Permission bug in upsert API method

[simonw]

I just spotted this while working on #2261:

datasette/datasette/views/table.py

Lines 439 to 457 in 569aacd

	if upsert:
	# Must have insert-row AND upsert-row permissions
	if not (
	await self.ds.permission_allowed(
	request.actor, "insert-row", database_name, table_name
	)
	and await self.ds.permission_allowed(
	request.actor, "update-row", database_name, table_name
	)
	):
	return _error(
	["Permission denied: need both insert-row and update-row"], 403
	)
	else:
	# Must have insert-row permission
	if not await self.ds.permission_allowed(
	request.actor, "insert-row", resource=(database_name, table_name)
	):
	return _error(["Permission denied"], 403)

That looks wrong to me. Note how the later check does this:

self.ds.permission_allowed(request.actor, "insert-row", resource=(database_name, table_name))

But the earlier checks do this:

self.ds.permission_allowed(request.actor, "insert-row", database_name, table_name)

From looking at the code I think that second example is incorrect, it's using table_name as the default value:

datasette/datasette/app.py

Lines 898 to 900 in 569aacd

	async def permission_allowed(
	self, actor, action, resource=None, default=DEFAULT_NOT_SET
	):

[simonw]

I need tests to demonstrate how this broke things (and prove the fix).

More importantly though, this mistake makes me question if I should redesign the permission_allowed() function before 1.0 to make this kind of mistake less likely in the future.

[simonw]

I could design a keyword-argument-only version of this that uses database_name=, resource_name= - that would avoid conflicting with the existing resource= parameter.

[simonw]

From looking at this search https://github.com/search?q=owner%3Asimonw+%2Fawait+%5Cw%2B%5C.permission_allowed%2F+-repo%3Asimonw%2Fdatasette&type=code

I think I might be able to at least make default= a keyword-only argument. I think anywhere that is using it as a positional argument is a bug.

[simonw]

These are the tests that should be ensuring that this permission works correctly:

datasette/tests/test_api_write.py

Lines 287 to 301 in dcd9ea3

	# Upsert permissions
	(
	"/data/docs/-/upsert",
	{"rows": [{"id": 1, "title": "Disallowed"}]},
	"insert-but-not-update",
	403,
	["Permission denied: need both insert-row and update-row"],
	),
	(
	"/data/docs/-/upsert",
	{"rows": [{"id": 1, "title": "Disallowed"}]},
	"update-but-not-insert",
	403,
	["Permission denied: need both insert-row and update-row"],
	),

[simonw]

Since this looks like it should be a security bug I'm trying to figure out why the incorrect default (the string name of the table) was not being used here.

With the help of the debugger I got to this code:

datasette/datasette/app.py

Lines 902 to 918 in dcd9ea3

	result = None
	# Use default from registered permission, if available
	if default is DEFAULT_NOT_SET and action in self.permissions:
	default = self.permissions[action].default
	for check in pm.hook.permission_allowed(
	datasette=self,
	actor=actor,
	action=action,
	resource=resource,
	):
	check = await await_me_maybe(check)
	if check is not None:
	result = check
	used_default = False
	if result is None:
	result = default
	used_default = True

The default only gets used in that code if not a single one of the permission checks returns True or False - they have to ALL return None for the default to be returned.

Still not sure what's going on here, need to investigate deeper. I should look at how datasette.default_permissions.permission_allowed_default() works next.

[simonw]

I think the test is working because it tests against a token with "all" set for the specific action - I'm not actually testing that the per-database or per-table permissions are being respected here.

[simonw]

Some thing I need to do:

• A test that exercises database and table-level variants of the insert-row and update-row permissions
• Potentially a mechanism that prevents me from failing to test permissions at the resource level in general
• Documentation that very clearly explains how resource level permissions work
• Redesign the API for datasette.check_permission() method - get rid of that horrible resource as string or tuple-of-strings thing, and make default= a keyword-only argument

Since this requires changing the signature of that function I'm inclined to rename it instead, and have the old one stick around logging deprecation warnings.

[simonw]

I should release a new alpha with the smallest possible fix for this, and then redesign the method in the next release after that.

I could at least make default= a keyword-only argument though, I'm confident that won't break any code that's out there today.

[simonw]

I'm going to add a test that exercises just this upsert thing, and confirm it fails before my fix and passes after it.