mirror of
https://github.com/simonw/datasette.git
synced 2025-12-10 16:51:24 +01:00
Implement INTERSECT-based actor restrictions to prevent permission bypass

Actor restrictions are now implemented as SQL filters using INTERSECT rather than as deny/allow permission rules. This ensures restrictions act as hard limits that cannot be overridden by other permission plugins or config blocks.

Previously, actor restrictions (`_r` in actor dict) were implemented by generating permission rules with deny/allow logic. This approach had a critical flaw: database-level config allow blocks could bypass table-level restrictions, granting access to tables not in the actor's allowlist.

The new approach separates concerns:

- Permission rules determine what's allowed based on config and plugins
- Restriction filters limit the result set to only allowlisted resources
- Restrictions use INTERSECT to ensure all restriction criteria are met
- Database-level restrictions (parent, NULL) properly match all child tables

Implementation details:

- Added `restriction_sql` field to `PermissionSQL` dataclass
- Made `PermissionSQL.sql` optional to support restriction-only plugins
- Updated `actor_restrictions_sql()` to return restriction filters instead of rules
- Modified SQL builders to apply restrictions via INTERSECT and EXISTS clauses

Closes #2572
| Name |
|---|
| publish |
| static |
| templates |
| utils |
| views |
| __init__.py |
| __main__.py |
| actor_auth_cookie.py |
| app.py |
| blob_renderer.py |
| cli.py |
| database.py |
| default_actions.py |
| default_magic_parameters.py |
| default_menu_links.py |
| default_permissions.py |
| events.py |
| facets.py |
| filters.py |
| forbidden.py |
| handle_exception.py |
| hookspecs.py |
| inspect.py |
| permissions.py |
| plugins.py |
| renderer.py |
| resources.py |
| sql_functions.py |
| tracer.py |
| url_builder.py |
| version.py |