Finely grained permissions

[simonw]

Here's the documentation I wrote for finely grained permissions, which are not yet implemented:

---

Finely grained permissions

Using an "allow" block as described above grants full permission to the features enabled by the API.

The API implements several new Datasett permissions, which other plugins can use to make more finely grained decisions.

The full set of permissions are as follows:

• insert-api:all - all permissions - this is used by the "allow" block described above. Argument: database_name
• insert-api:insert-update - the ability to insert data into an existing table, or to update data by its primary key. Arguments: (database_name, table_name)
• insert-api:create-table - the ability to create a new table. Argument: database_name
• insert-api:alter-table - the ability to add columns to an existing table (using ?alter=1). Arguments: (database_name, table_name)

You can use plugins like datasette-permissions-sql to hook into these more detailed permissions for finely grained control over what actions each authenticated actor can take.

Plugins that implement the permission_allowed() plugin hook can take full control over these permission decisions.

Originally posted by @simonw in #4 (comment)

[simonw]

To implement the finely grained permissions I need to switch over to calling datasette.permission_allowed() - https://datasette.readthedocs.io/en/stable/internals.html#await-permission-allowed-actor-action-resource-none-default-false

Then I can implement a default permission check that uses the "allow" block from the datasette-insert-api plugin config - at least to check insert-api:all.

I'll have to think a bit about how to write robust tests for all four of those permissions though. I think I'll need the tests themselves to define a plugin which gets used for the duration of the authentication tests. Maybe a plugin function they can mock so they can check that it was called correctly.

[simonw]

Implementing insert-api:create-table is a tiny bit tricky, because sqlite-utils doesn't currently provide a way to opt-out of automatic table creation. I'll have to add a separate if db[table].exists() check to the view.

[simonw]

Documentation: https://github.com/simonw/datasette-insert-api/blob/9309f8851f466181213bda8ff1d3b84211796bc4/README.md#finely-grained-permissions

Tests: https://github.com/simonw/datasette-insert-api/blob/9309f8851f466181213bda8ff1d3b84211796bc4/tests/test_insert_api.py#L156-L244

[simonw]

Wrote up the testing pattern here: https://github.com/simonw/til/blob/master/pytest/registering-plugins-in-tests.md