Improvements to allow block logic and debug tool

true and false allow block values are now supported, closes #906 Added a bunch of demo links to the documentation, refs #908
2025-12-10 16:51:24 +01:00 · 2020-07-24 17:04:06 -07:00 · 2020-07-24 17:04:06 -07:00 · 092874202c
commit 092874202c
parent 88065fb74f
4 changed files with 48 additions and 11 deletions
--- a/datasette/templates/allow_debug.html
+++ b/datasette/templates/allow_debug.html
@ -36,14 +36,14 @@ p.message-warning {
 <p>Use this tool to try out different actor and allow combinations. See <a href="https://datasette.readthedocs.io/en/stable/authentication.html#defining-permissions-with-allow-blocks">Defining permissions with "allow" blocks</a> for documentation.</p>

 <form action="/-/allow-debug" method="get">
-    <div class="two-col">
-        <p><label>Actor</label></p>
-        <textarea name="actor">{{ actor_input }}</textarea>
-    </div>
    <div class="two-col">
        <p><label>Allow block</label></p>
        <textarea name="allow">{{ allow_input }}</textarea>
    </div>
+    <div class="two-col">
+        <p><label>Actor</label></p>
+        <textarea name="actor">{{ actor_input }}</textarea>
+    </div>
    <div style="margin-top: 1em;">
        <input type="submit" value="Apply allow block to actor">
    </div>
--- a/datasette/utils/init.py
+++ b/datasette/utils/init.py
@ -874,6 +874,10 @@ async def async_call_with_supported_arguments(fn, **kwargs):


 def actor_matches_allow(actor, allow):
+    if allow is True:
+        return True
+    if allow is False:
+        return False
    if actor is None and allow and allow.get("unauthenticated") is True:
        return True
    if allow is None:
--- a/docs/authentication.rst
+++ b/docs/authentication.rst
@ -75,7 +75,7 @@ Defining permissions with "allow" blocks

 The standard way to define permissions in Datasette is to use an ``"allow"`` block. This is a JSON document describing which actors are allowed to perfom a permission.

-The most basic form of allow block is this:
+The most basic form of allow block is this (`allow demo <https://latest.datasette.io/-/allow-debug?actor=%7B%22id%22%3A+%22root%22%7D&allow=%7B%0D%0A++++++++%22id%22%3A+%22root%22%0D%0A++++%7D>`__, `deny demo <https://latest.datasette.io/-/allow-debug?actor=%7B%22id%22%3A+%22trevor%22%7D&allow=%7B%0D%0A++++++++%22id%22%3A+%22root%22%0D%0A++++%7D>`__):

 .. code-block:: json

@ -94,7 +94,7 @@ This will match any actors with an ``"id"`` property of ``"root"`` - for example
        "name": "Root User"
    }

-An allow block can specify "no-one is allowed to do this" using an empty ``{}``:
+An allow block can specify "deny all" using an empty ``{}`` (`demo <https://latest.datasette.io/-/allow-debug?actor=%7B%0D%0A++++%22id%22%3A+%22root%22%0D%0A%7D&allow=%7B%7D>`__):

 .. code-block:: json

@ -102,7 +102,23 @@ An allow block can specify "no-one is allowed to do this" using an empty ``{}``:
        "allow": {}
    }

-Allow keys can provide a list of values. These will match any actor that has any of those values.
+You can also use ``false`` to deny all (`demo <https://latest.datasette.io/-/allow-debug?actor=%7B%0D%0A++++%22id%22%3A+%22root%22%0D%0A%7D&allow=false>`__):
+
+.. code-block:: json
+
+    {
+        "allow": false
+    }
+
+An ``"allow"`` of ``true`` allows all access (`demo <https://latest.datasette.io/-/allow-debug?actor=%7B%0D%0A++++%22id%22%3A+%22root%22%0D%0A%7D&allow=true>`__):
+
+.. code-block:: json
+
+    {
+        "allow": true
+    }
+
+Allow keys can provide a list of values. These will match any actor that has any of those values (`allow demo <https://latest.datasette.io/-/allow-debug?actor=%7B%0D%0A++++%22id%22%3A+%22cleopaws%22%0D%0A%7D&allow=%7B%0D%0A++++%22id%22%3A+%5B%0D%0A++++++++%22simon%22%2C%0D%0A++++++++%22cleopaws%22%0D%0A++++%5D%0D%0A%7D>`__, `deny demo <https://latest.datasette.io/-/allow-debug?actor=%7B%0D%0A++++%22id%22%3A+%22pancakes%22%0D%0A%7D&allow=%7B%0D%0A++++%22id%22%3A+%5B%0D%0A++++++++%22simon%22%2C%0D%0A++++++++%22cleopaws%22%0D%0A++++%5D%0D%0A%7D>`__):

 .. code-block:: json

@ -123,7 +139,7 @@ Actors can have properties that feature a list of values. These will be matched
        "roles": ["staff", "developer"]
    }

-This allow block will provide access to any actor that has ``"developer"`` as one of their roles:
+This allow block will provide access to any actor that has ``"developer"`` as one of their roles (`allow demo <https://latest.datasette.io/-/allow-debug?actor=%7B%0D%0A++++%22id%22%3A+%22simon%22%2C%0D%0A++++%22roles%22%3A+%5B%0D%0A++++++++%22staff%22%2C%0D%0A++++++++%22developer%22%0D%0A++++%5D%0D%0A%7D&allow=%7B%0D%0A++++%22roles%22%3A+%5B%0D%0A++++++++%22developer%22%0D%0A++++%5D%0D%0A%7D>`__, `deny demo <https://latest.datasette.io/-/allow-debug?actor=%7B%0D%0A++++%22id%22%3A+%22cleopaws%22%2C%0D%0A++++%22roles%22%3A+%5B%22dog%22%5D%0D%0A%7D&allow=%7B%0D%0A++++%22roles%22%3A+%5B%0D%0A++++++++%22developer%22%0D%0A++++%5D%0D%0A%7D>`__):

 .. code-block:: json

@ -135,7 +151,7 @@ This allow block will provide access to any actor that has ``"developer"`` as on

 Note that "roles" is not a concept that is baked into Datasette - it's a convention that plugins can choose to implement and act on.

-If you want to provide access to any actor with a value for a specific key, use ``"*"``. For example, to match any logged-in user specify the following:
+If you want to provide access to any actor with a value for a specific key, use ``"*"``. For example, to match any logged-in user specify the following (`allow demo <https://latest.datasette.io/-/allow-debug?actor=%7B%0D%0A++++%22id%22%3A+%22simon%22%0D%0A%7D&allow=%7B%0D%0A++++%22id%22%3A+%22*%22%0D%0A%7D>`__, `deny demo <https://latest.datasette.io/-/allow-debug?actor=%7B%0D%0A++++%22bot%22%3A+%22readme-bot%22%0D%0A%7D&allow=%7B%0D%0A++++%22id%22%3A+%22*%22%0D%0A%7D>`__):

 .. code-block:: json

@ -145,7 +161,7 @@ If you want to provide access to any actor with a value for a specific key, use
        }
    }

-You can specify that unauthenticated actors (from anynomous HTTP requests) should be allowed access using the special ``"unauthenticated": true`` key in an allow block:
+You can specify that only unauthenticated actors (from anynomous HTTP requests) should be allowed access using the special ``"unauthenticated": true`` key in an allow block (`allow demo <https://latest.datasette.io/-/allow-debug?actor=null&allow=%7B%0D%0A++++%22unauthenticated%22%3A+true%0D%0A%7D>`__, `deny demo <https://latest.datasette.io/-/allow-debug?actor=%7B%0D%0A++++%22id%22%3A+%22hello%22%0D%0A%7D&allow=%7B%0D%0A++++%22unauthenticated%22%3A+true%0D%0A%7D>`__):

 .. code-block:: json

@ -155,7 +171,18 @@ You can specify that unauthenticated actors (from anynomous HTTP requests) shoul
        }
    }

-Allow keys act as an "or" mechanism. An actor will be able to execute the query if any of their JSON properties match any of the values in the corresponding lists in the ``allow`` block.
+Allow keys act as an "or" mechanism. An actor will be able to execute the query if any of their JSON properties match any of the values in the corresponding lists in the ``allow`` block. The following block will allow users with either a ``role`` of ``"ops"`` OR users who have an ``id`` of ``"simon"`` or ``"cleopaws"``:
+
+.. code-block:: json
+
+    {
+        "allow": {
+            "id": ["simon", "cleopaws"],
+            "role": "ops"
+        }
+    }
+
+`Demo for cleopaws <https://latest.datasette.io/-/allow-debug?actor=%7B%0D%0A++++%22id%22%3A+%22cleopaws%22%0D%0A%7D&allow=%7B%0D%0A++++%22id%22%3A+%5B%0D%0A++++++++%22simon%22%2C%0D%0A++++++++%22cleopaws%22%0D%0A++++%5D%2C%0D%0A++++%22role%22%3A+%22ops%22%0D%0A%7D>`__, `demo for ops role <https://latest.datasette.io/-/allow-debug?actor=%7B%0D%0A++++%22id%22%3A+%22trevor%22%2C%0D%0A++++%22role%22%3A+%5B%0D%0A++++++++%22ops%22%2C%0D%0A++++++++%22staff%22%0D%0A++++%5D%0D%0A%7D&allow=%7B%0D%0A++++%22id%22%3A+%5B%0D%0A++++++++%22simon%22%2C%0D%0A++++++++%22cleopaws%22%0D%0A++++%5D%2C%0D%0A++++%22role%22%3A+%22ops%22%0D%0A%7D>`__, `demo for an actor matching neither rule <https://latest.datasette.io/-/allow-debug?actor=%7B%0D%0A++++%22id%22%3A+%22percy%22%2C%0D%0A++++%22role%22%3A+%5B%0D%0A++++++++%22staff%22%0D%0A++++%5D%0D%0A%7D&allow=%7B%0D%0A++++%22id%22%3A+%5B%0D%0A++++++++%22simon%22%2C%0D%0A++++++++%22cleopaws%22%0D%0A++++%5D%2C%0D%0A++++%22role%22%3A+%22ops%22%0D%0A%7D>`__.

 .. _AllowDebugView:

--- a/tests/test_utils.py
+++ b/tests/test_utils.py
@ -473,6 +473,12 @@ def test_multi_params(data, should_raise):
        # {} means deny-all:
        (None, {}, False),
        ({"id": "root"}, {}, False),
+        # true means allow-all
+        ({"id": "root"}, True, True),
+        (None, True, True),
+        # false means deny-all
+        ({"id": "root"}, False, False),
+        (None, False, False),
        # Special case for "unauthenticated": true
        (None, {"unauthenticated": True}, True),
        (None, {"unauthenticated": False}, False),