Document that "allow": {} denies all

https://github.com/simonw/datasette/issues/831#issuecomment-642324847
2020-06-10 16:56:53 -07:00 · 2020-06-10 16:56:53 -07:00 · 198545733b
commit 198545733b
--- a/docs/authentication.rst
+++ b/docs/authentication.rst
@ -94,6 +94,14 @@ This will match any actors with an ``"id"`` property of ``"root"`` - for example
        "name": "Root User"
    }

+An allow block can specify "no-one is allowed to do this" using an empty ``{}``:
+
+.. code-block:: json
+
+    {
+        "allow": {}
+    }
+
 Allow keys can provide a list of values. These will match any actor that has any of those values.

 .. code-block:: json
@ -181,6 +189,17 @@ Here's how to restrict access to your entire Datasette instance to just the ``"i
        }
    }

+To deny access to all users, you can use ``"allow": {}``:
+
+.. code-block:: json
+
+    {
+        "title": "My entirely inaccessible instance",
+        "allow": {}
+    }
+
+One reason to do this is if you are using a Datasette plugin - such as `datasette-permissions-sql <https://github.com/simonw/datasette-permissions-sql>`__ - to control permissions instead.
+
 .. _authentication_permissions_database:

 Controlling access to specific databases
--- a/tests/test_utils.py
+++ b/tests/test_utils.py
@ -464,16 +464,19 @@ def test_multi_params(data, should_raise):
@pytest.mark.parametrize(
    "actor,allow,expected",
    [
+        # Default is to allow:
        (None, None, True),
+        # {} means deny-all:
        (None, {}, False),
-        (None, {"id": "root"}, False),
-        ({"id": "root"}, None, True),
        ({"id": "root"}, {}, False),
-        ({"id": "simon", "staff": True}, {"staff": True}, True),
-        ({"id": "simon", "staff": False}, {"staff": True}, False),
        # Special case for "unauthenticated": true
        (None, {"unauthenticated": True}, True),
        (None, {"unauthenticated": False}, False),
+        # Match on just one property:
+        (None, {"id": "root"}, False),
+        ({"id": "root"}, None, True),
+        ({"id": "simon", "staff": True}, {"staff": True}, True),
+        ({"id": "simon", "staff": False}, {"staff": True}, False),
        # Special "*" value for any key:
        ({"id": "root"}, {"id": "*"}, True),
        ({}, {"id": "*"}, False),