-
-
Notifications
You must be signed in to change notification settings - Fork 702
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Having view-table permission but NOT view-database should still grant access to /db/table #832
Comments
Relevant code: datasette/datasette/views/table.py Lines 267 to 272 in ce49580
|
May the fix here is to implement a await self.check_permissions(request, [
("view-table", (database, table)),
("view-database", database),
"view-instance",
]) |
How would I document this? Probably in another section on https://datasette.readthedocs.io/en/latest/authentication.html#permissions But I'd also need to add documentation to the individual views stating what permissions are checked and in what order. I could do that on this page: https://datasette.readthedocs.io/en/latest/pages.html |
So for the following:
The logic is: if the first test returns |
I think the new |
I already have this method on Datasette: async def permission_allowed(self, actor, action, resource=None, default=False): What would be a good method name that complements that and indicates "check a list of permissions in order"? Should it even run against the request or should you have to hand it |
I could rename This is a breaking change but we're pre-1.0 so I think that's OK. I could even set up a temporary |
|
Hah... but check_permission datasette/datasette/default_permissions.py Lines 5 to 14 in 6c26345
And on BaseView: datasette/datasette/views/base.py Lines 65 to 70 in a8a5f81
|
I'm going to put the new |
Tests needed for this:
|
I don't think this needs any additional documentation - the new behaviour matches how the permissions are documented here: https://datasette.readthedocs.io/en/0.44/authentication.html#built-in-permissions |
Default permission policy was returning True by default for permission checks - which means that if allow was not defined for a level it would be treated as a passing check. This is better: we now return None of the allow block is not defined, which means 'I have no opinion on this' and allows other code to make its own decisions. Added while working on #832
Stumbled into this while working on
datasette-permissions-sql
. I had granted table permissions, but the permission check wasn't even executed because the user failed the previousview-database
check.The text was updated successfully, but these errors were encountered: