`default_allow_sql` setting (a re-imagining of the old `allow_sql` setting)

[simonw]

In 49d6d2f as part of #813 I removed the allow_sql setting - on the basis that users could disable the ability to execute custom SQL queries using the new permission system instead.

I don't think this was the right decision. Disabling custom SQL is an important security capability, and explaining how to do it using permissions is significantly more complex than letting people know they can add --setting allow_sql off.

So I want to bring that setting back - maybe with a different, better name - and have it modify the default for that option if the permissions system doesn't have an opinion.

That way people can still use the setting but then use permissions to allow specific signed-in users access to execute SQL.

[simonw]

I think I may like disable_sql better. Some options:

• --setting allow_sql off (consistent with allow_facet and allow_download and allow_csv_stream - all which default to on already)
• --setting disable_sql on
• --setting disable_custom_sql on

The existence of three allow_* settings does make a strong argument for staying consistent with that.

[simonw]

I'm going to stick with --setting allow_sql off.

[simonw]

I think I can make this modification by teaching the default permissions code here to take the allow_sql setting into account:

datasette/datasette/default_permissions.py

Lines 38 to 45 in ff253f5

	elif action == "execute-sql":
	# Use allow_sql block from database block, or from top-level
	database_allow_sql = datasette.metadata("allow_sql", database=resource)
	if database_allow_sql is None:
	database_allow_sql = datasette.metadata("allow_sql")
	if database_allow_sql is None:
	return None
	return actor_matches_allow(actor, database_allow_sql)

[simonw]

The other option would be to use the setting to pick the default= argument when calling self.ds.permission_allowed( request.actor, "execute-sql", resource=database, default=True).

The problem with that is that there are actually a few different places which perform that check, so changing all of them raises the risk of missing one in the future:

datasette/datasette/views/table.py

Lines 436 to 444 in a6c8e7f

	# Add _where= from querystring
	if "_where" in request.args:
	if not await self.ds.permission_allowed(
	request.actor,
	"execute-sql",
	resource=database,
	default=True,
	):
	raise DatasetteError("_where= is not allowed", status=403)

datasette/datasette/views/table.py

Lines 964 to 966 in a6c8e7f

	"allow_execute_sql": await self.ds.permission_allowed(
	request.actor, "execute-sql", database, default=True
	),

datasette/datasette/views/database.py

Lines 220 to 221 in d23a267

	else:
	await self.check_permission(request, "execute-sql", database)

datasette/datasette/views/database.py

Lines 343 to 345 in d23a267

	allow_execute_sql = await self.ds.permission_allowed(
	request.actor, "execute-sql", database, default=True
	)

datasette/datasette/views/database.py

Lines 134 to 136 in d23a267

	"allow_execute_sql": await self.ds.permission_allowed(
	request.actor, "execute-sql", database, default=True
	),

[simonw]

I think the correct solution is for the default permissions logic to take the allow_sql setting into account, and to return False if that setting is set to off AND the current actor fails the actor_matches_allow checks.

[simonw]

My rationale for removing it: #813 (comment)

Naming problem: Datasette already has a config option with this name:

$ datasette serve data.db --config allow_sql:1

https://datasette.readthedocs.io/en/stable/config.html#allow-sql

It's confusing to have two things called allow_sql that do slightly different things.

I could retire the --config allow_sql:0 option entirely, since the new metadata.json mechanism can be used to achieve the exact same thing.

I'm going to do that.

This is true. The "allow_sql" permissions block in metadata.json does indeed have a name that is easily confused with --setting allow_sql off.

So I definitely need to pick a different name from the setting. --setting default_allow_sql off is a good option here.

[simonw]

One of these two options:

• --setting default_allow_sql off
• --setting allow_sql_default off

Existing settings from https://docs.datasette.io/en/0.58.1/settings.html with similar names that I need to be consistent with:

• default_page_size
• allow_facet
• default_facet_size
• allow_download
• default_cache_ttl
• default_cache_ttl_hashed
• allow_csv_stream

[simonw]

I think default_allow_sql is more consistent with the current naming conventions, because both allow and default are used as prefixes at the moment but neither of them are ever used as a suffix.

Plus default_allow_sql off makes sense to me but allow_default_sql off does not - what is "default SQL"?

[simonw]

If I was prone to over-thinking (which I am) I'd note that allow_facet and allow_download and allow_csv_stream are all settings that do NOT have an equivalent in the newer permissions system, which is itself a little weird and inconsistent.

So maybe there's a future task where I introduce those as both permissions and metadata "allow_x" blocks, then rename the settings themselves to be called default_allow_facet and default_allow_download and default_allow_csv_stream.

If I was going to do that I should get it in before Datasette 1.0.