github
id | node_id | number | title | user | state | locked | assignee | milestone | comments | created_at | updated_at | closed_at | author_association | pull_request | body | repo | type | active_lock_reason | performed_via_github_app | reactions | draft | state_reason |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1423336089 | I_kwDOBm6k_c5U1mKZ | 1855 | `datasette create-token` ability to create tokens with a reduced set of permissions | 9599 | closed | 0 | 8711695 | 19 | 2022-10-26T02:20:52Z | 2022-12-14T01:24:49Z | 2022-12-13T05:20:24Z | OWNER | Initial design ideas: https://github.com/simonw/datasette/issues/1852#issuecomment-1289733483 > Token design concept: > > ```json > { > "t": { > "a": ["ir", "ur", "dr"], > "d": { > "fixtures": ["ir", "ur", "dr"] > }, > "t": { > "fixtures": { > "searchable": ["ir"] > } > } > } > } > ``` > > That JSON would be minified and signed. > > Minified version of the above looks like this (101 characters): > > `{"t":{"a":["ir","ur","dr"],"d":{"fixtures":["ir","ur","dr"]},"t":{"fixtures":{"searchable":["ir"]}}}}` > > The `"t"` key shows this is a token that as a default API key. > > `"a"` means "all" - these are permissions that have been granted on all tables and databases. > > `"d"` means "databases" - this is a way to set permissions for all tables in a specific database. > > `"t"` means "tables" - this lets you set permissions at a finely grained table level. > > Then the permissions themselves are two character codes which are shortened versions - so: > > * `ir` = `insert-row` > * `ur` = `update-row` > * `dr` = `delete-row` ## Remaining tasks - [x] Add these options to the `datasette create-token` command - [x] Tests for `datasette create-token` options - [x] Documentation for those options at https://docs.datasette.io/en/latest/authentication.html#datasette-create-token - [x] A way to handle permissions that don't have known abbreviations (permissions added by plugins). Probably need to solve the plugin permission registration problem as part of that - [x] Stop hard-coding names of actions in the `permission_allowed_actor_restrictions` function | 107914493 | issue | { "url": "https://api.github.com/repos/simonw/datasette/issues/1855/reactions", "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } |
completed | |||||
1423369494 | I_kwDOBm6k_c5U1uUW | 1859 | datasette create-token CLI command | 9599 | closed | 0 | 8658075 | 3 | 2022-10-26T03:12:59Z | 2022-11-15T19:59:00Z | 2022-10-26T04:31:39Z | OWNER | The CLI equivalent of the `/-/create-token` page. | 107914493 | issue | { "url": "https://api.github.com/repos/simonw/datasette/issues/1859/reactions", "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } |
completed | |||||
1423364990 | I_kwDOBm6k_c5U1tN- | 1858 | `max_signed_tokens_ttl` setting for a maximum duration on API tokens | 9599 | closed | 0 | 8658075 | 4 | 2022-10-26T03:05:53Z | 2022-11-15T19:58:52Z | 2022-10-27T03:15:05Z | OWNER | It's currently possible to use `/-/create-token` to create a token that lasts forever. Some administrators may wish to have a maximum expiry instead. I should support that with a setting. | 107914493 | issue | { "url": "https://api.github.com/repos/simonw/datasette/issues/1858/reactions", "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } |
completed | |||||
1423347412 | I_kwDOBm6k_c5U1o7U | 1857 | Prevent API tokens from using /-/create-token to create more tokens | 9599 | closed | 0 | 8658075 | 1 | 2022-10-26T02:38:09Z | 2022-11-15T19:57:11Z | 2022-10-26T02:57:26Z | OWNER | > It strikes me that users should NOT be able to use a token to create additional tokens. > > The current design actually does allow that, since the `dstok_` Bearer token can be used to authenticate calls to the `/-/create-token` page. > > So I think I need a mechanism whereby that page can only allow access to users authenticated by cookie. > > Not obvious how to do that though, since Datasette's authentication actor system is designed to abstract that detail away! _Originally posted by @simonw in https://github.com/simonw/datasette/issues/1850#issuecomment-1291417100_ | 107914493 | issue | { "url": "https://api.github.com/repos/simonw/datasette/issues/1857/reactions", "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } |
completed | |||||
1423336122 | I_kwDOBm6k_c5U1mK6 | 1856 | allow_signed_tokens setting for disabling API signed token mechanism | 9599 | closed | 0 | 8658075 | 3 | 2022-10-26T02:20:55Z | 2022-11-15T19:57:05Z | 2022-10-26T02:58:35Z | OWNER | Had some design thoughts here: https://github.com/simonw/datasette/issues/1852#issuecomment-1291272280 I liked this option the most: --setting allow_create_tokens off | 107914493 | issue | { "url": "https://api.github.com/repos/simonw/datasette/issues/1856/reactions", "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } |
completed | |||||
1424378012 | I_kwDOBm6k_c5U5kic | 1860 | SQL query field can't begin by a comment | 562352 | closed | 0 | 12 | 2022-10-26T16:55:31Z | 2022-10-27T18:57:37Z | 2022-10-27T04:21:40Z | NONE | ![image](https://user-images.githubusercontent.com/562352/198085197-f26fcd61-4dac-4ca4-a346-e70f88a30ecc.png) SQL comments are **very** useful to explain the meaning of the query. It's currently impossible to put it at the beginning of the field as seen on the screen capture: it leads to an error: `Statement must be a SELECT`. It would be great to make it possible because: * as the request is the title of the page: * it eases the search with search engines * it eases the search in the browsers' url field * it acts as a kind of title: the global meaning of the query is immediately understandable * some tools, such as Slack, are shortening long URLs and displaying the beginning of the URLs (eg. `https://example.org/products?sql=select+%28length%28data_quality_errors_ta[...]+%21%3D+%22%22+group+by+NB_of_issues+order+by+NB_of_issues+desc+limit+200`) Beginning a query with a comment is possible with SQLite. | 107914493 | issue | { "url": "https://api.github.com/repos/simonw/datasette/issues/1860/reactions", "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } |
completed |