Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Way to enable a default=False permission for anonymous users #825

Closed
simonw opened this issue Jun 9, 2020 · 6 comments
Closed

Way to enable a default=False permission for anonymous users #825

simonw opened this issue Jun 9, 2020 · 6 comments
Labels
authentication-and-permissions
Milestone
Datasette 0.44

Comments

@simonw
Copy link
Owner

simonw commented Jun 9, 2020
edited
Loading

I'd like plugins to be able to ship with a default that says "anonymous users cannot do this", but allow site administrators to over-ride that such that anonymous users can use the feature after all.

This is tricky because right now the anonymous user doesn't have an actor dictionary at all, so there's no key to match to an allow block.
@simonw simonw added this to the Datasette 0.44 milestone Jun 9, 2020
@simonw
Copy link
Owner Author

simonw commented Jun 9, 2020
edited
Loading

Idea: the anonymous actor could be passed to actor_matches_allow() as:

{"anonymous": true}

Then allow blocks like this could be used to allow them:

{
    "plugins": {
        "datasette-upload-csvs": {
            "allow": {
                 "anonymous": true
            }
        }
    }
}

simonw added a commit that referenced this issue Jun 9, 2020
@simonw
Test for anonymous: true, refs #825
eb3ec27
simonw added a commit that referenced this issue Jun 9, 2020
@simonw
Support anonymous: true in actor_matches_allow, refs #825
fec7504
@simonw simonw changed the title Way to open a default False permission to anonymous users Way to enable a default=False permission for anonymous users Jun 9, 2020
@simonw
Copy link
Owner Author

simonw commented Jun 9, 2020

I'm torn between anonymous and anon - because the latter is less typing, and I envisage people writing a lot of code like this:

    if actor.get("anonymous"):
        # ...

I'm going with anonymous because it's that tiny bit clearer than anon.

@simonw
Copy link
Owner Author

simonw commented Jun 9, 2020
edited
Loading

Alternative design: leave actor alone. Instead specify that allow blocks can look like this:

{
    "allow": {
        "unauthenticated": true
    }
}

I like this: the above block is very self-documenting.

The "id": "*" mechanism means there is already precedent for allow keys with special meaning.

I'm going with this design.

@simonw
Copy link
Owner Author

simonw commented Jun 9, 2020

When I implement this I should also document default allow vs default deny as a concept, and specify that default next to every documented permission.

@simonw simonw closed this as completed in 7633b9a Jun 9, 2020
@simonw
Copy link
Owner Author

simonw commented Jun 9, 2020

Documented at the bottom of this section: https://github.com/simonw/datasette/blob/7633b9ab249b2dce5ee0b4fcf9542c13a1703ef0/docs/authentication.rst#defining-permissions-with-allow-blocks

@simonw
Copy link
Owner Author

simonw commented Jun 9, 2020

https://datasette.readthedocs.io/en/latest/authentication.html#defining-permissions-with-allow-blocks

simonw added a commit that referenced this issue Jun 9, 2020
@simonw
Applied Black
5ef3b7b 
Refs #825
simonw added a commit that referenced this issue Jun 12, 2020
@simonw
Release Datasette 0.44
b906030 
Refs #395, #519, #576, #699, #706, #774, #777, #781, #784, #788, #790, #797,
#798, #800, #802, #804, #819, #822, #825, #826, #827, #828, #829, #830,
#833, #836, #837, #839

Closes #806.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
authentication-and-permissions
Projects
None yet
Milestone
Datasette 0.44
Development

No branches or pull requests
1 participant
@simonw