datasette
datasette copied to clipboard
simonw
Permissions defined in datasette.yml do not correctly obey the veto rule
https://docs.datasette.io/en/1.0a12/authentication.html#other-permissions-in-datasette-yaml describes how you can nest permissions in datasette.yml something like this:
databases:
docs:
permissions:
update-row:
id: editor
tables:
news:
update-low:
false
One would expect the above to allow editor to update row in any table in docs except for news - since that would fit the veto rule described in https://docs.datasette.io/en/1.0a12/authentication.html#how-permissions-are-resolved
But that's not actually what happens - in the above case (or a case like it) - as far as I can tell the database-level rule is obeyed and the table-level one is ignored.
I was testing this with:
datasette content.db --secret 1 \
-s plugins.datasette-unsafe-actor-debug.enabled 1 \
-s databases.content.tables.news.permissions.update-row false \
-s databases.content.permissions.update-row true \
--reload
It looks like this is the code at fault: https://github.com/simonw/datasette/blob/86335dc722d31dbf44c6d4bbffd7c5d2d11b1290/datasette/default_permissions.py#L175-L230
Also of note: since that's called by this parent function a related issue is that root gets a True for every check, even if there should have been a veto in place. Root is excluded from the veto rule (as it applies to configured permissions, not as it applies to permissions from other plugins) thanks to this:
https://github.com/simonw/datasette/blob/86335dc722d31dbf44c6d4bbffd7c5d2d11b1290/datasette/default_permissions.py#L130-L172
I don't like that. It should either be fixed or at least be documented.