{"html_url": "https://github.com/simonw/datasette/issues/832#issuecomment-642412017", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/832", "id": 642412017, "node_id": "MDEyOklzc3VlQ29tbWVudDY0MjQxMjAxNw==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-11T05:13:59Z", "updated_at": "2020-06-11T05:13:59Z", "author_association": "OWNER", "body": "Relevant code:\r\n\r\nhttps://github.com/simonw/datasette/blob/ce4958018ede00fbdadf0c37a99889b6901bfb9b/datasette/views/table.py#L267-L272", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 636722501, "label": "Having view-table permission but NOT view-database should still grant access to /db/table"}, "performed_via_github_app": null} {"html_url": "https://github.com/simonw/datasette/issues/818#issuecomment-642420375", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/818", "id": 642420375, "node_id": "MDEyOklzc3VlQ29tbWVudDY0MjQyMDM3NQ==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-11T05:40:07Z", "updated_at": "2020-06-11T05:40:07Z", "author_association": "OWNER", "body": "https://github.com/simonw/datasette-permissions-sql is now released as a 0.1a here: https://pypi.org/project/datasette-permissions-sql/", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 634917088, "label": "Example permissions plugin"}, "performed_via_github_app": null} {"html_url": "https://github.com/simonw/datasette/issues/394#issuecomment-642522285", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/394", "id": 642522285, "node_id": "MDEyOklzc3VlQ29tbWVudDY0MjUyMjI4NQ==", "user": {"value": 58298410, "label": "LVerneyPEReN"}, "created_at": "2020-06-11T09:15:19Z", "updated_at": "2020-06-11T09:15:19Z", "author_association": 
"NONE", "body": "Hi @wragge,\r\n\r\nThis looks great, thanks for the share! I refactored it into a self-contained function, binding on a random available TCP port (multi-user context). I am using subprocess API directly since the `%run` magic was leaving defunct process behind :/\r\n\r\n![image](https://user-images.githubusercontent.com/58298410/84367566-b5d0d500-abd4-11ea-96e2-f5c05a28e506.png)\r\n\r\n```python\r\nimport socket\r\n\r\nfrom signal import SIGINT\r\nfrom subprocess import Popen, PIPE\r\n\r\nfrom IPython.display import display, HTML\r\nfrom notebook.notebookapp import list_running_servers\r\n\r\n\r\ndef get_free_tcp_port():\r\n    \"\"\"\r\n    Get a free TCP port.\r\n    \"\"\"\r\n    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n    tcp.bind(('', 0))\r\n    _, port = tcp.getsockname()\r\n    tcp.close()\r\n    return port\r\n\r\n\r\ndef datasette(database):\r\n    \"\"\"\r\n    Run datasette on an SQLite database.\r\n    \"\"\"\r\n    # Get current running servers\r\n    servers = list_running_servers()\r\n\r\n    # Get the current base url\r\n    base_url = next(servers)['base_url']\r\n\r\n    # Get a free port\r\n    port = get_free_tcp_port()\r\n\r\n    # Create a base url for Datasette using the proxy path\r\n    proxy_url = f'{base_url}proxy/absolute/{port}/'\r\n\r\n    # Display a link to Datasette\r\n    display(HTML(f'<p><a href=\"{proxy_url}\">View Datasette</a> (Click on the stop button to close the Datasette server)</p>'))\r\n\r\n    # Launch Datasette\r\n    with Popen(\r\n        [\r\n            'python', '-m', 'datasette', '--',\r\n            database,\r\n            '--port', str(port),\r\n            '--config', f'base_url:{proxy_url}'\r\n        ],\r\n        stdout=PIPE,\r\n        stderr=PIPE,\r\n        bufsize=1,\r\n        universal_newlines=True\r\n    ) as p:\r\n        print(p.stdout.readline(), end='')\r\n        while True:\r\n            try:\r\n                line = p.stderr.readline()\r\n                if not line:\r\n                    break\r\n                print(line, end='')\r\n                exit_code = p.poll()\r\n            except KeyboardInterrupt:\r\n                p.send_signal(SIGINT)\r\n```\r\n\r\nIdeally, I'd like some extra magic to notify users when they are closing the notebook tab and make them terminate the running datasette processes. I'll be looking for it.", "reactions": "{\"total_count\": 1, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 1, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 396212021, "label": "base_url configuration setting"}, "performed_via_github_app": null} {"html_url": "https://github.com/simonw/datasette/issues/832#issuecomment-642741930", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/832", "id": 642741930, "node_id": "MDEyOklzc3VlQ29tbWVudDY0Mjc0MTkzMA==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-11T15:35:53Z", "updated_at": "2020-06-11T15:36:05Z", "author_association": "OWNER", "body": "Maybe the fix here is to implement a `.check_permissions()` method which passes when the first permission passes?\r\n```python\r\nawait self.check_permissions(request, [\r\n    (\"view-table\", (database, table)),\r\n    (\"view-database\", database),\r\n    \"view-instance\",\r\n])\r\n```", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 636722501, "label": "Having view-table permission but NOT view-database should still grant access to /db/table"}, "performed_via_github_app": null} {"html_url": 
"https://github.com/simonw/datasette/pull/809#issuecomment-642745518", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/809", "id": 642745518, "node_id": "MDEyOklzc3VlQ29tbWVudDY0Mjc0NTUxOA==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-11T15:38:51Z", "updated_at": "2020-06-11T15:38:51Z", "author_association": "OWNER", "body": "The way to manually test this is to publish a database to each provider and then check that the `/-/messages` debug tool works.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 632919570, "label": "Publish secrets"}, "performed_via_github_app": null} {"html_url": "https://github.com/simonw/datasette/pull/809#issuecomment-642750790", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/809", "id": 642750790, "node_id": "MDEyOklzc3VlQ29tbWVudDY0Mjc1MDc5MA==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-11T15:42:23Z", "updated_at": "2020-06-11T15:42:23Z", "author_association": "OWNER", "body": " datasette publish heroku fixtures.db -n datasette-publish-secret --branch=master\r\n\r\nhttps://datasette-publish-secret.herokuapp.com/-/messages - Heroku works.\r\n", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 632919570, "label": "Publish secrets"}, "performed_via_github_app": null} {"html_url": "https://github.com/simonw/datasette/pull/809#issuecomment-642754589", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/809", "id": 642754589, "node_id": "MDEyOklzc3VlQ29tbWVudDY0Mjc1NDU4OQ==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-11T15:45:25Z", "updated_at": "2020-06-11T15:45:25Z", "author_association": "OWNER", "body": " datasette publish cloudrun fixtures.db --service datasette-publish-secret 
--branch=master\r\n\r\nhttps://datasette-publish-secret-j7hipcg4aq-uw.a.run.app/-/messages", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 632919570, "label": "Publish secrets"}, "performed_via_github_app": null} {"html_url": "https://github.com/simonw/datasette/pull/809#issuecomment-642772344", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/809", "id": 642772344, "node_id": "MDEyOklzc3VlQ29tbWVudDY0Mjc3MjM0NA==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-11T16:01:15Z", "updated_at": "2020-06-11T16:01:15Z", "author_association": "OWNER", "body": "```\r\ndatasette package fixtures.db --secret woot --branch master\r\nSending build context to Docker daemon 260.6kB\r\nStep 1/9 : FROM python:3.8\r\n3.8: Pulling from library/python\r\ne9afc4f90ab0: Downloading [=======> ] 7.195MB/50.39MB\r\n989e6b19a265: Downloading [============================> ] 4.475MB/7.812MB\r\naf14b6c2f878: Downloading [===========================> ] 5.422MB/9.996MB\r\n5573c4b30949: Waiting \r\n11a88e764313: Waiting \r\nee776f0e36af: Waiting \r\n513c90a1afc3: Waiting \r\ndf9b9e95bdb9: Waiting \r\n86c9edb54464: Waiting \r\n...\r\ndatasette package fixtures.db --secret woot --branch master\r\ndocker run -p 8001:8001 a155798bd842\r\n```\r\nThis works too.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 632919570, "label": "Publish secrets"}, "performed_via_github_app": null} {"html_url": "https://github.com/simonw/datasette/issues/832#issuecomment-642795966", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/832", "id": 642795966, "node_id": "MDEyOklzc3VlQ29tbWVudDY0Mjc5NTk2Ng==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-11T16:37:21Z", "updated_at": "2020-06-11T16:37:21Z", 
"author_association": "OWNER", "body": "How would I document this? Probably in another section on https://datasette.readthedocs.io/en/latest/authentication.html#permissions\r\n\r\nBut I'd also need to add documentation to the individual views stating what permissions are checked and in what order. I could do that on this page: https://datasette.readthedocs.io/en/latest/pages.html", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 636722501, "label": "Having view-table permission but NOT view-database should still grant access to /db/table"}, "performed_via_github_app": null} {"html_url": "https://github.com/simonw/datasette/issues/801#issuecomment-642870553", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/801", "id": 642870553, "node_id": "MDEyOklzc3VlQ29tbWVudDY0Mjg3MDU1Mw==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-11T18:58:49Z", "updated_at": "2020-06-11T18:58:49Z", "author_association": "OWNER", "body": "I've implemented this in a plugin instead: https://github.com/simonw/datasette-permissions-sql", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 631932926, "label": "allow_by_query setting for configuring permissions with a SQL statement"}, "performed_via_github_app": null} {"html_url": "https://github.com/simonw/datasette/issues/833#issuecomment-642874724", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/833", "id": 642874724, "node_id": "MDEyOklzc3VlQ29tbWVudDY0Mjg3NDcyNA==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-11T19:07:49Z", "updated_at": "2020-06-11T19:07:49Z", "author_association": "OWNER", "body": "A live demo running the `datasette-auth-github` plugin will help demonstrate this.", "reactions": "{\"total_count\": 0, \"+1\": 0, 
\"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 637253789, "label": "/-/metadata and so on should respect view-instance permission"}, "performed_via_github_app": null} {"html_url": "https://github.com/simonw/datasette/issues/220#issuecomment-642944645", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/220", "id": 642944645, "node_id": "MDEyOklzc3VlQ29tbWVudDY0Mjk0NDY0NQ==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-11T21:49:55Z", "updated_at": "2020-06-11T21:49:55Z", "author_association": "OWNER", "body": "I'm OK with not implementing this - I've got used to the existing mechanism, and it doesn't frustrate me enough to work on this more.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 314847571, "label": "Investigate syntactic sugar for plugins"}, "performed_via_github_app": null} {"html_url": "https://github.com/simonw/datasette/issues/824#issuecomment-642951150", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/824", "id": 642951150, "node_id": "MDEyOklzc3VlQ29tbWVudDY0Mjk1MTE1MA==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-11T22:00:17Z", "updated_at": "2020-06-11T22:00:17Z", "author_association": "OWNER", "body": "I got this working: https://github.com/simonw/datasette-auth-github/pull/64\r\n\r\nJust one problem: it uses the existing `ds_actor` cookie, which means it doesn't actually exercise the `actor_from_request` plugin!\r\n\r\nIt does use `register_routes` though.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 635108074, "label": "Example authentication plugin"}, "performed_via_github_app": null} {"html_url": 
"https://github.com/simonw/datasette/issues/824#issuecomment-642952962", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/824", "id": 642952962, "node_id": "MDEyOklzc3VlQ29tbWVudDY0Mjk1Mjk2Mg==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-11T22:01:58Z", "updated_at": "2020-06-11T22:01:58Z", "author_association": "OWNER", "body": "Alternative idea: a plugin that handles Bearer token authentication. Uses `metadata.json` with secret plugin values to map an incoming token to an actor dictionary, which can then be mapped to permissions.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 635108074, "label": "Example authentication plugin"}, "performed_via_github_app": null} {"html_url": "https://github.com/simonw/datasette/issues/824#issuecomment-642953605", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/824", "id": 642953605, "node_id": "MDEyOklzc3VlQ29tbWVudDY0Mjk1MzYwNQ==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-11T22:02:32Z", "updated_at": "2020-06-11T22:02:32Z", "author_association": "OWNER", "body": "`datasette-auth-tokens` can be the name. 
I can get a simple initial version of it running pretty quickly.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 635108074, "label": "Example authentication plugin"}, "performed_via_github_app": null} {"html_url": "https://github.com/simonw/datasette/issues/833#issuecomment-642958225", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/833", "id": 642958225, "node_id": "MDEyOklzc3VlQ29tbWVudDY0Mjk1ODIyNQ==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-11T22:15:32Z", "updated_at": "2020-06-11T22:15:32Z", "author_association": "OWNER", "body": "https://github.com/simonw/datasette/blob/29c5ff493ad7918b8fc44ea7920b41530e56dd5d/tests/test_permissions.py#L327-L348", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 637253789, "label": "/-/metadata and so on should respect view-instance permission"}, "performed_via_github_app": null} {"html_url": "https://github.com/simonw/datasette/issues/833#issuecomment-642902208", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/833", "id": 642902208, "node_id": "MDEyOklzc3VlQ29tbWVudDY0MjkwMjIwOA==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-11T20:08:57Z", "updated_at": "2020-06-11T20:08:57Z", "author_association": "OWNER", "body": "I'm tempted to add a `view-instance` check before routing any URLs, but that wouldn't be compatible with the idea in #832 that having `view-table` should be enough to view a table even if you don't pass `view-instance`.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 637253789, "label": "/-/metadata and so on should respect view-instance permission"}, 
"performed_via_github_app": null} {"html_url": "https://github.com/simonw/datasette/issues/833#issuecomment-642905424", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/833", "id": 642905424, "node_id": "MDEyOklzc3VlQ29tbWVudDY0MjkwNTQyNA==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-11T20:16:41Z", "updated_at": "2020-06-11T20:16:41Z", "author_association": "OWNER", "body": "I'll add a new test in `test_permissions.py` which locks down an instance and then loops through paths as the anonymous user making sure they aren't accessible.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 637253789, "label": "/-/metadata and so on should respect view-instance permission"}, "performed_via_github_app": null} {"html_url": "https://github.com/simonw/datasette/issues/832#issuecomment-642906681", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/832", "id": 642906681, "node_id": "MDEyOklzc3VlQ29tbWVudDY0MjkwNjY4MQ==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-11T20:19:47Z", "updated_at": "2020-06-11T20:20:02Z", "author_association": "OWNER", "body": "So for the following:\r\n```\r\nawait self.check_permissions(request, [\r\n (\"view-table\", (database, table)),\r\n (\"view-database\", database),\r\n \"view-instance\",\r\n])\r\n```\r\nThe logic is: if the first test returns `True`, you get access. If it returns `False` you are denied. 
If it says `None` then move on to the next check in the list and repeat.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 636722501, "label": "Having view-table permission but NOT view-database should still grant access to /db/table"}, "performed_via_github_app": null} {"html_url": "https://github.com/simonw/datasette/issues/832#issuecomment-642907021", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/832", "id": 642907021, "node_id": "MDEyOklzc3VlQ29tbWVudDY0MjkwNzAyMQ==", "user": {"value": 9599, "label": "simonw"}, "created_at": "2020-06-11T20:20:35Z", "updated_at": "2020-06-11T20:20:35Z", "author_association": "OWNER", "body": "I think the new `.check_permissions()` should be a documented utility that is available to plugins.\r\n Maybe a method on `datasette`?", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 636722501, "label": "Having view-table permission but NOT view-database should still grant access to /db/table"}, "performed_via_github_app": null}