diff --git a/docs/authentication.rst b/docs/authentication.rst index 9b66132a..0da5a38b 100644 --- a/docs/authentication.rst +++ b/docs/authentication.rst @@ -94,6 +94,14 @@ This will match any actors with an ``"id"`` property of ``"root"`` - for example "name": "Root User" } +An allow block can specify "no-one is allowed to do this" using an empty ``{}``: + +.. code-block:: json + + { + "allow": {} + } + Allow keys can provide a list of values. These will match any actor that has any of those values. .. code-block:: json @@ -181,6 +189,17 @@ Here's how to restrict access to your entire Datasette instance to just the ``"i } } +To deny access to all users, you can use ``"allow": {}``: + +.. code-block:: json + + { + "title": "My entirely inaccessible instance", + "allow": {} + } + +One reason to do this is if you are using a Datasette plugin - such as `datasette-permissions-sql `__ - to control permissions instead. + .. _authentication_permissions_database: Controlling access to specific databases diff --git a/tests/test_utils.py b/tests/test_utils.py index 0ffe8ae6..b490953f 100644 --- a/tests/test_utils.py +++ b/tests/test_utils.py @@ -464,16 +464,19 @@ def test_multi_params(data, should_raise): @pytest.mark.parametrize( "actor,allow,expected", [ + # Default is to allow: (None, None, True), + # {} means deny-all: (None, {}, False), - (None, {"id": "root"}, False), - ({"id": "root"}, None, True), ({"id": "root"}, {}, False), - ({"id": "simon", "staff": True}, {"staff": True}, True), - ({"id": "simon", "staff": False}, {"staff": True}, False), # Special case for "unauthenticated": true (None, {"unauthenticated": True}, True), (None, {"unauthenticated": False}, False), + # Match on just one property: + (None, {"id": "root"}, False), + ({"id": "root"}, None, True), + ({"id": "simon", "staff": True}, {"staff": True}, True), + ({"id": "simon", "staff": False}, {"staff": True}, False), # Special "*" value for any key: ({"id": "root"}, {"id": "*"}, True), ({}, {"id": "*"}, False),