mirror of
https://github.com/simonw/datasette.git
synced 2025-12-10 16:51:24 +01:00
2b879e462f
This introduces a new hierarchical permission system that uses SQL queries
for efficient permission checking across resources. The system replaces the
older permission_allowed() pattern with a more flexible resource-based
approach.
Core changes:
- New Resource ABC and Action dataclass in datasette/permissions.py
* Resources represent hierarchical entities (instance, database, table)
* Each resource type implements resources_sql() to list all instances
* Actions define operations on resources with cascading rules
- New plugin hook: register_actions(datasette)
* Plugins register actions with their associated resource types
* Replaces register_permissions() and register_resource_types()
* See docs/plugin_hooks.rst for full documentation
- Three new Datasette methods for permission checks:
* allowed_resources(action, actor) - returns list[Resource]
* allowed_resources_with_reasons(action, actor) - for debugging
* allowed(action, resource, actor) - checks single resource
* All use SQL for filtering, never Python iteration
- New /-/tables endpoint (TablesView)
* Returns JSON list of tables user can view
* Supports ?q= parameter for regex filtering
* Format: {"matches": [{"name": "db/table", "url": "/db/table"}]}
* Respects all permission rules from configuration and plugins
- SQL-based permission evaluation (datasette/utils/actions_sql.py)
* Cascading rules: child-level → parent-level → global-level
* DENY beats ALLOW at same specificity
* Uses CTEs for efficient SQL-only filtering
* Combines permission_resources_sql() hook results
- Default actions in datasette/default_actions.py
* InstanceResource, DatabaseResource, TableResource, QueryResource
* Core actions: view-instance, view-database, view-table, etc.
- Fixed default_permissions.py to handle database-level allow blocks
* Now creates parent-level rules for view-table action
* Fixes: datasette ... -s databases.fixtures.allow.id root
Documentation:
- Comprehensive register_actions() hook documentation
- Detailed resources_sql() method explanation
- /-/tables endpoint documentation in docs/introspection.rst
- Deprecated register_permissions() with migration guide
Tests:
- tests/test_actions_sql.py: 7 tests for core permission API
- tests/test_tables_endpoint.py: 13 tests for /-/tables endpoint
- All 118 documentation tests pass
- Tests verify SQL does filtering (not Python)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
|
||
|---|---|---|
| .. | ||
| plugins | ||
| test_templates | ||
| __init__.py | ||
| build_small_spatialite_db.py | ||
| conftest.py | ||
| ext.c | ||
| fixtures.py | ||
| spatialite.db | ||
| test-datasette-load-plugins.sh | ||
| test_actions_sql.py | ||
| test_api.py | ||
| test_api_write.py | ||
| test_auth.py | ||
| test_base_view.py | ||
| test_black.py | ||
| test_canned_queries.py | ||
| test_cli.py | ||
| test_cli_serve_get.py | ||
| test_cli_serve_server.py | ||
| test_config_dir.py | ||
| test_config_permission_rules.py | ||
| test_crossdb.py | ||
| test_csv.py | ||
| test_custom_pages.py | ||
| test_datasette_https_server.sh | ||
| test_docs.py | ||
| test_docs_plugins.py | ||
| test_facets.py | ||
| test_filters.py | ||
| test_html.py | ||
| test_internal_db.py | ||
| test_internals_database.py | ||
| test_internals_datasette.py | ||
| test_internals_datasette_client.py | ||
| test_internals_request.py | ||
| test_internals_response.py | ||
| test_internals_urls.py | ||
| test_label_column_for_table.py | ||
| test_load_extensions.py | ||
| test_messages.py | ||
| test_package.py | ||
| test_permission_endpoints.py | ||
| test_permissions.py | ||
| test_plugins.py | ||
| test_publish_cloudrun.py | ||
| test_publish_heroku.py | ||
| test_routes.py | ||
| test_spatialite.py | ||
| test_table_api.py | ||
| test_table_html.py | ||
| test_tables_endpoint.py | ||
| test_tracer.py | ||
| test_utils.py | ||
| test_utils_check_callable.py | ||
| test_utils_permissions.py | ||
| utils.py | ||