github
html_url | issue_url | id | node_id | user | created_at | updated_at | author_association | body | reactions | issue | performed_via_github_app |
---|---|---|---|---|---|---|---|---|---|---|---|
https://github.com/simonw/datasette/issues/215#issuecomment-640121917 | https://api.github.com/repos/simonw/datasette/issues/215 | 640121917 | MDEyOklzc3VlQ29tbWVudDY0MDEyMTkxNw== | 9599 | 2020-06-06T21:42:58Z | 2020-06-07T05:58:36Z | OWNER | I might use some dependency injection here, with `call_with_supported_arguments()` from https://github.com/simonw/datasette/commit/41a0cd7b6afe0397efbbf27ad822679fc574811a#diff-942305c83055fdc0ff5f4e7d6ab06b29 Maybe a view function can take `request` and optionally also take `datasette`? Or `scope` or `receive` or `send`. | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | 314506669 | |
https://github.com/simonw/datasette/issues/807#issuecomment-640135332 | https://api.github.com/repos/simonw/datasette/issues/807 | 640135332 | MDEyOklzc3VlQ29tbWVudDY0MDEzNTMzMg== | 9599 | 2020-06-07T00:13:51Z | 2020-06-07T00:13:51Z | OWNER | These should not be shipped as the latest version on Docker Hub. They also should not become the "stable" release on ReadTheDocs. | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | 632843030 | |
https://github.com/simonw/datasette/issues/808#issuecomment-640152036 | https://api.github.com/repos/simonw/datasette/issues/808 | 640152036 | MDEyOklzc3VlQ29tbWVudDY0MDE1MjAzNg== | 9599 | 2020-06-07T03:38:07Z | 2020-06-07T03:38:07Z | OWNER | I'm going to need to add permissions documentation for this. | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | 632918799 | |
https://github.com/simonw/datasette/issues/808#issuecomment-640157216 | https://api.github.com/repos/simonw/datasette/issues/808 | 640157216 | MDEyOklzc3VlQ29tbWVudDY0MDE1NzIxNg== | 9599 | 2020-06-07T04:58:40Z | 2020-06-07T04:58:40Z | OWNER | ... and I want a unit test which confirms that all permissions are documented. | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | 632918799 | |
https://github.com/simonw/datasette/issues/800#issuecomment-640160487 | https://api.github.com/repos/simonw/datasette/issues/800 | 640160487 | MDEyOklzc3VlQ29tbWVudDY0MDE2MDQ4Nw== | 9599 | 2020-06-07T05:34:07Z | 2020-06-07T05:34:07Z | OWNER | See #810 for work to finish this. | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | 631931408 | |
https://github.com/simonw/datasette/issues/811#issuecomment-640248669 | https://api.github.com/repos/simonw/datasette/issues/811 | 640248669 | MDEyOklzc3VlQ29tbWVudDY0MDI0ODY2OQ== | 9599 | 2020-06-07T17:01:44Z | 2020-06-07T17:01:44Z | OWNER | If the allow block at the database level forbids access this needs to cascade down to the table, query and row levels as well. | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | 633578769 | |
https://github.com/simonw/datasette/issues/810#issuecomment-640248864 | https://api.github.com/repos/simonw/datasette/issues/810 | 640248864 | MDEyOklzc3VlQ29tbWVudDY0MDI0ODg2NA== | 9599 | 2020-06-07T17:03:15Z | 2020-06-07T17:03:15Z | OWNER | This is obsoleted by #811. | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | 633066114 | |
https://github.com/simonw/datasette/issues/811#issuecomment-640248972 | https://api.github.com/repos/simonw/datasette/issues/811 | 640248972 | MDEyOklzc3VlQ29tbWVudDY0MDI0ODk3Mg== | 9599 | 2020-06-07T17:04:22Z | 2020-06-07T17:04:22Z | OWNER | I'll need a neat testing pattern for this. | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | 633578769 | |
https://github.com/simonw/datasette/issues/811#issuecomment-640270178 | https://api.github.com/repos/simonw/datasette/issues/811 | 640270178 | MDEyOklzc3VlQ29tbWVudDY0MDI3MDE3OA== | 9599 | 2020-06-07T19:48:39Z | 2020-06-07T19:48:39Z | OWNER | Testing pattern: ```python def test_canned_query_with_custom_metadata(app_client): response = app_client.get("/fixtures/neighborhood_search?text=town") assert_permissions_checked( app_client.ds, [ "view-instance", ("view-database", "database", "fixtures"), ("view-query", "query", ("fixtures", "neighborhood_search")), ], ) ``` | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | 633578769 | |
https://github.com/simonw/datasette/issues/811#issuecomment-640273945 | https://api.github.com/repos/simonw/datasette/issues/811 | 640273945 | MDEyOklzc3VlQ29tbWVudDY0MDI3Mzk0NQ== | 9599 | 2020-06-07T20:19:15Z | 2020-06-07T20:19:15Z | OWNER | I'm going to add a `test_permissions.py` module that checks for 403 errors against different patterns of the `actors` block at different levels in `metadata.json`. | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | 633578769 | |
https://github.com/simonw/datasette/issues/811#issuecomment-640274171 | https://api.github.com/repos/simonw/datasette/issues/811 | 640274171 | MDEyOklzc3VlQ29tbWVudDY0MDI3NDE3MQ== | 9599 | 2020-06-07T20:21:14Z | 2020-06-07T20:21:14Z | OWNER | Next step: fix this ``` - # TODO: fix this to use that permission check - if not actor_matches_allow( - request.scope.get("actor", None), metadata.get("allow") - ): - return Response("Permission denied", status=403) ``` | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | 633578769 | |
https://github.com/simonw/datasette/issues/801#issuecomment-640277557 | https://api.github.com/repos/simonw/datasette/issues/801 | 640277557 | MDEyOklzc3VlQ29tbWVudDY0MDI3NzU1Nw== | 9599 | 2020-06-07T20:48:00Z | 2020-06-07T20:48:00Z | OWNER | Now that I'm expanding permission checks to everything else too (#811), not just canned queries, I think it makes sense to re-prioritize this. | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | 631932926 | |
https://github.com/simonw/datasette/issues/801#issuecomment-640277775 | https://api.github.com/repos/simonw/datasette/issues/801 | 640277775 | MDEyOklzc3VlQ29tbWVudDY0MDI3Nzc3NQ== | 9599 | 2020-06-07T20:49:40Z | 2020-06-07T20:49:40Z | OWNER | I'm going to pass the entire actor object as a dictionary of available named query parameters. So if the actor looks like this: ```json { "id": "simonw", "roles": ["staff", "developer"] } ``` Then the SQL query will be called like this: ```python conn.execute(sql, { "id": "simonw", "roles": '["staff", "developer"]', }) ``` | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | 631932926 | |
https://github.com/simonw/datasette/issues/395#issuecomment-640280741 | https://api.github.com/repos/simonw/datasette/issues/395 | 640280741 | MDEyOklzc3VlQ29tbWVudDY0MDI4MDc0MQ== | 9599 | 2020-06-07T21:12:57Z | 2020-06-07T21:12:57Z | OWNER | This is a pattern I like: ```python with make_app_client( template_dir=str(pathlib.Path(__file__).parent / "test_templates") ) as client: response = client.get("/-/metadata") assert response.status == 200 ``` | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | 396215043 | |
https://github.com/simonw/datasette/issues/811#issuecomment-640287967 | https://api.github.com/repos/simonw/datasette/issues/811 | 640287967 | MDEyOklzc3VlQ29tbWVudDY0MDI4Nzk2Nw== | 9599 | 2020-06-07T22:16:10Z | 2020-06-07T22:16:10Z | OWNER | The tests in test_permissions.py could check the .json variants and assert that permission checks were carried out too. | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | 633578769 | |