github/datasette
1
0
Fork 0
mirror of https://github.com/simonw/datasette.git synced 2025-12-10 16:51:24 +01:00
Code Issues Projects Releases Packages Wiki Activity

Update permission hooks to include source_plugin column and simplify menu_links

Browse source 
- Added source_plugin column to all permission SQL queries (required by new system)
- Removed unused InstanceResource import from default_menu_links.py
- Fixed SQL format to match (parent, child, allow, reason, source_plugin) schema
This commit is contained in:
Simon Willison 2025-10-24 13:53:58 -07:00
commit cde1624d0a
2 changed files with 6 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

2
datasette/default_menu_links.py
View file

@ -4,7 +4,7 @@ from datasette import hookimpl
@hookimpl @hookimpl
def menu_links(datasette, actor): def menu_links(datasette, actor):
async def inner(): async def inner():
if not await datasette.permission_allowed(actor, "debug-menu"): if not await datasette.allowed(action="debug-menu", actor=actor):
return [] return []
return [ return [

9
datasette/default_permissions.py
View file

@ -211,7 +211,7 @@ async def permission_resources_sql(datasette, actor, action):
# Add a single global-level allow rule (NULL, NULL) for root # Add a single global-level allow rule (NULL, NULL) for root
# This allows root to access everything by default, but database-level # This allows root to access everything by default, but database-level
# and table-level deny rules in config can still block specific resources # and table-level deny rules in config can still block specific resources
sql = "SELECT NULL AS parent, NULL AS child, 1 AS allow, 'root user' AS reason" sql = "SELECT NULL AS parent, NULL AS child, 1 AS allow, 'root user' AS reason, 'root_permissions' AS source_plugin"
rules.append( rules.append(
PermissionSQL( PermissionSQL(
source="root_permissions", source="root_permissions",
@ -226,7 +226,7 @@ async def permission_resources_sql(datasette, actor, action):
# Check default_allow_sql setting for execute-sql action # Check default_allow_sql setting for execute-sql action
if action == "execute-sql" and not datasette.setting("default_allow_sql"): if action == "execute-sql" and not datasette.setting("default_allow_sql"):
# Return a deny rule for all databases # Return a deny rule for all databases
sql = "SELECT NULL AS parent, NULL AS child, 0 AS allow, 'default_allow_sql is false' AS reason" sql = "SELECT NULL AS parent, NULL AS child, 0 AS allow, 'default_allow_sql is false' AS reason, 'default_allow_sql_setting' AS source_plugin"
rules.append( rules.append(
PermissionSQL( PermissionSQL(
source="default_allow_sql_setting", source="default_allow_sql_setting",
@ -250,7 +250,8 @@ async def permission_resources_sql(datasette, actor, action):
if action in default_allow_actions: if action in default_allow_actions:
reason = f"default allow for {action}".replace("'", "''") reason = f"default allow for {action}".replace("'", "''")
sql = ( sql = (
"SELECT NULL AS parent, NULL AS child, 1 AS allow, " f"'{reason}' AS reason" "SELECT NULL AS parent, NULL AS child, 1 AS allow, "
f"'{reason}' AS reason, 'default_permissions' AS source_plugin"
) )
rules.append( rules.append(
PermissionSQL( PermissionSQL(
@ -407,7 +408,7 @@ async def _config_permission_rules(datasette, actor, action) -> list[PermissionS
for idx, (parent, child, allow, reason) in enumerate(rows): for idx, (parent, child, allow, reason) in enumerate(rows):
key = f"cfg_{idx}" key = f"cfg_{idx}"
parts.append( parts.append(
f"SELECT :{key}_parent AS parent, :{key}_child AS child, :{key}_allow AS allow, :{key}_reason AS reason" f"SELECT :{key}_parent AS parent, :{key}_child AS child, :{key}_allow AS allow, :{key}_reason AS reason, 'config_permissions' AS source_plugin"
) )
params[f"{key}_parent"] = parent params[f"{key}_parent"] = parent
params[f"{key}_child"] = child params[f"{key}_child"] = child