New request.actor property, refs #811

datasette/app.py

@@ -667,7 +667,7 @@ class Datasette:
         return d
 
     def _actor(self, request):
-        return {"actor": request.scope.get("actor", None)}
+        return {"actor": request.actor}
 
     def table_metadata(self, database, table):
         "Fetch table-specific metadata."

datasette/utils/asgi.py

@@ -74,6 +74,10 @@ class Request:
     def args(self):
         return MultiParams(parse_qs(qs=self.query_string))
 
+    @property
+    def actor(self):
+        return self.scope.get("actor", None)
+
     async def post_vars(self):
         body = []
         body = b""

datasette/views/base.py

@@ -68,7 +68,7 @@ class BaseView(AsgiView):
         self, request, action, resource_type=None, resource_identifier=None
     ):
         ok = await self.ds.permission_allowed(
-            request.scope.get("actor"),
+            request.actor,
             action,
             resource_type=resource_type,
             resource_identifier=resource_identifier,

datasette/views/database.py

@@ -45,7 +45,7 @@ class DatabaseView(DataView):
         for table in table_counts:
             visible, private = await check_visibility(
                 self.ds,
-                request.scope.get("actor"),
+                request.actor,
                 "view-table",
                 "table",
                 (database, table),
@@ -71,7 +71,7 @@ class DatabaseView(DataView):
         for query in self.ds.get_canned_queries(database):
             visible, private = await check_visibility(
                 self.ds,
-                request.scope.get("actor"),
+                request.actor,
                 "view-query",
                 "query",
                 (database, query["name"]),

datasette/views/index.py

@@ -26,7 +26,7 @@ class IndexView(BaseView):
         databases = []
         for name, db in self.ds.databases.items():
             visible, private = await check_visibility(
-                self.ds, request.scope.get("actor"), "view-database", "database", name,
+                self.ds, request.actor, "view-database", "database", name,
             )
             if not visible:
                 continue

datasette/views/special.py

@@ -86,7 +86,7 @@ class PermissionsDebugView(BaseView):
 
     async def get(self, request):
         if not await self.ds.permission_allowed(
-            request.scope.get("actor"), "permissions-debug"
+            request.actor, "permissions-debug"
         ):
             return Response("Permission denied", status=403)
         return await self.render(

docs/authentication.rst

@@ -140,6 +140,8 @@ Plugins that wish to implement the same permissions scheme as canned queries can
     actor_matches_allow({"id": "root"}, {"id": "*"})
     # returns True
 
+The currently authenticated actor is made available to plugins as ``request.actor``.
+
 .. _PermissionsDebugView:
 
 Permissions Debug

docs/internals.rst

@@ -42,6 +42,9 @@ The request object is passed to various plugin hooks. It represents an incoming
 ``.args`` - MultiParams
     An object representing the parsed querystring parameters, see below.
 
+``.actor`` - dictionary (str -> Any) or None
+    The currently authenticated actor (see :ref:`actors <authentication_actor>`), or ``None`` if the request is unauthenticated.
+
 The object also has one awaitable method:
 
 ``await request.post_vars()`` - dictionary
@@ -122,7 +125,7 @@ await .permission_allowed(actor, action, resource_type=None, resource_identifier
 -----------------------------------------------------------------------------------------------------
 
 ``actor`` - dictionary
-    The authenticated actor. This is usually ``request.scope.get("actor")``.
+    The authenticated actor. This is usually ``request.actor``.
 
 ``action`` - string
     The name of the action that is being permission checked.