Datasette has an odd wrinkle in its permission system at the moment.
The current permission system mostly works by saying "here is the list of resources this user can perform action X" on.
The wrinkle is when a resource is meant to be private to the "owning" user only.
We added this to core quite recently: stored queries have owner_id and is_private column. If a query is marked as private the restriction_sql= mechanism is used such that NO OTHER USER can view-query, update-query, delete-query no matter what permissions they have.
Even a root user can't do those things - if site admins want to poke around in a user's private queries they have to consult internal SQLite directly themselves.
Here's where that was implemented: 316daf9#diff-1c8a70aa01c60ea886843849f8b00f8d47966b7b7a1b58d71444ae37a4938f85
The datasette-apps plugin now replicates the exact same pattern: https://github.com/datasette/datasette-apps/blob/53c28fcbce18893a503614f72aaf1fdb5dbbe964/datasette_apps/permissions.py#L96-L107
This is the best solution I could come up with for the "private things only accessible by their owners" pattern. I think it's OK, but there are a few outstanding issues:
- It's a weird pattern that different plugins end up duplicating, and they might differ in semantics or make mistakes.
- The datasette-acl and datasette-acl-share plugins provide a mechanism and UI for controlling permissions. This mechanism is not aware of the owner-private mechanism, which is confusing. Users might see a "share" dialog on one of their private resources which would not have the desired effect if they used it.
I think the way forward is to make "owned resources" a stable, documented concept in Datasette core. This would allow other plugins to more easily implement the pattern consistently, and it would also allow datasette-acl to detect if something is an owned resource and present the UI/API in a way that takes that into account.
Datasette has an odd wrinkle in its permission system at the moment.
The current permission system mostly works by saying "here is the list of resources this user can perform action X" on.
The wrinkle is when a resource is meant to be private to the "owning" user only.
We added this to core quite recently: stored queries have
owner_idandis_privatecolumn. If a query is marked as private therestriction_sql=mechanism is used such that NO OTHER USER canview-query,update-query,delete-queryno matter what permissions they have.Even a root user can't do those things - if site admins want to poke around in a user's private queries they have to consult internal SQLite directly themselves.
Here's where that was implemented: 316daf9#diff-1c8a70aa01c60ea886843849f8b00f8d47966b7b7a1b58d71444ae37a4938f85
The datasette-apps plugin now replicates the exact same pattern: https://github.com/datasette/datasette-apps/blob/53c28fcbce18893a503614f72aaf1fdb5dbbe964/datasette_apps/permissions.py#L96-L107
This is the best solution I could come up with for the "private things only accessible by their owners" pattern. I think it's OK, but there are a few outstanding issues:
I think the way forward is to make "owned resources" a stable, documented concept in Datasette core. This would allow other plugins to more easily implement the pattern consistently, and it would also allow
datasette-aclto detect if something is an owned resource and present the UI/API in a way that takes that into account.