Canned query permissions mechanism

[simonw]

Idea: default is anyone can execute a query.

Or you can specify the following:

{
    "databases": {
       "my-database": {
           "queries": {
               "add_twitter_handle": {
                   "sql": "insert into twitter_handles (username) values (:username)",
                   "write": true,
                   "allow": {
                       "id": ["simon"],
                       "role": ["staff"]
                   }
               }
           }
       }
    }
}

These get matched against the actor JSON. If any of the fields in any of the keys of "allow" match a key on the actor, the query is allowed.

"id": "*" matches any actor with an id key.

Originally posted by @simonw in #698 (comment)

[simonw]

Maybe #801 (configuring permissions with a SQL query) is enough here - might not need this mechanism at all, since that mechanism covers it.

[simonw]

It's a bit obscure though. I'll try building both and see how they feel in practice.

[simonw]

I like this mechanism better than the SQL query one. Constructing SQL queries that return true if a particular string is embedded inside a JSON list in a larger object is decidedly non-trivial.

[simonw]

I'm going to implement this documentation-first.

[simonw]

Docs here: https://github.com/simonw/datasette/blob/d4c7b85f556230923d37ff327a068ed08aa9b62b/docs/authentication.rst#setting-permissions-for-canned-queries

[simonw]

I should add the '*' bit to the docs.

[simonw]

Next step: a utility function and tests for matching actors to allow blocks.