issue_comments: 1691036559
This data as json
| html_url | issue_url | id | node_id | user | created_at | updated_at | author_association | body | reactions | issue | performed_via_github_app |
|---|---|---|---|---|---|---|---|---|---|---|---|
| https://github.com/simonw/datasette/issues/2102#issuecomment-1691036559 | https://api.github.com/repos/simonw/datasette/issues/2102 | 1691036559 | IC_kwDOBm6k_c5kyyuP | 9599 | 2023-08-24T05:40:53Z | 2023-08-24T05:40:53Z | OWNER | There might be an easier way to solve this. Here's some permission checks that run when hitting ``` permission_allowed: action=view-table, resource=('fixtures', 'facetable'), actor={'_r': {'a': ['vi'], 'd': {'fixtures': ['vd']}, 'r': {'fixtures': {'facetable': ['vt']}}}, 'a': 'user'} File "/datasette/views/table.py", line 727, in table_view_traced view_data = await table_view_data( File "/datasette/views/table.py", line 875, in table_view_data visible, private = await datasette.check_visibility( File "/datasette/app.py", line 890, in check_visibility await self.ensure_permissions(actor, permissions) permission_allowed: action=view-database, resource=fixtures, actor={'_r': {'a': ['vi'], 'd': {'fixtures': ['vd']}, 'r': {'fixtures': {'facetable': ['vt']}}}, 'a': 'user'} File "/datasette/views/table.py", line 727, in table_view_traced view_data = await table_view_data( File "/datasette/views/table.py", line 875, in table_view_data visible, private = await datasette.check_visibility( File "/datasette/app.py", line 890, in check_visibility await self.ensure_permissions(actor, permissions) permission_allowed: action=view-instance, resource=<None>, actor={'_r': {'a': ['vi'], 'd': {'fixtures': ['vd']}, 'r': {'fixtures': {'facetable': ['vt']}}}, 'a': 'user'} File "/datasette/views/table.py", line 727, in table_view_traced view_data = await table_view_data( File "/datasette/views/table.py", line 875, in table_view_data visible, private = await datasette.check_visibility( File "/datasette/app.py", line 890, in check_visibility await self.ensure_permissions(actor, permissions) ``` That's with a token that has the view instance, view database and view table permissions required. But... what if the restrictions logic said that if you have view-table you automatically also get view-database and view-instance? Would that actually let people do anything they shouldn't be able to do? I don't think it would even let them see a list of tables that they weren't allowed to visit, so it might be OK. I'll try that and see how it works. |
{
"total_count": 0,
"+1": 0,
"-1": 0,
"laugh": 0,
"hooray": 0,
"confused": 0,
"heart": 0,
"rocket": 0,
"eyes": 0
} |
1805076818 |