From 092874202c8748d6e0d4800eaf707c0145d95ffe Mon Sep 17 00:00:00 2001 From: Simon Willison Date: Fri, 24 Jul 2020 17:04:06 -0700 Subject: [PATCH] Improvements to allow block logic and debug tool true and false allow block values are now supported, closes #906 Added a bunch of demo links to the documentation, refs #908 --- datasette/templates/allow_debug.html | 8 +++--- datasette/utils/__init__.py | 4 +++ docs/authentication.rst | 41 +++++++++++++++++++++++----- tests/test_utils.py | 6 ++++ 4 files changed, 48 insertions(+), 11 deletions(-) diff --git a/datasette/templates/allow_debug.html b/datasette/templates/allow_debug.html index 6f2a8122..2f8e9873 100644 --- a/datasette/templates/allow_debug.html +++ b/datasette/templates/allow_debug.html @@ -36,14 +36,14 @@ p.message-warning {

Use this tool to try out different actor and allow combinations. See Defining permissions with "allow" blocks for documentation.

-
-

- -

+
+

+ +
diff --git a/datasette/utils/__init__.py b/datasette/utils/__init__.py index 6e3fd0db..a006f71f 100644 --- a/datasette/utils/__init__.py +++ b/datasette/utils/__init__.py @@ -874,6 +874,10 @@ async def async_call_with_supported_arguments(fn, **kwargs): def actor_matches_allow(actor, allow): + if allow is True: + return True + if allow is False: + return False if actor is None and allow and allow.get("unauthenticated") is True: return True if allow is None: diff --git a/docs/authentication.rst b/docs/authentication.rst index 648d40f8..e9611ed5 100644 --- a/docs/authentication.rst +++ b/docs/authentication.rst @@ -75,7 +75,7 @@ Defining permissions with "allow" blocks The standard way to define permissions in Datasette is to use an ``"allow"`` block. This is a JSON document describing which actors are allowed to perfom a permission. -The most basic form of allow block is this: +The most basic form of allow block is this (`allow demo `__, `deny demo `__): .. code-block:: json @@ -94,7 +94,7 @@ This will match any actors with an ``"id"`` property of ``"root"`` - for example "name": "Root User" } -An allow block can specify "no-one is allowed to do this" using an empty ``{}``: +An allow block can specify "deny all" using an empty ``{}`` (`demo `__): .. code-block:: json @@ -102,7 +102,23 @@ An allow block can specify "no-one is allowed to do this" using an empty ``{}``: "allow": {} } -Allow keys can provide a list of values. These will match any actor that has any of those values. +You can also use ``false`` to deny all (`demo `__): + +.. code-block:: json + + { + "allow": false + } + +An ``"allow"`` of ``true`` allows all access (`demo `__): + +.. code-block:: json + + { + "allow": true + } + +Allow keys can provide a list of values. These will match any actor that has any of those values (`allow demo `__, `deny demo `__): .. code-block:: json @@ -123,7 +139,7 @@ Actors can have properties that feature a list of values. These will be matched "roles": ["staff", "developer"] } -This allow block will provide access to any actor that has ``"developer"`` as one of their roles: +This allow block will provide access to any actor that has ``"developer"`` as one of their roles (`allow demo `__, `deny demo `__): .. code-block:: json @@ -135,7 +151,7 @@ This allow block will provide access to any actor that has ``"developer"`` as on Note that "roles" is not a concept that is baked into Datasette - it's a convention that plugins can choose to implement and act on. -If you want to provide access to any actor with a value for a specific key, use ``"*"``. For example, to match any logged-in user specify the following: +If you want to provide access to any actor with a value for a specific key, use ``"*"``. For example, to match any logged-in user specify the following (`allow demo `__, `deny demo `__): .. code-block:: json @@ -145,7 +161,7 @@ If you want to provide access to any actor with a value for a specific key, use } } -You can specify that unauthenticated actors (from anynomous HTTP requests) should be allowed access using the special ``"unauthenticated": true`` key in an allow block: +You can specify that only unauthenticated actors (from anynomous HTTP requests) should be allowed access using the special ``"unauthenticated": true`` key in an allow block (`allow demo `__, `deny demo `__): .. code-block:: json @@ -155,7 +171,18 @@ You can specify that unauthenticated actors (from anynomous HTTP requests) shoul } } -Allow keys act as an "or" mechanism. An actor will be able to execute the query if any of their JSON properties match any of the values in the corresponding lists in the ``allow`` block. +Allow keys act as an "or" mechanism. An actor will be able to execute the query if any of their JSON properties match any of the values in the corresponding lists in the ``allow`` block. The following block will allow users with either a ``role`` of ``"ops"`` OR users who have an ``id`` of ``"simon"`` or ``"cleopaws"``: + +.. code-block:: json + + { + "allow": { + "id": ["simon", "cleopaws"], + "role": "ops" + } + } + +`Demo for cleopaws `__, `demo for ops role `__, `demo for an actor matching neither rule `__. .. _AllowDebugView: diff --git a/tests/test_utils.py b/tests/test_utils.py index fb2d71f9..73001f0d 100644 --- a/tests/test_utils.py +++ b/tests/test_utils.py @@ -473,6 +473,12 @@ def test_multi_params(data, should_raise): # {} means deny-all: (None, {}, False), ({"id": "root"}, {}, False), + # true means allow-all + ({"id": "root"}, True, True), + (None, True, True), + # false means deny-all + ({"id": "root"}, False, False), + (None, False, False), # Special case for "unauthenticated": true (None, {"unauthenticated": True}, True), (None, {"unauthenticated": False}, False),