9ac9f0152f
Migrate allow from metadata to config if necessary, closes #2249
2024-02-06 22:18:38 -08:00
5c64af6936
Upgrade to latest Black, closes #2239
2024-01-30 19:55:26 -08:00
35deaabcb1
Move non-metadata configuration from metadata.yaml to datasette.yaml
...
* Allow and permission blocks moved to datasette.yaml
* Documentation updates, initial framework for configuration reference
2023-10-12 09:16:37 -07:00
98ffad9aed
execute-sql now implies can view instance/database, closes #2169
2023-08-31 15:46:26 -07:00
50da908213
Cascade for restricted token view-table/view-database/view-instance operations ( #2154 )
...
Closes #2102
* Permission is now a dataclass, not a namedtuple - refs https://github.com/simonw/datasette/pull/2154/#discussion_r1308087800
* datasette.get_permission() method
2023-08-29 09:32:34 -07:00
01e0558825
Merge pull request from GHSA-7ch3-7pp7-7cpq
...
* API explorer requires view-instance permission
* Check database/table permissions on /-/api page
* Release notes for 1.0a4
Refs #2119 , #2133 , #2138 , #2140
Refs https://github.com/simonw/datasette/security/advisories/GHSA-7ch3-7pp7-7cpq
2023-08-22 10:10:01 -07:00
9c43b4164d
Removed @pytest.mark.ds_client mark - refs #1959
...
I don't need it - can run 'pytest -k ds_client' instead.
See https://github.com/simonw/datasette/pull/1960#issuecomment-1355685828
2022-12-17 13:47:55 -08:00
e70974a4f1
Ran Black, refs #1959
2022-12-17 13:47:55 -08:00
be95359a80
ds_client for test_permissions.py, refs #1959
2022-12-17 13:47:55 -08:00
e238df3959
Handle non-initials in permission_allowed_actor_restrictions, closes #1956
2022-12-14 12:04:23 -08:00
a1a372f179
/-/actor no longer requires view-instance, refs #1945
2022-12-12 21:06:30 -08:00
260fbb598e
Fix some failing tests, refs #1855
2022-12-12 21:00:40 -08:00
809fad2392
Tests for datasette create-token restrictions, refs #1855
2022-12-12 20:44:19 -08:00
c6a811237c
/-/actor.json no longer requires view-instance, closes #1945
2022-12-12 20:11:51 -08:00
3e6a208ba3
Rename 't' to 'r' in '_r' actor format, refs #1855
2022-12-12 19:27:34 -08:00
c5d30b58a1
Implemented metadata permissions: property, closes #1636
2022-12-12 18:40:45 -08:00
8bf06a76b5
register_permissions() plugin hook ( #1940 )
...
* Docs for permissions: in metadata, refs #1636
* Refactor default_permissions.py to help with implementation of #1636
* register_permissions() plugin hook, closes #1939 - also refs #1938
* Tests for register_permissions() hook, refs #1939
* Documentation for datasette.permissions, refs #1939
* permission_allowed() falls back on Permission.default, refs #1939
* Raise StartupError on duplicate permissions
* Allow dupe permisisons if exact matches
2022-12-12 18:05:54 -08:00
83a6872d1b
Include views in SQL autocomplete, refs #1897
2022-11-17 18:53:48 -08:00
98611b3da0
Include SQL schema for CodeMirror on query pages, closes #1897
...
Refs #1893
2022-11-17 17:24:44 -08:00
bcc781f4c5
Implementation and tests for _r field on actor, refs #1855
...
New mechanism for restricting permissions further for a given actor.
This still needs documentation. It will eventually be used by the mechanism to issue
signed API tokens that are only able to perform a subset of actions.
This also adds tests that exercise the POST /-/permissions tool, refs #1881
2022-11-03 17:12:23 -07:00
5be86d48b2
Fix display of padlocks on database page, closes #1848
2022-10-23 19:42:30 -07:00
78dad236df
check_visibility can now take multiple permissions into account
...
Closes #1829
2022-10-23 19:11:33 -07:00
1a5e5f2aa9
Refactor breadcrumbs to respect permissions, refs #1831
2022-10-13 14:42:52 -07:00
c09c53f345
New handle_exception plugin hook, refs #1770
...
Also refs:
- https://github.com/simonw/datasette-sentry/issues/1
- https://github.com/simonw/datasette-show-errors/issues/2
2022-07-17 16:24:39 -07:00
194e4f6c3f
Removed check_permission() from BaseView, closes #1677
...
Refs #1660
2022-03-21 11:41:56 -07:00
baf986c871
New get_metadata() plugin hook for dynamic metadata
...
The following hook is added:
get_metadata(
datasette=self, key=key, database=database, table=table,
fallback=fallback
)
This gets called when we're building our metdata for the rest
of the system to use. We merge whatever the plugins return
with any local metadata (from metadata.yml/yaml/json) allowing
for a live-editable dynamic Datasette.
As a security precation, local meta is *not* overwritable by
plugin hooks. The workflow for transitioning to live-meta would
be to load the plugin with the full metadata.yaml and save.
Then remove the parts of the metadata that you want to be able
to change from the file.
* Avoid race condition: don't mutate databases list
This avoids the nasty "RuntimeError: OrderedDict mutated during
iteration" error that randomly happens when a plugin adds a
new database to Datasette, using `add_database`. This change
makes the add and remove database functions more expensive, but
it prevents the random explosion race conditions that make for
confusing user experience when importing live databases.
Thanks, @brandonrobertz
2021-06-26 15:24:54 -07:00
a882d67962
Modernize code to Python 3.6+ ( #1158 )
...
* Compact dict and set building
* Remove redundant parentheses
* Simplify chained conditions
* Change method name to lowercase
* Use triple double quotes for docstrings
Thanks, @eumiro!
2020-12-23 09:04:32 -08:00
2a3d5b720b
Redirect /-/config to /-/settings, closes #1103
2020-11-24 12:19:14 -08:00
222f79bb4c
debug-menu permission, closes #1068
...
Also added tests for navigation menu logic.
2020-10-30 08:41:57 -07:00
78b3eeaad9
.blob output renderer
...
* _blob_hash= checking plus refactored to use new BadRequest class, refs #1050
* Replace BlobView with new .blob renderer, closes #1050
* .blob downloads on arbitrary queries, closes #1051
2020-10-29 15:01:38 -07:00
7d9fedc176
Cascading permissions for .db download, closes #1058
2020-10-27 20:15:41 -07:00
5a15197960
/db/table/-/blob/pk/column.blob download URL, refs #1036
2020-10-24 16:09:18 -07:00
a648bb82ba
Upgrade to Black 20.8b1, closes #958
2020-09-02 15:24:55 -07:00
12c0bc09cc
/-/allow-debug tool, closes #908
2020-07-24 15:55:10 -07:00
57879dc8b3
Better titles for canned query pages, closes #887
2020-07-01 17:23:37 -07:00
d6e03b0430
Cascading view permissions, closes #832
...
- If you have table permission but not database permission you can now view the table page
- New BaseView.check_permissions() method
2020-06-30 16:40:50 -07:00
308bcc8805
Fixed test_permissions_debug
2020-06-11 17:25:12 -07:00
29c5ff493a
view-instance permission for debug URLs, closes #833
2020-06-11 15:14:51 -07:00
57e812d5de
ds_author cookie can now expire, closes #829
...
Refs https://github.com/simonw/datasette-auth-github/issues/62#issuecomment-642152076
2020-06-10 12:39:54 -07:00
5ef3b7b0c9
Applied Black
...
Refs #825
2020-06-09 12:25:48 -07:00
7633b9ab24
unauthenticated: true method plus allow block docs, closes #825
2020-06-09 10:01:03 -07:00
49d6d2f7b0
allow_sql block to control execute-sql upermission in metadata.json, closes #813
...
Also removed the --config allow_sql:0 mechanism in favour of the new allow_sql block.
2020-06-08 17:05:44 -07:00
040fc0546f
Updated tests, refs #817
2020-06-08 12:02:56 -07:00
5598c5de01
Database list on index page respects table/view permissions, refs #811
2020-06-08 11:34:14 -07:00
dcec89270a
View list respects view-table permission, refs #811
...
Also makes a small change to the /fixtures.json JSON:
"views": ["view_name"]
Is now:
"views": [{"name": "view_name", "private": true}]
2020-06-08 11:20:59 -07:00
9ac27f67fe
Show padlock on private query page, refs #811
2020-06-08 11:13:32 -07:00
aa420009c0
Show padlock on private table page, refs #811
2020-06-08 11:07:11 -07:00
3ce7f2e7da
Show padlock on private database page, refs #811
2020-06-08 07:23:10 -07:00
1cf86e5ecc
Show padlock on private index page, refs #811
2020-06-08 07:18:47 -07:00
cc218fa9be
Move assert_permissions_checked() calls from test_html.py to test_permissions.py, refs #811
2020-06-08 07:02:31 -07:00
Simon Willison