechanism described here to the root of metadata.json plus to databases and tables.

Refs #810 and #800.

    "databases": {
        "mydatabase": {
            "allow": {
                "id": ["root"]


  • Instance level
  • Database level
  • Table level
  • Query level
  • Affects list of queries
  • Affects list of tables on database page
  • Affects truncated list of tables on index page
  • Affects list of SQL views on database page
  • Affects list of databases on index page
  • Show 🔒 in header on index page for private instances
  • Show 🔒 in header on private database page
  • Show 🔒 in header on private table page
  • Show 🔒 in header on private query page
  • Move assert_permissions_checked() calls from to
  • Update documentation
datasette 107914493 issue  
628499086 MDU6SXNzdWU2Mjg0OTkwODY= 790 "flash messages" mechanism simonw 9599 closed 0   Datasette 0.44 5512395 20 2020-06-01T14:55:44Z 2020-06-08T19:33:59Z 2020-06-02T21:14:03Z OWNER  

Passing ?_success like this isn't necessarily the best approach. Potential improvements include:

  • Signing this message so it can't be tampered with (I could generate a signing secret on startup)
  • Using a cookie with a temporary flash message in it instead
  • Using HTML5 history API to remove the ?_success= from the URL bar when the user lands on the page

If I add an option to redirect the user to another page after success I may need a mechanism to show a flash message on that page as well, in which case I'll need a general flash message solution that works for any page.

Originally posted by @simonw in

datasette 107914493 issue  
634783573 MDU6SXNzdWU2MzQ3ODM1NzM= 816 Come up with a new example for extra_template_vars plugin simonw 9599 closed 0   Datasette 0.44 5512395 2 2020-06-08T16:57:59Z 2020-06-08T19:06:44Z 2020-06-08T19:06:11Z OWNER  

This example is obsolete, it's from a time before and authentication as a built-in concept (#699):

datasette 107914493 issue  
634844634 MDU6SXNzdWU2MzQ4NDQ2MzQ= 817 Drop resource_type from permission_allowed system simonw 9599 closed 0     1 2020-06-08T18:41:37Z 2020-06-08T19:00:12Z 2020-06-08T19:00:12Z OWNER  

Current signature:

permission_allowed(datasette, actor, action, resource_type, resource_identifier)

It turns out the resource_type is always the same thing for any given action, so it's not actually useful. I'm going to drop it.

New signature will be:

permission_allowed(datasette, actor, action, resource)

Refs #811.

datasette 107914493 issue  
396215043 MDU6SXNzdWUzOTYyMTUwNDM= 395 Find a cleaner pattern for fixtures with arguments simonw 9599 closed 0     1 2019-01-06T00:31:22Z 2020-06-07T21:23:22Z 2020-06-07T21:23:22Z OWNER  

A lot of Datasette tests look like this:

The loop here isn't actually expected to loop - it's there because the make_app_client function yields a value and then cleans it up afterwards.

This pattern works, but it is a little confusing. It would be nice to replace it with something less strange looking.

The answer may be to switch to the "factories as fixtures" pattern described here:

In particular some variant of this example:

def make_customer_record():

    created_records = []

    def _make_customer_record(name):
        record = models.Customer(name=name, orders=[])
        return record

    yield _make_customer_record

    for record in created_records:

def test_customer_records(make_customer_record):
    customer_1 = make_customer_record("Lisa")
    customer_2 = make_customer_record("Mike")
    customer_3 = make_customer_record("Meredith")
datasette 107914493 issue  
633066114 MDU6SXNzdWU2MzMwNjYxMTQ= 810 Refactor permission check for canned query simonw 9599 closed 0   Datasette 0.44 5512395 1 2020-06-07T05:33:05Z 2020-06-07T17:03:15Z 2020-06-07T17:03:15Z OWNER  

This code here (TODO is follow-on from #808).

I can improve this with extra code in

datasette 107914493 issue  
631931408 MDU6SXNzdWU2MzE5MzE0MDg= 800 Canned query permissions mechanism simonw 9599 closed 0   Datasette 0.44 5512395 14 2020-06-05T20:28:21Z 2020-06-07T16:22:53Z 2020-06-07T16:22:53Z OWNER  

Idea: default is anyone can execute a query.

Or you can specify the following:


"databases": {
"my-database": {
"queries": {
"add_twitter_handle": {
"sql": "insert into twitter_handles (username) values (:username)",
"write": true,
"allow": {
"id": ["simon"],
"role": ["staff"]
`` These get matched against the actor JSON. If any of the fields in any of the keys of"allow"` match a key on the actor, the query is allowed.

"id": "*" matches any actor with an id key.

Originally posted by @simonw in

datasette 107914493 issue  
632918799 MDU6SXNzdWU2MzI5MTg3OTk= 808 Permission check for every view in Datasette (plus docs) simonw 9599 closed 0   Datasette 0.44 5512395 2 2020-06-07T01:59:23Z 2020-06-07T05:30:49Z 2020-06-07T05:30:49Z OWNER  

Every view in Datasette should perform a permission check to see if the current user/actor is allowed to view that page.

This permission check will default to allowed, but having this check will allow plugins to lock down access selectively or even to everything in a Datasette instance.

datasette 107914493 issue  
582517965 MDU6SXNzdWU1ODI1MTc5NjU= 698 Ability for a canned query to write to the database simonw 9599 closed 0   Datasette 0.44 5512395 26 2020-03-16T18:31:59Z 2020-06-06T19:43:49Z 2020-06-06T19:43:48Z OWNER  

Canned queries are currently read-only:

Add a "write": true option to their definition in metadata.json which turns them into queries that are submitted via POST and send their queries to the write queue.

Then they can be used as a really quick way to define a writable interface and JSON API!

datasette 107914493 issue  
582526961 MDU6SXNzdWU1ODI1MjY5NjE= 699 Authentication (and permissions) as a core concept simonw 9599 closed 0   Datasette 0.44 5512395 40 2020-03-16T18:48:00Z 2020-06-06T19:42:11Z 2020-06-06T19:42:11Z OWNER  

Right now Datasette authentication is provided exclusively by plugins:

This is an all-or-nothing approach: either your Datasette instance requires authentication at the top level or it does not.

But... as I build new plugins like and I increasingly have individual features which should be reserved for logged-in users while still wanting other parts of Datasette to be open to all.

This is too much for plugins to own independently of Datasette core. Datasette needs to ship a single "user is authenticated" concept (independent of how users actually sign in) so that different plugins can integrate with it.

datasette 107914493 issue  
632645865 MDExOlB1bGxSZXF1ZXN0NDI5MzY2NjQx 803 Canned query permissions simonw 9599 closed 0     0 2020-06-06T18:20:00Z 2020-06-06T19:40:21Z 2020-06-06T19:40:20Z OWNER simonw/datasette/pulls/803

Refs #800. Closes #786

datasette 107914493 pull  
628087971 MDU6SXNzdWU2MjgwODc5NzE= 786 Documentation page describing Datasette's authentication system simonw 9599 closed 0   Datasette 0.44 5512395 2 2020-06-01T01:10:06Z 2020-06-06T19:40:20Z 2020-06-06T19:40:20Z OWNER  

Originally posted by @simonw in

datasette 107914493 issue  
629524205 MDU6SXNzdWU2Mjk1MjQyMDU= 793 CSRF protection for /-/messages tool and writable canned queries simonw 9599 closed 0   Datasette 0.44 5512395 3 2020-06-02T21:22:21Z 2020-06-06T00:43:41Z 2020-06-05T19:05:59Z OWNER  

The /-/messages debug tool will need CSRF protection or people will be able to add messages using a hidden form on another website.
Originally posted by @simonw in

datasette 107914493 issue  
631300342 MDExOlB1bGxSZXF1ZXN0NDI4MjEyNDIx 798 CSRF protection simonw 9599 closed 0   Datasette 0.44 5512395 5 2020-06-05T04:22:35Z 2020-06-06T00:43:41Z 2020-06-05T19:05:58Z OWNER simonw/datasette/pulls/798

Refs #793

datasette 107914493 pull  
628025100 MDU6SXNzdWU2MjgwMjUxMDA= 785 Datasette secret mechanism - initially for signed cookies simonw 9599 closed 0   Datasette 0.44 5512395 11 2020-05-31T19:14:52Z 2020-06-06T00:43:40Z 2020-06-01T00:18:40Z OWNER  

See comment in

Datasette needs to be able to set signed cookies - which means it needs a mechanism for safely handling a signing secret.

Since Datasette is a long-running process the default behaviour here can be to create a random secret on startup. This means that if the server restarts any signed cookies will be invalidated.

If the user wants a persistent secret they'll have to generate it themselves - maybe by setting an environment variable?

datasette 107914493 issue  
628121234 MDU6SXNzdWU2MjgxMjEyMzQ= 788 /-/permissions debugging tool simonw 9599 closed 0   Datasette 0.44 5512395 2 2020-06-01T03:13:47Z 2020-06-06T00:43:40Z 2020-06-01T05:01:01Z OWNER  

Debugging tool idea: /-/permissions page which shows you the actor and lets you type in the strings for action, resource_type and resource_identifier - then shows you EVERY plugin hook that would have executed and what it would have said, plus when the chain would have terminated.

Bonus: if you're logged in as the root user (or a user that matches some kind of permission check, maybe a check for permissions_debug) you get to see a rolling log of the last 30 permission checks and what the results were across the whole of Datasette. This should make figuring out permissions policies a whole lot easier.

Originally posted by @simonw in

datasette 107914493 issue  
632056825 MDU6SXNzdWU2MzIwNTY4MjU= 802 "datasette plugins" command is broken simonw 9599 closed 0     1 2020-06-05T23:33:01Z 2020-06-05T23:46:43Z 2020-06-05T23:46:43Z OWNER  

I broke it in - and it turns out there was no test coverage so I didn't realize it was broken.

datasette 107914493 issue  
631789422 MDU6SXNzdWU2MzE3ODk0MjI= 799 TestResponse needs to handle multiple set-cookie headers simonw 9599 closed 0     2 2020-06-05T17:39:52Z 2020-06-05T18:34:10Z 2020-06-05T18:34:10Z OWNER  

Seeing this test failure on #798:

_______________________ test_auth_token _______________________
app_client = <tests.fixtures.TestClient object at 0x11285c910>
    def test_auth_token(app_client):
        "The /-/auth-token endpoint sets the correct cookie"
        assert app_client.ds._root_token is not None
        path = "/-/auth-token?token={}".format(app_client.ds._root_token)
        response = app_client.get(path, allow_redirects=False,)
        assert 302 == response.status
        assert "/" == response.headers["Location"]
>       assert {"id": "root"} == app_client.ds.unsign(response.cookies["ds_actor"], "actor")
E       KeyError: 'ds_actor'
datasette/tests/ KeyError

It looks like that's happening because the ASGI middleware is adding another set-cookie header - but those two set-cookie headers are combined into one when the TestResponse is constructed:

datasette 107914493 issue  
570301333 MDU6SXNzdWU1NzAzMDEzMzM= 684 Add documentation on Database introspection methods to internals.rst simonw 9599 closed 0   Datasette 1.0 3268330 4 2020-02-25T04:20:24Z 2020-06-04T18:56:15Z 2020-05-30T18:40:39Z OWNER  

internals.rst will be landing as part of #683

datasette 107914493 issue  
275082158 MDU6SXNzdWUyNzUwODIxNTg= 119 Build an "export this data to google sheets" plugin simonw 9599 closed 0     1 2017-11-18T14:14:51Z 2020-06-04T18:46:40Z 2020-06-04T18:46:39Z OWNER  

Inspired by

It should be a plug-in because I'd like to keep all interactions with proprietary / non-open-source software encapsulated in plugins rather than shipped as part of core.

datasette 107914493 issue  
629595228 MDExOlB1bGxSZXF1ZXN0NDI2ODkxNDcx 796 New WIP writable canned queries simonw 9599 closed 0   Datasette 1.0 3268330 9 2020-06-03T00:08:00Z 2020-06-03T15:16:52Z 2020-06-03T15:16:50Z OWNER simonw/datasette/pulls/796

Refs #698. Replaces #703

Still todo:

  • Unit tests
  • <del>Figure out .json mode</del>
  • Flash message solution
  • <del>CSRF protection</del>
  • Better error message display on errors
  • Documentation
  • <del>Maybe widgets?</del> I'll do these later
datasette 107914493 pull  
585597133 MDExOlB1bGxSZXF1ZXN0MzkxOTI0NTA5 703 WIP implementation of writable canned queries simonw 9599 closed 0     3 2020-03-21T22:23:51Z 2020-06-03T00:08:14Z 2020-06-02T23:57:35Z OWNER simonw/datasette/pulls/703

Refs #698.

datasette 107914493 pull  
629535669 MDU6SXNzdWU2Mjk1MzU2Njk= 794 Show hooks implemented by each plugin on /-/plugins simonw 9599 closed 0   Datasette 1.0 3268330 2 2020-06-02T21:44:38Z 2020-06-02T22:30:17Z 2020-06-02T21:50:10Z OWNER  


        "name": "",
        "static": false,
        "templates": false,
        "version": null,
        "hooks": [
datasette 107914493 issue  

Next page

Advanced export

JSON shape: default, array, newline-delimited, object

CSV options:

CREATE TABLE [issues] (
   [node_id] TEXT,
   [number] INTEGER,
   [title] TEXT,
   [user] INTEGER REFERENCES [users]([id]),
   [state] TEXT,
   [locked] INTEGER,
   [assignee] INTEGER REFERENCES [users]([id]),
   [milestone] INTEGER REFERENCES [milestones]([id]),
   [comments] INTEGER,
   [created_at] TEXT,
   [updated_at] TEXT,
   [closed_at] TEXT,
   [author_association] TEXT,
   [pull_request] TEXT,
   [body] TEXT,
   [repo] INTEGER REFERENCES [repos]([id]),
   [type] TEXT
, [active_lock_reason] TEXT);
CREATE INDEX [idx_issues_repo]
                ON [issues] ([repo]);
CREATE INDEX [idx_issues_milestone]
                ON [issues] ([milestone]);
CREATE INDEX [idx_issues_assignee]
                ON [issues] ([assignee]);
CREATE INDEX [idx_issues_user]
                ON [issues] ([user]);
Powered by Datasette · Query took 223.803ms · About: github-to-sqlite