A Datasette plugin that allows you to dynamically set permissions for users, groups, data and plugins using a new DB: live_permissions.db. In addition to checking and responding to permission requests, it also listens for new users and permissions and automatically adds them to the DB, easing management. This plugin integrates with the rest of the datasette-live plugins.
Installing via GitHub is the simplest.
datasette install git+https://github.com/next-LI/datasette-live-permissions.git
That's it! You can specify a version, branch or SHA1 by adding an @ symbol followed by the identifier, e.g.: @v1.0.8
Install this plugin in the same environment as Datasette.
python setup.py install
This plugin adds a database which will be populated with users, actions and resources that are requested from the various parts of Datasette. You can set configuration by granting access to users/groups to actions/resources via the live_permissions table.
Optionally, you can set the directory where the live_permissions.db file lives in your metadata.yml:
datasette-live-permissions:
  db_path: /path/to/databases
By default, the directory is assumed to be the current working directory that Datasette is running from (e.g., ./).
If you set this directory to somewhere that Datasette isn't expecting to look for databases, you won't be able to change any permissions via the UI!
Permissions in this permission database map back to permission checks made via Datasette's internal datasette.permission_allowed function.
await datasette.permission_allowed(
actor, "view-database", ("my-database","my-table")
)
is equivalent to the following row in the actions_resources table:
# Table: actions_resources (ids are arbitrary here)
id, action, resource_primary, resource_secondary
1, "view-database", "my-database", "my-table"
Leaving resource_primary or resource_secondary blank makes that field match any permission check, regardless of whether the check sets that field or not. So, for example, to grant a user view-database access to all DBs and tables, you'd grant a user this actions_resources entry:
id, action, resource_primary, resource_secondary
2, "view-database", null, null
The same goes for users: setting a value of null together with a lookup key grants access to any user whose actor object has that key set, whatever its value. Be careful how you use null in your permissions!
The ability to change permissions is determined by the "live-permissions-edit" permission. You can restrict permission to a specific DB with the ("live-permissions-edit", DB_NAME) permission tuple.
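As an added illustration (not the plugin's own code), here are the null-wildcard rules above applied against a constructed in-memory stand-in for live_permissions.db. The grants table, its columns, and the sample rows are assumptions for this example; the README only shows the actions_resources table.

```python
import sqlite3

# Constructed, simplified stand-in for live_permissions.db. The schema is an
# assumption for this example, not the plugin's own; only the wildcard rules
# described in the README are modelled.
SCHEMA = """
CREATE TABLE actions_resources (
  id INTEGER PRIMARY KEY, action TEXT NOT NULL,
  resource_primary TEXT, resource_secondary TEXT);
CREATE TABLE grants (
  id INTEGER PRIMARY KEY, actor_key TEXT NOT NULL, actor_value TEXT,
  actions_resources_id INTEGER REFERENCES actions_resources(id));
"""

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO actions_resources VALUES (?,?,?,?)", [
        (1, "view-database", "my-database", "my-table"),
        (2, "view-database", None, None),            # null: any DB, any table
        (3, "live-permissions-edit", "my-database", None),
    ])
    db.executemany("INSERT INTO grants VALUES (?,?,?,?)", [
        (1, "id", "alice", 1),  # alice: only my-database / my-table
        (2, "id", "bob", 2),    # bob: view-database everywhere
        (3, "role", None, 3),   # null value: any actor that has a "role" key
    ])
    return db

def permission_allowed(db, actor, action, resource=None):
    """Allow if some grant for this actor points at an actions_resources row
    whose non-null resource fields equal the requested resource."""
    if actor is None:
        return False
    primary, secondary = resource if isinstance(resource, tuple) else (resource, None)
    rows = db.execute("""
        SELECT g.actor_key, g.actor_value FROM grants g
        JOIN actions_resources ar ON ar.id = g.actions_resources_id
        WHERE ar.action = ?
          AND (ar.resource_primary IS NULL OR ar.resource_primary = ?)
          AND (ar.resource_secondary IS NULL OR ar.resource_secondary = ?)
    """, (action, primary, secondary)).fetchall()
    # Actor matching: the key must be present; a null value matches any value.
    return any(key in actor and (value is None or actor[key] == value)
               for key, value in rows)
```

Note how the role grant with a null value lets through every actor that merely has a "role" key, which is exactly the footgun the warning above is about.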
To set up this plugin locally, first check out the code. Then create a new virtual environment:
cd datasette-live-permissions
python3 -mvenv venv
source venv/bin/activate
Or if you are using pipenv:
pipenv shell
Now install the dependencies and tests:
pip install -e '.[test]'
To run the tests:
pytest