datasette --default-deny option

[simonw]

I'm going to try adding this feature to see how it feels:

datasette --default-deny data.db --root

The --default-deny option would be passed as a keyword argument to the Datasette(..., default_deny=True) constructor, and set as datasette.default_deny=True on the instance.

It would then affect this code here:

datasette/datasette/default_permissions.py

Lines 348 to 367 in 354d7a2

	@hookimpl(specname="permission_resources_sql")
	async def default_action_permissions_sql(datasette, actor, action):
	"""Apply default allow rules for standard view/execute actions.
	With the INTERSECT-based restriction approach, these defaults are always generated
	and then filtered by restriction_sql if the actor has restrictions.
	"""
	default_allow_actions = {
	"view-instance",
	"view-database",
	"view-database-download",
	"view-table",
	"view-query",
	"execute-sql",
	}
	if action in default_allow_actions:
	reason = f"default allow for {action}".replace("'", "''")
	return PermissionSQL.allow(reason=reason)
	return None

If default_deny is set then those default rules are NOT added by that plugin hook implementation.

The goal of this feature is to make it as easy as possible for people to run a locked-down Datasette instance where only users who are authenticated using whatever extra auth mechanisms they configure can view anything.

I need this for Datasette Cloud.

[simonw]

Initial prototype implementation by Claude Code: http://gistpreview.github.io/?b24a4ed0f3953708fbb2aa22d09dbb0f

Summary:

Implementation Summary

1. CLI Option (datasette/cli.py)

• Added --default-deny flag to the serve command
• The flag is passed through to the Datasette constructor

2. Core Implementation (datasette/app.py)

• Added default_deny parameter to Datasette.init() with default value False
• Set self.default_deny instance attribute to track the setting

3. Permission Logic (datasette/default_permissions.py)

• Modified default_action_permissions_sql() function to check datasette.default_deny
• When enabled, it skips returning default allow rules for:
  • view-instance
  • view-database
  • view-database-download
  • view-table
  • view-query
  • execute-sql

4. Tests (tests/test_default_deny.py)

Created comprehensive tests covering:

• Default behavior: anonymous users can access content normally
• With --default-deny: anonymous users are denied access to all resources
• Root user retains full access even with --default-deny enabled
• Config allow blocks still work to grant specific permissions
• Basic permission checks for all default actions

5. Documentation (docs/authentication.rst)

Added a new section "Denying all permissions by default" that explains:

• The purpose and use cases for --default-deny
• How to use it with examples
• Interaction with root user and configuration rules
• Example showing how to grant access to specific authenticated users

Usage Example

# Run Datasette with all access denied by default
datasette --default-deny data.db --root

# With configuration to allow specific users
datasette --default-deny data.db --config datasette.yaml

All tests pass and the feature is fully documented and ready to use!

[simonw]

Apparently I already built a prototype of this before, in:

• Prototype what it would look like if you could start with default deny #2540

[simonw]

This new prototype is better than that old one.

[asg017]

👀