{"html_url": "https://github.com/simonw/datasette/issues/877#issuecomment-651984355", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/877", "id": 651984355, "node_id": "MDEyOklzc3VlQ29tbWVudDY1MTk4NDM1NQ==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-30T19:02:15Z", "updated_at": "2020-06-30T19:02:15Z", "author_association": "OWNER", "body": "https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#login-csrf\r\n\r\n> Login CSRF can be mitigated by creating pre-sessions (sessions before a user is authenticated) and including tokens in login form.\r\n\r\nSounds like regular CSRF protection to me.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 648421105, "label": "Consider dropping explicit CSRF protection entirely?"}, "performed_via_github_app": null} {"html_url": "https://github.com/simonw/datasette/issues/877#issuecomment-651984989", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/877", "id": 651984989, "node_id": "MDEyOklzc3VlQ29tbWVudDY1MTk4NDk4OQ==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-30T19:03:25Z", "updated_at": "2020-06-30T19:03:25Z", "author_association": "OWNER", "body": "Relevant: #835", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 648421105, "label": "Consider dropping explicit CSRF protection entirely?"}, "performed_via_github_app": null} {"html_url": "https://github.com/simonw/datasette/issues/832#issuecomment-651992737", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/832", "id": 651992737, "node_id": "MDEyOklzc3VlQ29tbWVudDY1MTk5MjczNw==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-30T19:19:33Z", "updated_at": "2020-06-30T19:20:02Z", 
"author_association": "OWNER", "body": "I already have this method on Datasette:\r\n```python\r\nasync def permission_allowed(self, actor, action, resource=None, default=False):\r\n```\r\nWhat would be a good method name that complements that and indicates \"check a list of permissions in order\"? Should it even run against the request or should you have to hand it `request.actor`?", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 636722501, "label": "Having view-table permission but NOT view-database should still grant access to /db/table"}, "performed_via_github_app": null} {"html_url": "https://github.com/simonw/datasette/issues/832#issuecomment-651993537", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/832", "id": 651993537, "node_id": "MDEyOklzc3VlQ29tbWVudDY1MTk5MzUzNw==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-30T19:21:15Z", "updated_at": "2020-06-30T19:21:15Z", "author_association": "OWNER", "body": "I could rename `permission_allowed()` to `check_permission()` and have a complementary `check_permissions()` method.\r\n\r\nThis is a breaking change but we're pre-1.0 so I think that's OK. 
I could even set up a temporary `permission_allowed()` alias which prints a deprecation warning to the console, then remove that at 1.0.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 636722501, "label": "Having view-table permission but NOT view-database should still grant access to /db/table"}, "performed_via_github_app": null} {"html_url": "https://github.com/simonw/datasette/issues/832#issuecomment-651993977", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/832", "id": 651993977, "node_id": "MDEyOklzc3VlQ29tbWVudDY1MTk5Mzk3Nw==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-30T19:22:06Z", "updated_at": "2020-06-30T19:22:06Z", "author_association": "OWNER", "body": "`permission_allowed` is already the name of the plugin hook. It's actually a bit confusing that it's also the name of a method on `datasette`.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 636722501, "label": "Having view-table permission but NOT view-database should still grant access to /db/table"}, "performed_via_github_app": null} {"html_url": "https://github.com/simonw/datasette/issues/832#issuecomment-651994978", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/832", "id": 651994978, "node_id": "MDEyOklzc3VlQ29tbWVudDY1MTk5NDk3OA==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-30T19:24:12Z", "updated_at": "2020-06-30T19:24:12Z", "author_association": "OWNER", "body": "Hah... but `check_permission` is a method on `BaseView`. 
Here are the various permission methods at the moment:\r\n\r\nhttps://github.com/simonw/datasette/blob/6c2634583627bfab750c115cb13850252821d637/datasette/default_permissions.py#L5-L14\r\n\r\nAnd on BaseView:\r\n\r\nhttps://github.com/simonw/datasette/blob/a8a5f813722f72703a7aae41135ccc40635cc02f/datasette/views/base.py#L65-L70", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 636722501, "label": "Having view-table permission but NOT view-database should still grant access to /db/table"}, "performed_via_github_app": null} {"html_url": "https://github.com/simonw/datasette/issues/832#issuecomment-651995453", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/832", "id": 651995453, "node_id": "MDEyOklzc3VlQ29tbWVudDY1MTk5NTQ1Mw==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-30T19:25:13Z", "updated_at": "2020-06-30T19:25:26Z", "author_association": "OWNER", "body": "I'm going to put the new `check_permissions()` method on `BaseView` as well. 
If I want that method to be available to plugins I can do so by turning that `BaseView` class into a documented API that plugins are encouraged to use themselves.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 636722501, "label": "Having view-table permission but NOT view-database should still grant access to /db/table"}, "performed_via_github_app": null} {"html_url": "https://github.com/simonw/datasette/issues/832#issuecomment-651999516", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/832", "id": 651999516, "node_id": "MDEyOklzc3VlQ29tbWVudDY1MTk5OTUxNg==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-30T19:33:49Z", "updated_at": "2020-06-30T21:34:59Z", "author_association": "OWNER", "body": "Tests needed for this:\r\n\r\n- If a user has view table but NOT view database / view instance, can they view the table page?\r\n- If a user has view canned query but NOT view database / view instance, can they view the canned query page?\r\n- If a user has view database but NOT view instance, can they view the database page?", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 636722501, "label": "Having view-table permission but NOT view-database should still grant access to /db/table"}, "performed_via_github_app": null} {"html_url": "https://github.com/simonw/datasette/issues/832#issuecomment-652103895", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/832", "id": 652103895, "node_id": "MDEyOklzc3VlQ29tbWVudDY1MjEwMzg5NQ==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-30T23:41:22Z", "updated_at": "2020-06-30T23:41:22Z", "author_association": "OWNER", "body": "I don't think this needs any additional documentation - the new behaviour matches how the permissions 
are documented here: https://datasette.readthedocs.io/en/0.44/authentication.html#built-in-permissions", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 636722501, "label": "Having view-table permission but NOT view-database should still grant access to /db/table"}, "performed_via_github_app": null} {"html_url": "https://github.com/simonw/datasette/issues/879#issuecomment-652105722", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/879", "id": 652105722, "node_id": "MDEyOklzc3VlQ29tbWVudDY1MjEwNTcyMg==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-30T23:48:06Z", "updated_at": "2020-06-30T23:48:06Z", "author_association": "OWNER", "body": "Updated documentation: https://datasette.readthedocs.io/en/latest/pages.html", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 648569227, "label": "Database page documentation still talks about hashes in URLs"}, "performed_via_github_app": null} {"html_url": "https://github.com/simonw/datasette/issues/876#issuecomment-652106227", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/876", "id": 652106227, "node_id": "MDEyOklzc3VlQ29tbWVudDY1MjEwNjIyNw==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-30T23:49:55Z", "updated_at": "2020-06-30T23:50:04Z", "author_association": "OWNER", "body": "Done: https://latest.datasette.io/-/patterns\r\n\r\n\"Datasette__Pattern_Portfolio\"", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 647879783, "label": "Add log out link to the pattern portfolio"}, "performed_via_github_app": null}