register_permissions() plugin hook (#1940)

* Docs for permissions: in metadata, refs #1636 * Refactor default_permissions.py to help with implementation of #1636 * register_permissions() plugin hook, closes #1939 - also refs #1938 * Tests for register_permissions() hook, refs #1939 * Documentation for datasette.permissions, refs #1939 * permission_allowed() falls back on Permission.default, refs #1939 * Raise StartupError on duplicate permissions * Allow dupe permisisons if exact matches
2025-12-10 16:51:24 +01:00 · 2022-12-12 18:05:54 -08:00 · 2022-12-12 18:05:54 -08:00 · 8bf06a76b5
commit 8bf06a76b5
parent e539c1c024
20 changed files with 513 additions and 88 deletions
--- a/datasette/views/database.py
+++ b/datasette/views/database.py
@ -138,7 +138,7 @@ class DatabaseView(DataView):
        attached_databases = [d.name for d in await db.attached_databases()]

        allow_execute_sql = await self.ds.permission_allowed(
-            request.actor, "execute-sql", database, default=True
+            request.actor, "execute-sql", database
        )
        return (
            {
@ -375,7 +375,7 @@ class QueryView(DataView):
                columns = []

        allow_execute_sql = await self.ds.permission_allowed(
-            request.actor, "execute-sql", database, default=True
+            request.actor, "execute-sql", database
        )

        async def extra_template():
--- a/datasette/views/index.py
+++ b/datasette/views/index.py
@ -142,7 +142,7 @@ class IndexView(BaseView):
                    "metadata": self.ds.metadata(),
                    "datasette_version": __version__,
                    "private": not await self.ds.permission_allowed(
-                        None, "view-instance", default=True
+                        None, "view-instance"
                    ),
                },
            )
--- a/datasette/views/special.py
+++ b/datasette/views/special.py
@ -1,8 +1,6 @@
 import json
-from datasette.permissions import PERMISSIONS
 from datasette.utils.asgi import Response, Forbidden
 from datasette.utils import actor_matches_allow, add_cors_headers
-from datasette.permissions import PERMISSIONS
 from .base import BaseView
 import secrets
 import time
@ -108,7 +106,7 @@ class PermissionsDebugView(BaseView):
            # list() avoids error if check is performed during template render:
            {
                "permission_checks": list(reversed(self.ds._permission_checks)),
-                "permissions": PERMISSIONS,
+                "permissions": list(self.ds.permissions.values()),
            },
        )

--- a/datasette/views/table.py
+++ b/datasette/views/table.py
@ -864,7 +864,7 @@ class TableView(DataView):
                "next_url": next_url,
                "private": private,
                "allow_execute_sql": await self.ds.permission_allowed(
-                    request.actor, "execute-sql", database_name, default=True
+                    request.actor, "execute-sql", database_name
                ),
            },
            extra_template,