github
id | node_id | number | title | user | state | locked | assignee | milestone | comments | created_at | updated_at | closed_at | author_association | pull_request | body | repo | type | active_lock_reason | performed_via_github_app | reactions | draft | state_reason |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
637253789 | MDU6SXNzdWU2MzcyNTM3ODk= | 833 | /-/metadata and so on should respect view-instance permission | 9599 | closed | 0 | 5512395 | 4 | 2020-06-11T19:07:21Z | 2020-06-11T22:15:32Z | 2020-06-11T22:14:59Z | OWNER | The only URLs that should be available without authentication at all times are the `/-/static/` prefix, to allow for HTTP caching. | 107914493 | issue | { "url": "https://api.github.com/repos/simonw/datasette/issues/833/reactions", "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } |
completed | |||||
636722501 | MDU6SXNzdWU2MzY3MjI1MDE= | 832 | Having view-table permission but NOT view-database should still grant access to /db/table | 9599 | closed | 0 | 5533512 | 12 | 2020-06-11T05:12:59Z | 2020-06-30T23:42:11Z | 2020-06-30T23:42:11Z | OWNER | Stumbled into this while working on `datasette-permissions-sql`. I had granted table permissions, but the permission check wasn't even executed because the user failed the previous `view-database` check. | 107914493 | issue | { "url": "https://api.github.com/repos/simonw/datasette/issues/832/reactions", "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } |
completed | |||||
637395097 | MDU6SXNzdWU2MzczOTUwOTc= | 838 | Incorrect URLs when served behind a proxy with base_url set | 79913 | closed | 0 | 6026070 | 14 | 2020-06-11T23:58:55Z | 2021-11-20T19:35:48Z | 2021-11-20T19:35:48Z | NONE | I'm running `datasette serve --config base_url:/foo/ …`, proxying to it with this Apache config: ProxyPass /foo/ http://localhost:8001/ ProxyPassReverse /foo/ http://localhost:8001/ and then accessing it via `https://example.com/foo/`. Although many of the URLs in the pages are correct (presumably because they either use absolute paths which include `base_url` or relative paths), the faceting and pagination links still use fully-qualified URLs pointing at `http://localhost:8001`. I looked into this a little in the source code, and it seems to be an issue anywhere `request.url` or `request.path` is used, as these contain the values for the request between the frontend (Apache) and backend (Datasette) server. Those properties are primarily used via the `path_with_…` family of utility functions and the `Datasette.absolute_url` method. | 107914493 | issue | { "url": "https://api.github.com/repos/simonw/datasette/issues/838/reactions", "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } |
completed | |||||
637363686 | MDU6SXNzdWU2MzczNjM2ODY= | 835 | Mechanism for skipping CSRF checks on API posts | 9599 | closed | 0 | 5533512 | 13 | 2020-06-11T22:41:10Z | 2020-07-01T03:08:07Z | 2020-07-01T03:08:07Z | OWNER | While experimenting with https://github.com/simonw/datasette-auth-tokens I realized it's not currently possible to build API client programs that POST to Datasette because there's no mechanism for them to skip the CSRF checks added in #798. | 107914493 | issue | { "url": "https://api.github.com/repos/simonw/datasette/issues/835/reactions", "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } |
completed | |||||
637370652 | MDU6SXNzdWU2MzczNzA2NTI= | 837 | Plugin $env secrets mechanism doesn't work inside lists | 9599 | closed | 0 | 5512395 | 0 | 2020-06-11T22:59:54Z | 2020-06-12T00:25:20Z | 2020-06-12T00:25:19Z | OWNER | This didn't work: ```json { "plugins": { "datasette-auth-tokens": [ { "token": { "$env": "BOT_TOKEN" }, "actor": { "bot_id": "my-bot" } } ] } } ``` | 107914493 | issue | { "url": "https://api.github.com/repos/simonw/datasette/issues/837/reactions", "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } |
completed | |||||
637365801 | MDU6SXNzdWU2MzczNjU4MDE= | 836 | actor_matches_allow fails to consider all keys | 9599 | closed | 0 | 5512395 | 0 | 2020-06-11T22:46:34Z | 2020-06-11T22:47:25Z | 2020-06-11T22:47:25Z | OWNER | actor: `{"id": "root"}` allow block: `{"bot_id": "my-bot", "id": ["root"]}` This should pass, because the `id` matches - but it fails. | 107914493 | issue | { "url": "https://api.github.com/repos/simonw/datasette/issues/836/reactions", "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } |
completed | |||||
637342551 | MDU6SXNzdWU2MzczNDI1NTE= | 834 | startup() plugin hook | 9599 | closed | 0 | 5533512 | 6 | 2020-06-11T21:48:14Z | 2020-06-28T19:38:50Z | 2020-06-13T17:56:12Z | OWNER | It might be useful to have a `startup` hook which gets passed the `datasette` object as soon as Datasette has finished initializing. My initial use-case for this is configuration verification - checking that the `"plugins"` configuration block for this plugin contains valid details. I imagine there are plenty of other potential uses for this as well. | 107914493 | issue | { "url": "https://api.github.com/repos/simonw/datasette/issues/834/reactions", "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } |
completed |