Permissions SQL API improvements (#2558)

* Neater design for PermissionSQL class, refs #2556 - source is now automatically set to the source plugin - params is optional * PermissionSQL.allow() and PermissionSQL.deny() shortcuts Closes #2556 * Filter out temp database from attached_databases() Refs https://github.com/simonw/datasette/issues/2557#issuecomment-3470510837
2025-12-10 16:51:24 +01:00 · 2025-10-30 15:48:46 -07:00 · 2025-10-30 15:48:46 -07:00 · 6a71bde37f
commit 6a71bde37f
parent 5247856bd4
14 changed files with 241 additions and 227 deletions
--- a/tests/plugins/my_plugin.py
+++ b/tests/plugins/my_plugin.py
@ -473,6 +473,39 @@ def register_actions(datasette):
            takes_child=False,
            resource_class=DatabaseResource,
        ),
+        # Test actions for test_hook_permission_allowed
+        Action(
+            name="this_is_allowed",
+            abbr=None,
+            description=None,
+            takes_parent=False,
+            takes_child=False,
+            resource_class=InstanceResource,
+        ),
+        Action(
+            name="this_is_denied",
+            abbr=None,
+            description=None,
+            takes_parent=False,
+            takes_child=False,
+            resource_class=InstanceResource,
+        ),
+        Action(
+            name="this_is_allowed_async",
+            abbr=None,
+            description=None,
+            takes_parent=False,
+            takes_child=False,
+            resource_class=InstanceResource,
+        ),
+        Action(
+            name="this_is_denied_async",
+            abbr=None,
+            description=None,
+            takes_parent=False,
+            takes_child=False,
+            resource_class=InstanceResource,
+        ),
    ]

    # Support old-style config for backwards compatibility
@ -526,30 +559,27 @@ def permission_resources_sql(datasette, actor, action):

    # Handle test actions used in test_hook_permission_allowed
    if action == "this_is_allowed":
-        sql = "SELECT NULL AS parent, NULL AS child, 1 AS allow, 'test plugin allows this_is_allowed' AS reason"
-        return PermissionSQL(source="my_plugin", sql=sql, params={})
+        return PermissionSQL.allow(reason="test plugin allows this_is_allowed")
    elif action == "this_is_denied":
-        sql = "SELECT NULL AS parent, NULL AS child, 0 AS allow, 'test plugin denies this_is_denied' AS reason"
-        return PermissionSQL(source="my_plugin", sql=sql, params={})
+        return PermissionSQL.deny(reason="test plugin denies this_is_denied")
    elif action == "this_is_allowed_async":
-        sql = "SELECT NULL AS parent, NULL AS child, 1 AS allow, 'test plugin allows this_is_allowed_async' AS reason"
-        return PermissionSQL(source="my_plugin", sql=sql, params={})
+        return PermissionSQL.allow(reason="test plugin allows this_is_allowed_async")
    elif action == "this_is_denied_async":
-        sql = "SELECT NULL AS parent, NULL AS child, 0 AS allow, 'test plugin denies this_is_denied_async' AS reason"
-        return PermissionSQL(source="my_plugin", sql=sql, params={})
+        return PermissionSQL.deny(reason="test plugin denies this_is_denied_async")
    elif action == "view-database-download":
        # Return rule based on actor's can_download permission
        if actor and actor.get("can_download"):
-            sql = "SELECT NULL AS parent, NULL AS child, 1 AS allow, 'actor has can_download' AS reason"
+            return PermissionSQL.allow(reason="actor has can_download")
        else:
            return None  # No opinion
-        return PermissionSQL(source="my_plugin", sql=sql, params={})
    elif action == "view-database":
        # Also grant view-database if actor has can_download (needed for download to work)
        if actor and actor.get("can_download"):
-            sql = "SELECT NULL AS parent, NULL AS child, 1 AS allow, 'actor has can_download, grants view-database' AS reason"
-            return PermissionSQL(source="my_plugin", sql=sql, params={})
-        return None
+            return PermissionSQL.allow(
+                reason="actor has can_download, grants view-database"
+            )
+        else:
+            return None
    elif action in (
        "insert-row",
        "create-table",
@ -560,7 +590,6 @@ def permission_resources_sql(datasette, actor, action):
        # Special permissions for latest.datasette.io demos
        actor_id = actor.get("id") if actor else None
        if actor_id == "todomvc":
-            sql = f"SELECT NULL AS parent, NULL AS child, 1 AS allow, 'todomvc actor allowed for {action}' AS reason"
-            return PermissionSQL(source="my_plugin", sql=sql, params={})
+            return PermissionSQL.allow(reason=f"todomvc actor allowed for {action}")

    return None