mirror of
https://github.com/simonw/datasette.git
synced 2026-07-09 09:04:42 +02:00
- New CSRF protection middleware inspired by Go 1.25 and research by Filippo Valsorda - https://words.filippo.io/csrf/ - this replaces the old CSRF token based protection. - Removes all instances of `<input type="hidden" name="csrftoken" value="{{ csrftoken() }}">` in the templates - they are no longer needed. - Removes the `def skip_csrf(datasette, scope):` plugin hook defined in `datasette/hookspecs.py` and its documentation and tests. - Updated CSRF protection documentation to describe the new approach. - Upgrade guide now describes the CSRF change.
48 lines
1.8 KiB
Python
48 lines
1.8 KiB
Python
"""
|
|
Default permission implementations for Datasette.
|
|
|
|
This module provides the built-in permission checking logic through implementations
|
|
of the permission_resources_sql hook. The hooks are organized by their purpose:
|
|
|
|
1. Actor Restrictions - Enforces _r allowlists embedded in actor tokens
|
|
2. Root User - Grants full access when --root flag is used
|
|
3. Config Rules - Applies permissions from datasette.yaml
|
|
4. Default Settings - Enforces default_allow_sql and default view permissions
|
|
|
|
IMPORTANT: These hooks return PermissionSQL objects that are combined using SQL
|
|
UNION/INTERSECT operations. The order of evaluation is:
|
|
- restriction_sql fields are INTERSECTed (all must match)
|
|
- Regular sql fields are UNIONed and evaluated with cascading priority
|
|
"""
|
|
|
|
from __future__ import annotations
|
|
|
|
from typing import TYPE_CHECKING
|
|
|
|
if TYPE_CHECKING:
|
|
from datasette.app import Datasette
|
|
|
|
from datasette import hookimpl
|
|
|
|
# Re-export all hooks and public utilities
|
|
from .restrictions import (
|
|
actor_restrictions_sql as actor_restrictions_sql,
|
|
restrictions_allow_action as restrictions_allow_action,
|
|
ActorRestrictions as ActorRestrictions,
|
|
)
|
|
from .root import root_user_permissions_sql as root_user_permissions_sql
|
|
from .config import config_permissions_sql as config_permissions_sql
|
|
from .defaults import (
|
|
default_allow_sql_check as default_allow_sql_check,
|
|
default_action_permissions_sql as default_action_permissions_sql,
|
|
DEFAULT_ALLOW_ACTIONS as DEFAULT_ALLOW_ACTIONS,
|
|
)
|
|
|
|
|
|
@hookimpl
|
|
def canned_queries(datasette: "Datasette", database: str, actor) -> dict:
|
|
"""Return canned queries defined in datasette.yaml configuration."""
|
|
queries = (
|
|
((datasette.config or {}).get("databases") or {}).get(database) or {}
|
|
).get("queries") or {}
|
|
return queries
|