issue_comments: 1350019528
html_url | issue_url | id | node_id | user | created_at | updated_at | author_association | body | reactions | issue | performed_via_github_app |
---|---|---|---|---|---|---|---|---|---|---|---|
https://github.com/simonw/datasette/issues/1947#issuecomment-1350019528 | https://api.github.com/repos/simonw/datasette/issues/1947 | 1350019528 | IC_kwDOBm6k_c5Qd6nI | 9599 | 2022-12-13T23:19:16Z | 2022-12-13T23:19:16Z | OWNER | Here's the checkbox prototype: ```diff diff --git a/datasette/templates/create_token.html b/datasette/templates/create_token.html index a94881ed..1795ebaf 100644 --- a/datasette/templates/create_token.html +++ b/datasette/templates/create_token.html @@ -2,11 +2,20 @@ {% block title %}Create an API token{% endblock %} +{% block extra_head %} +<style type="text/css"> +#restrict-permissions label { + display: inline; + width: 90%; +} +</style> +{% endblock %} + {% block content %} <h1>Create an API token</h1> -<p>This token will allow API access with the same abilities as your current user.</p> +<p>This token will allow API access with the same abilities as your current user, <strong>{{ request.actor.id }}</strong></p> {% if errors %} {% for error in errors %} 
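Review bot: The updated `<p>` still promises "the same abilities as your current user" even though this same change adds a section for restricting what the token can do, and the sentence has lost its closing full stop. Wording such as `<p>This token will allow API access as <strong>{{ request.actor.id }}</strong>, limited to any restrictions selected below.</p>` keeps the stated scope of the token accurate for the person creating it.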
@@ -27,8 +36,39 @@ <input type="text" name="expire_duration" style="width: 10%"> <input type="hidden" name="csrftoken" value="{{ csrftoken() }}"> <input type="submit" value="Create token"> - </div> + + <details style="margin-top: 1em" open id="restrict-permissions"> + <summary style="cursor: pointer;">Restrict actions that can be performed using this token</summary> + <h2>All databases and tables</h2> + <ul> + {% for permission in all_permissions %} + <li><label><input type="checkbox" name="all:{{ permission }}"> {{ permission }}</label></li> + {% endfor %} + </ul> + + {% for database in databases %} + <h2>All tables in database: {{ database }}</h2> + <ul> + {% for permission in database_permissions %} + <li><label><input type="checkbox" name="db:{{ database }}:{{ permission }}"> {{ permission }}</label></li> + {% endfor %} + </ul> + {% endfor %} + <h2>Specific tables</h2> + {% for dbt in database_with_tables %} + {% for table in dbt.tables %} + <h3>{{ dbt.database }}: {{ table }}</h3> + <ul> + {% for permission in table_permissions %} + <li><label><input type="checkbox" name="table:{{ dbt.database }}:{{ permission }}"> {{ permission }}</label></li> + {% endfor %} + </ul> + {% endfor %} + {% endfor %} + </details> + </form> +</div> {% if token %} <div> diff --git a/datasette/views/special.py b/datasette/views/special.py index 30345d14..48357f87 100644 --- a/datasette/views/special.py +++ b/datasette/views/special.py 
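Review bot: The per-table checkbox in the "Specific tables" loop is named `table:{{ dbt.database }}:{{ permission }}`, which leaves out `{{ table }}`, so every table in a database submits the same field name and the server cannot tell which table a restriction was ticked for. In a form whose purpose is narrowing a token's scope, that ambiguity risks a restriction being recorded against the wrong table or the whole database; the name should be `table:{{ dbt.database }}:{{ table }}:{{ permission }}`. Because `:` is also the field separator, database or table names that contain a colon would need an unambiguous encoding when the POST handler parses these names; that parsing is not part of this diff.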
@@ -231,12 +231,37 @@ class CreateTokenView(BaseView): return await self.render( ["create_token.html"], request, - {"actor": request.actor}, + { + "actor": request.actor, + "all_permissions": self.ds.permissions.keys(), + "database_permissions": [ + key + for key, value in self.ds.permissions.items() + if value.takes_database + ], + "table_permissions": [ + key + for key, value in self.ds.permissions.items() + if value.takes_resource + ], + "databases": [k for k in self.ds.databases.keys() if k != "_internal"], + "database_with_tables": [ + { + "database": db.name, + "tables": await db.table_names(), + } + for db in self.ds.databases.values() + if db.name != "_internal" + ], + }, ) async def post(self, request): self.check_permission(request) post = await request.post_vars() + from pprint import pprint + + pprint(post) errors = [] duration = None if post.get("expire_type"): ``` | {"total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0} | 1493390939 |
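Review bot: The new template context lists every database and table except `_internal` without checking what `request.actor` is allowed to see, so the token form may reveal names of databases and tables that are otherwise hidden from this user. Each comprehension should filter on visibility, for example `if db.name != "_internal" and await self.ds.permission_allowed(request.actor, "view-database", db.name)`, with the matching `view-table` check for each table name. The `from pprint import pprint` / `pprint(post)` lines in `post()` are debug output and should be dropped before merge, since they print the submitted form fields (presumably including `csrftoken`) to stdout. The method containing the `render` call starts above this hunk and `post()` continues below it.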