Document that "allow": {} denies all

https://github.com/simonw/datasette/issues/831#issuecomment-642324847
2025-12-10 16:51:24 +01:00 · 2020-06-10 16:56:53 -07:00 · 2020-06-10 16:56:53 -07:00 · 198545733b
commit 198545733b
parent 9f236c4c00
2 changed files with 26 additions and 4 deletions
--- a/docs/authentication.rst
+++ b/docs/authentication.rst
@ -94,6 +94,14 @@ This will match any actors with an ``"id"`` property of ``"root"`` - for example
        "name": "Root User"
    }

+An allow block can specify "no-one is allowed to do this" using an empty ``{}``:
+
+.. code-block:: json
+
+    {
+        "allow": {}
+    }
+
 Allow keys can provide a list of values. These will match any actor that has any of those values.

 .. code-block:: json
@ -181,6 +189,17 @@ Here's how to restrict access to your entire Datasette instance to just the ``"i
        }
    }

+To deny access to all users, you can use ``"allow": {}``:
+
+.. code-block:: json
+
+    {
+        "title": "My entirely inaccessible instance",
+        "allow": {}
+    }
+
+One reason to do this is if you are using a Datasette plugin - such as `datasette-permissions-sql <https://github.com/simonw/datasette-permissions-sql>`__ - to control permissions instead.
+
 .. _authentication_permissions_database:

 Controlling access to specific databases