datasette/datasette/default_permissions.py

from datasette import hookimpl
from datasette.utils import actor_matches_allow
import itsdangerous
import time


@hookimpl(tryfirst=True)
def permission_allowed(datasette, actor, action, resource):
    async def inner():
        if action in ("permissions-debug", "debug-menu"):
            if actor and actor.get("id") == "root":
                return True
        elif action == "view-instance":
            allow = datasette.metadata("allow")
            if allow is not None:
                return actor_matches_allow(actor, allow)
        elif action == "view-database":
            if resource == "_internal" and (actor is None or actor.get("id") != "root"):
                return False
            database_allow = datasette.metadata("allow", database=resource)
            if database_allow is None:
                return None
            return actor_matches_allow(actor, database_allow)
        elif action == "view-table":
            database, table = resource
            tables = datasette.metadata("tables", database=database) or {}
            table_allow = (tables.get(table) or {}).get("allow")
            if table_allow is None:
                return None
            return actor_matches_allow(actor, table_allow)
        elif action == "view-query":
            # Check if this query has a "allow" block in metadata
            database, query_name = resource
            query = await datasette.get_canned_query(database, query_name, actor)
            assert query is not None
            allow = query.get("allow")
            if allow is None:
                return None
            return actor_matches_allow(actor, allow)
        elif action == "execute-sql":
            # Use allow_sql block from database block, or from top-level
            database_allow_sql = datasette.metadata("allow_sql", database=resource)
            if database_allow_sql is None:
                database_allow_sql = datasette.metadata("allow_sql")
            if database_allow_sql is None:
                return None
            return actor_matches_allow(actor, database_allow_sql)

    return inner


@hookimpl
def actor_from_request(datasette, request):
    prefix = "dstok_"
    authorization = request.headers.get("authorization")
    if not authorization:
        return None
    if not authorization.startswith("Bearer "):
        return None
    token = authorization[len("Bearer ") :]
    if not token.startswith(prefix):
        return None
    token = token[len(prefix) :]
    try:
        decoded = datasette.unsign(token, namespace="token")
    except itsdangerous.BadSignature:
        return None
    expires_at = decoded.get("e")
    if expires_at is not None:
        if expires_at < time.time():
            return None
    return {"id": decoded["a"], "token": "dstok"}
Added /-/permissions debug tool, closes #788 Also started the authentication.rst docs page, refs #786. Part of authentication work, refs #699. 2020-06-01 05:00:36 +00:00			`from datasette import hookimpl`
Test + default impl for view-query permission, refs #811 2020-06-07 21:23:16 +00:00			`from datasette.utils import actor_matches_allow`
actor_from_request for dstok_ tokens, refs #1852 2022-10-26 02:18:41 +00:00			`import itsdangerous`
			`import time`
Added /-/permissions debug tool, closes #788 Also started the authentication.rst docs page, refs #786. Part of authentication work, refs #699. 2020-06-01 05:00:36 +00:00

Better example plugin for permission_allowed Also fixed it so default permission checks run after plugin permission checks, refs #818 2020-06-08 22:09:57 +00:00			`@hookimpl(tryfirst=True)`
Renamed resource_identifier to resource, refs #817 2020-06-08 18:59:11 +00:00			`def permission_allowed(datasette, actor, action, resource):`
New plugin hook: canned_queries(), refs #852 2020-06-18 23:22:33 +00:00			`async def inner():`
debug-menu permission, closes #1068 Also added tests for navigation menu logic. 2020-10-30 15:41:57 +00:00			`if action in ("permissions-debug", "debug-menu"):`
New plugin hook: canned_queries(), refs #852 2020-06-18 23:22:33 +00:00			`if actor and actor.get("id") == "root":`
			`return True`
			`elif action == "view-instance":`
			`allow = datasette.metadata("allow")`
			`if allow is not None:`
			`return actor_matches_allow(actor, allow)`
			`elif action == "view-database":`
Rename _schemas to _internal, closes #1156 2020-12-21 19:48:06 +00:00			`if resource == "_internal" and (actor is None or actor.get("id") != "root"):`
In-memory _schemas database tracking schemas of attached tables, closes #1150 2020-12-18 22:34:05 +00:00			`return False`
New plugin hook: canned_queries(), refs #852 2020-06-18 23:22:33 +00:00			`database_allow = datasette.metadata("allow", database=resource)`
			`if database_allow is None:`
Express no opinion if allow block is missing Default permission policy was returning True by default for permission checks - which means that if allow was not defined for a level it would be treated as a passing check. This is better: we now return None of the allow block is not defined, which means 'I have no opinion on this' and allows other code to make its own decisions. Added while working on #832 2020-06-30 22:49:06 +00:00			`return None`
New plugin hook: canned_queries(), refs #852 2020-06-18 23:22:33 +00:00			`return actor_matches_allow(actor, database_allow)`
			`elif action == "view-table":`
			`database, table = resource`
			`tables = datasette.metadata("tables", database=database) or {}`
			`table_allow = (tables.get(table) or {}).get("allow")`
			`if table_allow is None:`
Express no opinion if allow block is missing Default permission policy was returning True by default for permission checks - which means that if allow was not defined for a level it would be treated as a passing check. This is better: we now return None of the allow block is not defined, which means 'I have no opinion on this' and allows other code to make its own decisions. Added while working on #832 2020-06-30 22:49:06 +00:00			`return None`
New plugin hook: canned_queries(), refs #852 2020-06-18 23:22:33 +00:00			`return actor_matches_allow(actor, table_allow)`
			`elif action == "view-query":`
			`# Check if this query has a "allow" block in metadata`
			`database, query_name = resource`
			`query = await datasette.get_canned_query(database, query_name, actor)`
			`assert query is not None`
			`allow = query.get("allow")`
			`if allow is None:`
Express no opinion if allow block is missing Default permission policy was returning True by default for permission checks - which means that if allow was not defined for a level it would be treated as a passing check. This is better: we now return None of the allow block is not defined, which means 'I have no opinion on this' and allows other code to make its own decisions. Added while working on #832 2020-06-30 22:49:06 +00:00			`return None`
Implemented view-instance permission, refs #811 2020-06-07 21:30:39 +00:00			`return actor_matches_allow(actor, allow)`
New plugin hook: canned_queries(), refs #852 2020-06-18 23:22:33 +00:00			`elif action == "execute-sql":`
			`# Use allow_sql block from database block, or from top-level`
			`database_allow_sql = datasette.metadata("allow_sql", database=resource)`
			`if database_allow_sql is None:`
			`database_allow_sql = datasette.metadata("allow_sql")`
			`if database_allow_sql is None:`
Express no opinion if allow block is missing Default permission policy was returning True by default for permission checks - which means that if allow was not defined for a level it would be treated as a passing check. This is better: we now return None of the allow block is not defined, which means 'I have no opinion on this' and allows other code to make its own decisions. Added while working on #832 2020-06-30 22:49:06 +00:00			`return None`
New plugin hook: canned_queries(), refs #852 2020-06-18 23:22:33 +00:00			`return actor_matches_allow(actor, database_allow_sql)`

			`return inner`
actor_from_request for dstok_ tokens, refs #1852 2022-10-26 02:18:41 +00:00

			`@hookimpl`
			`def actor_from_request(datasette, request):`
			`prefix = "dstok_"`
			`authorization = request.headers.get("authorization")`
			`if not authorization:`
			`return None`
			`if not authorization.startswith("Bearer "):`
			`return None`
			`token = authorization[len("Bearer ") :]`
			`if not token.startswith(prefix):`
			`return None`
			`token = token[len(prefix) :]`
			`try:`
			`decoded = datasette.unsign(token, namespace="token")`
			`except itsdangerous.BadSignature:`
			`return None`
			`expires_at = decoded.get("e")`
			`if expires_at is not None:`
			`if expires_at < time.time():`
			`return None`
Mechanism to prevent tokens creating tokens, closes #1857 2022-10-26 02:43:55 +00:00			`return {"id": decoded["a"], "token": "dstok"}`