allow_by_query setting for configuring permissions with a SQL statement #801

Closed
simonw opened this issue Jun 5, 2020 · 6 comments

@simonw
Owner

simonw commented Jun 5, 2020

Idea: an "allow_sql" key with a SQL query that gets passed the actor JSON as :actor and can extract the relevant keys from it and return 1 or 0.

Originally posted by @simonw in #698 (comment)

See also #800

@simonw simonw added this to the Datasette 1.0 milestone Jun 5, 2020
@simonw simonw changed the title Canned query SQL configure permissions Canned query SQL configured permissions Jun 5, 2020
@simonw simonw modified the milestones: Datasette 1.0, Datasette 0.44 Jun 6, 2020
@simonw simonw changed the title Canned query SQL configured permissions allow_sql setting for configuring permssions with a SQL statement Jun 7, 2020
@simonw simonw modified the milestones: Datasette 1.0, Datasette 0.44 Jun 7, 2020
@simonw
Owner Author

simonw commented Jun 7, 2020

Now that I'm expanding permission checks to everything else too (#811), not just canned queries, I think it makes sense to re-prioritize this.

@simonw
Owner Author

simonw commented Jun 7, 2020

I'm going to pass the entire actor object as a dictionary of available named query parameters. So if the actor looks like this:

{
    "id": "simonw",
    "roles": ["staff", "developer"]
}

Then the SQL query will be called like this:

conn.execute(sql, {
  "id": "simonw",
  "roles": '["staff", "developer"]',
})

@simonw simonw changed the title allow_sql setting for configuring permssions with a SQL statement allow_by_query setting for configuring permissions with a SQL statement Jun 8, 2020
@simonw
Owner Author

simonw commented Jun 8, 2020

I'm going to call this key "allow_by_query" - I think I need allow_sql for something else (for configuring if users are allowed to execute arbitrary SQL queries).

@simonw
Owner Author

simonw commented Jun 8, 2020

Example. This will only allow users to access the fixtures database if the logged-in actor's ID value appears for a record in the users table which has admin = 1.

{
    "databases": {
        "fixtures": {
            "allow_by_query": "select * from users where id = :id and admin = 1"
        }
    }
}
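
Added example, not part of the original thread and not Datasette's or the plugin's own code: a sketch of the check discussed above, binding the actor as named parameters and running the `allow_by_query` statement from the example configuration. The function names, the `users` table contents and the rule "a returned row means allow, anything else denies" are assumptions made for illustration; a query written in the "return 1 or 0" style from the first comment would need its first column checked instead.

```python
import json
import sqlite3

# Query taken from the thread's example configuration.
ALLOW_BY_QUERY = "select * from users where id = :id and admin = 1"


def actor_to_params(actor):
    """Turn the actor dict into named SQL parameters.

    Lists and dicts are JSON-encoded, as in the thread's "roles" example,
    because SQLite can only bind scalar values.
    """
    return {
        key: json.dumps(value) if isinstance(value, (list, dict)) else value
        for key, value in actor.items()
    }


def allowed_by_query(conn, sql, actor):
    """Assumed semantics: allow only if the query returns at least one row."""
    if not actor:
        return False  # anonymous request: nothing to bind, so deny
    try:
        row = conn.execute(sql, actor_to_params(actor)).fetchone()
    except sqlite3.Error:
        # Fail closed, e.g. the query uses :id but the actor has no "id" key.
        return False
    return row is not None


def demo():
    """Run the check against a constructed users table and constructed actors."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "create table users (id text primary key, admin integer);"
        "insert into users values ('simonw', 1), ('guest', 0);"
    )
    actors = {
        "admin": {"id": "simonw", "roles": ["staff", "developer"]},
        "non_admin": {"id": "guest"},
        # Bound values are treated as data, so SQL text inside an id cannot match.
        "sql_in_id": {"id": "guest' or admin = 1 --"},
        "missing_id": {"name": "simonw"},
        "anonymous": None,
    }
    return {k: allowed_by_query(conn, ALLOW_BY_QUERY, a) for k, a in actors.items()}


if __name__ == "__main__":
    print(demo())
```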

@simonw
Owner Author

simonw commented Jun 8, 2020

Dropping this out of Datasette 0.44 again - I have enough other stuff to finish, this can wait.

@simonw
Owner Author

simonw commented Jun 11, 2020

I've implemented this in a plugin instead: https://github.com/simonw/datasette-permissions-sql

@simonw simonw closed this as completed Jun 11, 2020
@simonw simonw added the wontfix label Jun 11, 2020