diff --git a/datasette/app.py b/datasette/app.py index c12e0af0..2f89d17c 100644 --- a/datasette/app.py +++ b/datasette/app.py @@ -464,16 +464,11 @@ class Datasette: else: return [] - async def permission_allowed( - self, actor, action, resource_identifier=None, default=False - ): + async def permission_allowed(self, actor, action, resource=None, default=False): "Check permissions using the permissions_allowed plugin hook" result = None for check in pm.hook.permission_allowed( - datasette=self, - actor=actor, - action=action, - resource_identifier=resource_identifier, + datasette=self, actor=actor, action=action, resource=resource, ): if callable(check): check = check() @@ -490,7 +485,7 @@ class Datasette: "when": datetime.datetime.utcnow().isoformat(), "actor": actor, "action": action, - "resource_identifier": resource_identifier, + "resource": resource, "used_default": used_default, "result": result, } diff --git a/datasette/default_permissions.py b/datasette/default_permissions.py index d27704aa..e989c0fa 100644 --- a/datasette/default_permissions.py +++ b/datasette/default_permissions.py @@ -3,7 +3,7 @@ from datasette.utils import actor_matches_allow @hookimpl -def permission_allowed(datasette, actor, action, resource_identifier): +def permission_allowed(datasette, actor, action, resource): if action == "permissions-debug": if actor and actor.get("id") == "root": return True @@ -12,12 +12,12 @@ def permission_allowed(datasette, actor, action, resource_identifier): if allow is not None: return actor_matches_allow(actor, allow) elif action == "view-database": - database_allow = datasette.metadata("allow", database=resource_identifier) + database_allow = datasette.metadata("allow", database=resource) if database_allow is None: return True return actor_matches_allow(actor, database_allow) elif action == "view-table": - database, table = resource_identifier + database, table = resource tables = datasette.metadata("tables", database=database) or {} table_allow = (tables.get(table) or {}).get("allow") if table_allow is None: @@ -25,7 +25,7 @@ def permission_allowed(datasette, actor, action, resource_identifier): return actor_matches_allow(actor, table_allow) elif action == "view-query": # Check if this query has a "allow" block in metadata - database, query_name = resource_identifier + database, query_name = resource queries_metadata = datasette.metadata("queries", database=database) assert query_name in queries_metadata if isinstance(queries_metadata[query_name], str): diff --git a/datasette/hookspecs.py b/datasette/hookspecs.py index 3c202553..d5fd232f 100644 --- a/datasette/hookspecs.py +++ b/datasette/hookspecs.py @@ -66,5 +66,5 @@ def actor_from_request(datasette, request): @hookspec -def permission_allowed(datasette, actor, action, resource_identifier): +def permission_allowed(datasette, actor, action, resource): "Check if actor is allowed to perfom this action - return True, False or None" diff --git a/datasette/templates/permissions_debug.html b/datasette/templates/permissions_debug.html index 7d3ee712..d898ea8c 100644 --- a/datasette/templates/permissions_debug.html +++ b/datasette/templates/permissions_debug.html @@ -46,8 +46,8 @@ {% endif %}
Actor: {{ check.actor|tojson }}
- {% if check.resource_identifier %} -Resource: {{ check.resource_identifier }}
+ {% if check.resource %} +Resource: {{ check.resource }}
{% endif %} {% endfor %} diff --git a/datasette/utils/__init__.py b/datasette/utils/__init__.py index 257d1285..7c1f34e0 100644 --- a/datasette/utils/__init__.py +++ b/datasette/utils/__init__.py @@ -876,14 +876,14 @@ def actor_matches_allow(actor, allow): return False -async def check_visibility(datasette, actor, action, resource_identifier, default=True): +async def check_visibility(datasette, actor, action, resource, default=True): "Returns (visible, private) - visible = can you see it, private = can others see it too" visible = await datasette.permission_allowed( - actor, action, resource_identifier=resource_identifier, default=default, + actor, action, resource=resource, default=default, ) if not visible: return (False, False) private = not await datasette.permission_allowed( - None, action, resource_identifier=resource_identifier, default=default, + None, action, resource=resource, default=default, ) return visible, private diff --git a/datasette/views/base.py b/datasette/views/base.py index 2ca5e86a..f327c6cd 100644 --- a/datasette/views/base.py +++ b/datasette/views/base.py @@ -64,12 +64,9 @@ class BaseView(AsgiView): response.body = b"" return response - async def check_permission(self, request, action, resource_identifier=None): + async def check_permission(self, request, action, resource=None): ok = await self.ds.permission_allowed( - request.actor, - action, - resource_identifier=resource_identifier, - default=True, + request.actor, action, resource=resource, default=True, ) if not ok: raise Forbidden(action) diff --git a/datasette/views/database.py b/datasette/views/database.py index d562ecb1..e1b29c27 100644 --- a/datasette/views/database.py +++ b/datasette/views/database.py @@ -88,7 +88,7 @@ class DatabaseView(DataView): "views": views, "queries": canned_queries, "private": not await self.ds.permission_allowed( - None, "view-database", "database", database + None, "view-database", database ), }, { diff --git a/docs/authentication.rst b/docs/authentication.rst index 67112969..f5209dfc 100644 --- a/docs/authentication.rst +++ b/docs/authentication.rst @@ -159,7 +159,7 @@ This is designed to help administrators and plugin authors understand exactly ho Permissions =========== -This section lists all of the permission checks that are carried out by Datasette core, along with the ``resource_identifier`` if it was passed. +This section lists all of the permission checks that are carried out by Datasette core, along with the ``resource`` if it was passed. .. _permissions_view_instance: @@ -176,7 +176,7 @@ view-database Actor is allowed to view a database page, e.g. https://latest.datasette.io/fixtures -``resource_identifier`` - string +``resource`` - string The name of the database .. _permissions_view_database_download: @@ -186,7 +186,7 @@ view-database-download Actor is allowed to download a database, e.g. https://latest.datasette.io/fixtures.db -``resource_identifier`` - string +``resource`` - string The name of the database .. _permissions_view_table: @@ -196,7 +196,7 @@ view-table Actor is allowed to view a table (or view) page, e.g. https://latest.datasette.io/fixtures/complex_foreign_keys -``resource_identifier`` - tuple: (string, string) +``resource`` - tuple: (string, string) The name of the database, then the name of the table .. _permissions_view_query: @@ -206,7 +206,7 @@ view-query Actor is allowed to view a :ref:`canned query