github/datasette
1
0
Fork 0
mirror of https://github.com/simonw/datasette.git synced 2025-12-10 16:51:24 +01:00
Code Issues Projects Releases Packages Wiki Activity

Simplify types in datasette/permissions.py

Browse source
This commit is contained in:
Simon Willison 2025-10-23 21:59:46 -07:00
commit 58ac5ccd6e
2 changed files with 21 additions and 28 deletions
Download patch file Download diff file Expand all files Collapse all files

24
datasette/utils/permissions.py
View file

@ -2,7 +2,7 @@
from __future__ import annotations from __future__ import annotations
import json import json
from typing import Any, Callable, Dict, Iterable, List, Optional, Sequence, Tuple, Union from typing import Any, Dict, Iterable, List, Sequence, Tuple
import sqlite3 import sqlite3
from datasette.permissions import PermissionSQL from datasette.permissions import PermissionSQL
@ -32,12 +32,8 @@ def _namespace_params(i: int, params: Dict[str, Any]) -> Tuple[str, Dict[str, An
return rewrite, namespaced return rewrite, namespaced
PluginProvider = Callable[[str], PermissionSQL]
PluginOrFactory = Union[PermissionSQL, PluginProvider]
def build_rules_union( def build_rules_union(
actor: Optional[dict], plugins: Sequence[PermissionSQL] actor: dict | None, plugins: Sequence[PermissionSQL]
) -> Tuple[str, Dict[str, Any]]: ) -> Tuple[str, Dict[str, Any]]:
""" """
Compose plugin SQL into a UNION ALL with namespaced parameters. Compose plugin SQL into a UNION ALL with namespaced parameters.
@ -80,11 +76,11 @@ def build_rules_union(
async def resolve_permissions_from_catalog( async def resolve_permissions_from_catalog(
db, db,
actor: Optional[dict], actor: dict | None,
plugins: Sequence[PluginOrFactory], plugins: Sequence[Any],
action: str, action: str,
candidate_sql: str, candidate_sql: str,
candidate_params: Optional[Dict[str, Any]] = None, candidate_params: Dict[str, Any] | None = None,
*, *,
implicit_deny: bool = True, implicit_deny: bool = True,
) -> List[Dict[str, Any]]: ) -> List[Dict[str, Any]]:
@ -96,8 +92,8 @@ async def resolve_permissions_from_catalog(
(Use child=NULL for parent-scoped actions like "execute-sql".) (Use child=NULL for parent-scoped actions like "execute-sql".)
- *db* exposes: rows = await db.execute(sql, params) - *db* exposes: rows = await db.execute(sql, params)
where rows is an iterable of sqlite3.Row where rows is an iterable of sqlite3.Row
- plugins are either PermissionSQL objects or callables accepting (action: str) - plugins: hook results handled by await_me_maybe - can be sync/async,
and returning PermissionSQL instances selecting (parent, child, allow, reason) single PermissionSQL, list, or callable returning PermissionSQL
- actor is the actor dict (or None), made available as :actor (JSON), :actor_id, and :action - actor is the actor dict (or None), made available as :actor (JSON), :actor_id, and :action
Decision policy: Decision policy:
@ -194,9 +190,9 @@ async def resolve_permissions_from_catalog(
async def resolve_permissions_with_candidates( async def resolve_permissions_with_candidates(
db, db,
actor: Optional[dict], actor: dict | None,
plugins: Sequence[PluginOrFactory], plugins: Sequence[Any],
candidates: List[Tuple[str, Optional[str]]], candidates: List[Tuple[str, str | None]],
action: str, action: str,
*, *,
implicit_deny: bool = True, implicit_deny: bool = True,

25
tests/test_utils_permissions.py
View file

@ -1,11 +1,8 @@
import pytest import pytest
from datasette.app import Datasette from datasette.app import Datasette
from datasette.permissions import PermissionSQL from datasette.permissions import PermissionSQL
from datasette.utils.permissions import ( from datasette.utils.permissions import resolve_permissions_from_catalog
PluginProvider, from typing import Callable, List
resolve_permissions_from_catalog,
)
from typing import List
@pytest.fixture @pytest.fixture
@ -25,7 +22,7 @@ NO_RULES_SQL = (
) )
def plugin_allow_all_for_user(user: str) -> PluginProvider: def plugin_allow_all_for_user(user: str) -> Callable[[str], PermissionSQL]:
def provider(action: str) -> PermissionSQL: def provider(action: str) -> PermissionSQL:
return PermissionSQL( return PermissionSQL(
"allow_all", "allow_all",
@ -40,7 +37,7 @@ def plugin_allow_all_for_user(user: str) -> PluginProvider:
return provider return provider
def plugin_deny_specific_table(user: str, parent: str, child: str) -> PluginProvider: def plugin_deny_specific_table(user: str, parent: str, child: str) -> Callable[[str], PermissionSQL]:
def provider(action: str) -> PermissionSQL: def provider(action: str) -> PermissionSQL:
return PermissionSQL( return PermissionSQL(
"deny_specific_table", "deny_specific_table",
@ -55,7 +52,7 @@ def plugin_deny_specific_table(user: str, parent: str, child: str) -> PluginProv
return provider return provider
def plugin_org_policy_deny_parent(parent: str) -> PluginProvider: def plugin_org_policy_deny_parent(parent: str) -> Callable[[str], PermissionSQL]:
def provider(action: str) -> PermissionSQL: def provider(action: str) -> PermissionSQL:
return PermissionSQL( return PermissionSQL(
"org_policy_parent_deny", "org_policy_parent_deny",
@ -69,7 +66,7 @@ def plugin_org_policy_deny_parent(parent: str) -> PluginProvider:
return provider return provider
def plugin_allow_parent_for_user(user: str, parent: str) -> PluginProvider: def plugin_allow_parent_for_user(user: str, parent: str) -> Callable[[str], PermissionSQL]:
def provider(action: str) -> PermissionSQL: def provider(action: str) -> PermissionSQL:
return PermissionSQL( return PermissionSQL(
"allow_parent", "allow_parent",
@ -84,7 +81,7 @@ def plugin_allow_parent_for_user(user: str, parent: str) -> PluginProvider:
return provider return provider
def plugin_child_allow_for_user(user: str, parent: str, child: str) -> PluginProvider: def plugin_child_allow_for_user(user: str, parent: str, child: str) -> Callable[[str], PermissionSQL]:
def provider(action: str) -> PermissionSQL: def provider(action: str) -> PermissionSQL:
return PermissionSQL( return PermissionSQL(
"allow_child", "allow_child",
@ -99,7 +96,7 @@ def plugin_child_allow_for_user(user: str, parent: str, child: str) -> PluginPro
return provider return provider
def plugin_root_deny_for_all() -> PluginProvider: def plugin_root_deny_for_all() -> Callable[[str], PermissionSQL]:
def provider(action: str) -> PermissionSQL: def provider(action: str) -> PermissionSQL:
return PermissionSQL( return PermissionSQL(
"root_deny", "root_deny",
@ -114,7 +111,7 @@ def plugin_root_deny_for_all() -> PluginProvider:
def plugin_conflicting_same_child_rules( def plugin_conflicting_same_child_rules(
user: str, parent: str, child: str user: str, parent: str, child: str
) -> List[PluginProvider]: ) -> List[Callable[[str], PermissionSQL]]:
def allow_provider(action: str) -> PermissionSQL: def allow_provider(action: str) -> PermissionSQL:
return PermissionSQL( return PermissionSQL(
"conflict_child_allow", "conflict_child_allow",
@ -140,7 +137,7 @@ def plugin_conflicting_same_child_rules(
return [allow_provider, deny_provider] return [allow_provider, deny_provider]
def plugin_allow_all_for_action(user: str, allowed_action: str) -> PluginProvider: def plugin_allow_all_for_action(user: str, allowed_action: str) -> Callable[[str], PermissionSQL]:
def provider(action: str) -> PermissionSQL: def provider(action: str) -> PermissionSQL:
if action != allowed_action: if action != allowed_action:
return PermissionSQL( return PermissionSQL(
@ -475,7 +472,7 @@ async def test_actor_actor_id_action_parameters_available(db):
"""Test that :actor (JSON), :actor_id, and :action are all available in SQL""" """Test that :actor (JSON), :actor_id, and :action are all available in SQL"""
await seed_catalog(db) await seed_catalog(db)
def plugin_using_all_parameters() -> PluginProvider: def plugin_using_all_parameters() -> Callable[[str], PermissionSQL]:
def provider(action: str) -> PermissionSQL: def provider(action: str) -> PermissionSQL:
return PermissionSQL( return PermissionSQL(
"test_all_params", "test_all_params",