API tokens with view-table but not view-database/view-instance cannot access the table

[simonw]

Spotted a problem while working on this: if you grant a token access to view table for a specific table but don't also grant view database and view instance permissions, that token is useless.

This was a deliberate design decision in Datasette - it's documented on https://docs.datasette.io/en/1.0a2/authentication.html#access-permissions-in-metadata

If a user cannot access a specific database, they will not be able to access tables, views or queries within that database. If a user cannot access the instance they will not be able to access any of the databases, tables, views or queries.

I'm now second-guessing if this was a good decision.

Originally posted by @simonw in simonw/datasette-auth-tokens#7 (comment)

[simonw]

I think I made this decision because I was thinking about default deny: obviously if a user has been denied access to a database. It doesn't make sense that they could access tables within it.

But now that I am spending more time with authentication tokens, which default to denying everything, except for the things that you have explicitly listed, this policy, no longer makes as much sense.

[simonw]

Relevant code:

datasette/datasette/app.py

Lines 822 to 855 in 0f7192b

	async def ensure_permissions(
	self,
	actor: dict,
	permissions: Sequence[Union[Tuple[str, Union[str, Tuple[str, str]]], str]],
	):
	"""
	permissions is a list of (action, resource) tuples or 'action' strings
	Raises datasette.Forbidden() if any of the checks fail
	"""
	assert actor is None or isinstance(actor, dict), "actor must be None or a dict"
	for permission in permissions:
	if isinstance(permission, str):
	action = permission
	resource = None
	elif isinstance(permission, (tuple, list)) and len(permission) == 2:
	action, resource = permission
	else:
	assert (
	False
	), "permission should be string or tuple of two items: {}".format(
	repr(permission)
	)
	ok = await self.permission_allowed(
	actor,
	action,
	resource=resource,
	default=None,
	)
	if ok is not None:
	if ok:
	return
	else:
	raise Forbidden(action)

[simonw]

I tried some code spelunking and came across d6e03b0 which says:

• If you have table permission but not database permission you can now view the table page

Refs:

• Having view-table permission but NOT view-database should still grant access to /db/table #832

Which suggests that my initial design decision wasn't what appears to be implemented today.

Needs more investigation.

[simonw]

This might only be an issue with the code that checks _r on actors.

datasette/datasette/default_permissions.py

Lines 185 to 222 in 0f7192b

	if "_r" not in actor:
	# No restrictions, so we have no opinion
	return None
	_r = actor.get("_r")
	# Does this action have an abbreviation?
	to_check = {action}
	permission = datasette.permissions.get(action)
	if permission and permission.abbr:
	to_check.add(permission.abbr)
	# If _r is defined then we use those to further restrict the actor
	# Crucially, we only use this to say NO (return False) - we never
	# use it to return YES (True) because that might over-ride other
	# restrictions placed on this actor
	all_allowed = _r.get("a")
	if all_allowed is not None:
	assert isinstance(all_allowed, list)
	if to_check.intersection(all_allowed):
	return None
	# How about for the current database?
	if isinstance(resource, str):
	database_allowed = _r.get("d", {}).get(resource)
	if database_allowed is not None:
	assert isinstance(database_allowed, list)
	if to_check.intersection(database_allowed):
	return None
	# Or the current table? That's any time the resource is (database, table)
	if resource is not None and not isinstance(resource, str) and len(resource) == 2:
	database, table = resource
	table_allowed = _r.get("r", {}).get(database, {}).get(table)
	# TODO: What should this do for canned queries?
	if table_allowed is not None:
	assert isinstance(table_allowed, list)
	if to_check.intersection(table_allowed):
	return None
	# This action is not specifically allowed, so reject it
	return False

Added in bcc781f - refs:

• datasette create-token ability to create tokens with a reduced set of permissions #1855

[simonw]

Here's that crucial comment:

If _r is defined then we use those to further restrict the actor.

Crucially, we only use this to say NO (return False) - we never use it to return YES (True) because that might over-ride other restrictions placed on this actor

So that's why I implemented it like this.

The goal here is to be able to issue a token which can't do anything more than the actor it is associated with, but CAN be configured to do less.

So I think the solution here is for the _r checking code to perhaps implement its own view cascade logic - it notices if you have view-table and consequently fails to block view-table and view-instance.

I'm not sure that's going to work though - would that mean that granting view-table grants view-database in a surprising and harmful way?

Maybe that's OK: if you have view-database but permission checks fail for individual tables and queries you shouldn't be able to see a thing that you shouldn't. Need to verify that though.

Also, do Permission instances have enough information to implement this kind of cascade without hard-coding anything?

[simonw]

Confirmed that this is an issue with regular Datasette signed tokens as well. I created one on https://latest.datasette.io/-/create-token with these details:

{
    "_r": {
        "r": {
            "fixtures": {
                "sortable": [
                    "vt"
                ]
            }
        }
    },
    "a": "root",
    "d": 3600,
    "t": 1689614483
}

Run like this:

curl -H 'Authorization: Bearer dstok_eyJhIjoicm9vdCIsInQiOjE2ODk2MTQ0ODMsImQiOjM2MDAsIl9yIjp7InIiOnsiZml4dHVyZXMiOnsic29ydGFibGUiOlsidnQiXX19fX0.n-VGxxawz1Q0WK7sqLfhXUgcvY0' \
  https://latest.datasette.io/fixtures/sortable.json

Returned an HTML Forbidden page:

<!DOCTYPE html>
<html>
<head>
    <title>Forbidden</title>
    <link rel="stylesheet" href="/-/static/app.css?d59929">
...

Same token againts /-/actor.json returns:

{
  "actor": {
    "id": "root",
    "token": "dstok",
    "_r": {
      "r": {
        "fixtures": {
          "sortable": [
            "vt"
          ]
        }
      }
    },
    "token_expires": 1689618083
  }
}

Reminder - "_r" means restrict, "r" means resource.

[simonw]

I think I've figured out the problem here.

The question being asked is "can this actor access this resource, which is within this database within this instance".

The answer to this question needs to consider the full set of questions at once - yes they can access within this instance IF they have access to the specified table and that's the table being asked about.

But the questions are currently being asked independently, which means the plugin hook acting on view-instance can't see that the answer here should be yes because it's actually about a table that the actor has explicit permission to view.

So I think I may need to redesign the plugin hook to always see the full hierarchy of checks, not just a single check at a time.

[simonw]

This is the hook in question:

datasette/datasette/hookspecs.py

Lines 108 to 110 in bdf59eb

	@hookspec
	def permission_allowed(datasette, actor, action, resource):
	"""Check if actor is allowed to perform this action - return True, False or None"""

• True means they are allowed to access it. You only need a singleTrue from a plugin to allow it.
• False means they are not, and just one False from a plugin will deny it (even if another one returned True I think)
• None means that the plugin has no opinion on this question.