Skip to content

Introduce concept of "owned resources" for permissions (for discussion) #2793

Description

@simonw

Datasette has an odd wrinkle in its permission system at the moment.

The current permission system mostly works by saying "here is the list of resources this user can perform action X" on.

The wrinkle is when a resource is meant to be private to the "owning" user only.

We added this to core quite recently: stored queries have owner_id and is_private column. If a query is marked as private the restriction_sql= mechanism is used such that NO OTHER USER can view-query, update-query, delete-query no matter what permissions they have.

Even a root user can't do those things - if site admins want to poke around in a user's private queries they have to consult internal SQLite directly themselves.

Here's where that was implemented: 316daf9#diff-1c8a70aa01c60ea886843849f8b00f8d47966b7b7a1b58d71444ae37a4938f85

The datasette-apps plugin now replicates the exact same pattern: https://github.com/datasette/datasette-apps/blob/53c28fcbce18893a503614f72aaf1fdb5dbbe964/datasette_apps/permissions.py#L96-L107

This is the best solution I could come up with for the "private things only accessible by their owners" pattern. I think it's OK, but there are a few outstanding issues:

  1. It's a weird pattern that different plugins end up duplicating, and they might differ in semantics or make mistakes.
  2. The datasette-acl and datasette-acl-share plugins provide a mechanism and UI for controlling permissions. This mechanism is not aware of the owner-private mechanism, which is confusing. Users might see a "share" dialog on one of their private resources which would not have the desired effect if they used it.

I think the way forward is to make "owned resources" a stable, documented concept in Datasette core. This would allow other plugins to more easily implement the pattern consistently, and it would also allow datasette-acl to detect if something is an owned resource and present the UI/API in a way that takes that into account.

Metadata

Metadata

Assignees

No one assigned

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions