Authentication and permissions¶
Datasette doesn't require authentication by default. Any visitor to a Datasette instance can explore the full data and execute read-only SQL queries.
Datasette can be configured to only allow authenticated users, or to control which databases, tables, and queries can be accessed by the public or by specific users. Datasette's plugin system can be used to add many different styles of authentication, such as user accounts, single sign-on or API keys.
Actors¶
Through plugins, Datasette can support both authenticated users (with cookies) and authenticated API clients (via authentication tokens). The word "actor" is used to cover both of these cases.
Every request to Datasette has an associated actor value, available in the code as request.actor. This can be None for unauthenticated requests, or a JSON compatible Python dictionary for authenticated users or API clients.
The actor dictionary can be any shape - the design of that data structure is left up to the plugins. Actors should always include a unique "id" string, as demonstrated by the "root" actor below.
Plugins can use the actor_from_request(datasette, request) hook to implement custom logic for authenticating an actor based on the incoming HTTP request.
How actors are displayed¶
In a number of places - such as the navigation menu and the /-/logout page - Datasette needs to display a short label representing the currently authenticated actor.
To decide what to show, Datasette looks through the following keys in the actor dictionary and uses the value of the first one that is present and not empty:
displaynameusernameloginid
If none of those keys have a value the actor dictionary is displayed as a string instead.
Using the "root" actor¶
Datasette currently leaves almost all forms of authentication to plugins - datasette-auth-github for example.
The one exception is the "root" account, which you can sign into while using Datasette on your local machine. The root user starts with all permissions: Datasette contributes a global allow rule for every action. More specific deny rules can still override that global rule.
The --root flag is designed for local development and testing. When you start Datasette with --root, the root user automatically receives every permission, including:
All view permissions (
view-instance,view-database,view-table, etc.)All write permissions (
insert-row,update-row,delete-row,create-table,create-view,alter-table,set-column-type,drop-table,drop-view)Debug permissions (
permissions-debug,debug-menu)Any custom permissions defined by plugins
If you add explicit deny rules in datasette.yaml those can still block the
root actor from specific databases or tables.
The --root flag sets an internal root_enabled switch—without it, a signed-in user with {"id": "root"} is treated like any other actor.
To sign in as root, start Datasette using the --root command-line option, like this:
datasette --root
Datasette will output a single-use-only login URL on startup:
http://127.0.0.1:8001/-/auth-token?token=786fc524e0199d70dc9a581d851f466244e114ca92f33aa3b42a139e9388daa7
INFO: Started server process [25801]
INFO: Waiting for application startup.
INFO: Application startup complete.
INFO: Uvicorn running on http://127.0.0.1:8001 (Press CTRL+C to quit)
Click on that link and then visit http://127.0.0.1:8001/-/actor to confirm that you are authenticated as an actor that looks like this:
{
"id": "root"
}
Permissions¶
The key question the permissions system answers is this:
Is this actor allowed to perform this action, optionally against this particular resource?
Every permission decision can be understood in terms of those three values. Datasette implements the decisions using SQL, but you do not need to understand the generated SQL to configure or debug permissions.
Actors are described above.
An action is a string describing the action the actor would like to perform. A full list is provided below - examples include view-table and execute-sql.
A resource is the item the actor wishes to interact with - for example a specific database or table. Some actions, such as permissions-debug, are not associated with a particular resource.
Datasette's built-in view actions (view-database, view-table etc) are allowed by Datasette's default configuration: unless you configure additional permission rules unauthenticated users will be allowed to access content.
Other actions, including those introduced by plugins, will default to deny.
Denying all permissions by default¶
By default, Datasette allows unauthenticated access to view databases, tables, and execute SQL queries.
You may want to run Datasette in a mode where all access is denied by default, and you explicitly grant permissions only to authenticated users, either using the --root mechanism or through configuration file rules or plugins.
Use the --default-deny command-line option to run Datasette in this mode:
datasette --default-deny data.db --root
With --default-deny enabled:
Anonymous users are denied access to view the instance, databases, tables, and queries
Authenticated users are also denied access unless they're explicitly granted permissions
The root user (when using
--root) still has access to everythingYou can grant permissions using configuration file rules or plugins
For example, to allow only a specific user to access your instance:
datasette --default-deny data.db --config datasette.yaml
Where datasette.yaml contains:
allow:
id: alice
This configuration will deny access to everyone except the user with id of alice.
How permissions are resolved¶
Permission rules describe an effect (allow or deny) at one of three levels:
resourceA specific child resource, such as the
analytics/salestable.parentA parent resource, such as the
analyticsdatabase. A parent rule also applies to its child resources.globalEvery resource for that action.
Datasette resolves matching rules from most specific to least specific:
Resource rules take precedence over parent and global rules.
Parent rules take precedence over global rules.
If both allow and deny rules match at the same level, deny takes precedence.
If no rule matches, access is denied.
This means a resource-level allow can provide an exception to a parent-level deny. It also means that two plugins which disagree at the same level resolve to deny.
Matching rules |
Result |
Explanation |
|---|---|---|
Global allow |
Allow |
The global rule is the most specific matching rule. |
Global allow, parent deny |
Deny |
The parent rule is more specific. |
Parent deny, resource allow |
Allow |
The resource rule is more specific. |
Resource allow and resource deny |
Deny |
Deny takes precedence at the same level. |
No matching rules |
Deny |
Permissions default to deny when no rule applies. |
The built-in public defaults are global allow rules for actions such as view-instance, view-database and view-table. They follow the same precedence rules as configuration and plugin rules. The --default-deny option prevents Datasette from contributing those default allow rules.
Datasette performs checks using await .allowed(*, action, resource, actor=None), which accepts keyword arguments for action, resource and an optional actor.
resource should be an instance of the appropriate Resource subclass from datasette.resources—for example InstanceResource(), DatabaseResource(database="...)`` or TableResource(database="...", table="..."). This defaults to InstanceResource() if not specified.
When a check runs Datasette gathers allow/deny rules from multiple sources and compiles them into a SQL query. The resulting query describes all of the resources an actor may access for that action, together with the reasons those resources were allowed or denied. The combined sources are:
allowblocks configured in datasette.yaml.Actor restrictions encoded into the actor dictionary or API token.
The "root" user rule when
--root(orDatasette.root_enabled) is active. This is a global allow rule, so a more specific configuration deny can override it.Any additional SQL provided by plugins implementing permission_resources_sql(datasette, actor, action).
Actor restrictions are applied after the allow/deny rules. They act as an additional allowlist: a restriction can remove access but cannot grant access that the actor did not already have. See Restricting the actions that a token can perform.
Some actions have dependencies on other actions. These are evaluated as an AND condition. For example, execute-sql also requires view-database: both decisions must be allowed for the final result to be allowed.
Defining permissions with "allow" blocks¶
One way to define permissions in Datasette is to use an "allow" block in the datasette.yaml file. This is a JSON document describing which actors are allowed to perform an action against a specific resource.
Each allow block is compiled into SQL and combined with any
plugin-provided rules to produce
the cascading allow/deny decisions that power await .allowed(*, action, resource, actor=None).
The most basic form of allow block is this (allow demo, deny demo):
allow:
id: root
{
"allow": {
"id": "root"
}
}
This will match any actors with an "id" property of "root" - for example, an actor that looks like this:
{
"id": "root",
"name": "Root User"
}
An allow block can specify "deny all" using false (demo):
allow: false
{
"allow": false
}
An "allow" of true allows all access (demo):
allow: true
{
"allow": true
}
Allow keys can provide a list of values. These will match any actor that has any of those values (allow demo, deny demo):
allow:
id:
- simon
- cleopaws
{
"allow": {
"id": [
"simon",
"cleopaws"
]
}
}
This will match any actor with an "id" of either "simon" or "cleopaws".
Actors can have properties that feature a list of values. These will be matched against the list of values in an allow block. Consider the following actor:
{
"id": "simon",
"roles": ["staff", "developer"]
}
This allow block will provide access to any actor that has "developer" as one of their roles (allow demo, deny demo):
allow:
roles:
- developer
{
"allow": {
"roles": [
"developer"
]
}
}
Note that "roles" is not a concept that is baked into Datasette - it's a convention that plugins can choose to implement and act on.
If you want to provide access to any actor with a value for a specific key, use "*". For example, to match any logged-in user specify the following (allow demo, deny demo):
allow:
id: "*"
{
"allow": {
"id": "*"
}
}
You can specify that only unauthenticated actors (from anonymous HTTP requests) should be allowed access using the special "unauthenticated": true key in an allow block (allow demo, deny demo):
allow:
unauthenticated: true
{
"allow": {
"unauthenticated": true
}
}
Allow keys act as an "or" mechanism. An actor will be able to execute the query if any of their JSON properties match any of the values in the corresponding lists in the allow block. The following block will allow users with either a role of "ops" OR users who have an id of "simon" or "cleopaws":
allow:
id:
- simon
- cleopaws
role: ops
{
"allow": {
"id": [
"simon",
"cleopaws"
],
"role": "ops"
}
}
Demo for cleopaws, demo for ops role, demo for an actor matching neither rule.
The /-/allow-debug tool¶
The /-/allow-debug tool lets you try out different "action" blocks against different "actor" JSON objects. You can try that out here: https://latest.datasette.io/-/allow-debug
Access permissions in datasette.yaml¶
There are two ways to configure permissions using datasette.yaml (or datasette.json).
For simple visibility permissions you can use "allow" blocks in the root, database, table and query sections.
For other permissions you can use a "permissions" block, described in the next section.
You can limit who is allowed to view different parts of your Datasette instance using "allow" keys in your Configuration.
You can control the following:
Access to the entire Datasette instance
Access to specific databases
Access to specific tables and views
Access to specific queries
If a user has permission to view a table they will be able to view that table, independent of if they have permission to view the database or instance that the table exists within.
Access to an instance¶
Here's how to restrict access to your entire Datasette instance to just the "id": "root" user:
title: My private Datasette instance
allow:
id: root
{
"title": "My private Datasette instance",
"allow": {
"id": "root"
}
}
To deny access to all users, you can use "allow": false:
title: My entirely inaccessible instance
allow: false
{
"title": "My entirely inaccessible instance",
"allow": false
}
One reason to do this is if you are using a Datasette plugin - such as datasette-permissions-sql - to control permissions instead.
Access to specific databases¶
To limit access to a specific private.db database to just authenticated users, use the "allow" block like this:
databases:
private:
allow:
id: "*"
{
"databases": {
"private": {
"allow": {
"id": "*"
}
}
}
}
Access to specific tables and views¶
To limit access to the users table in your bakery.db database:
databases:
bakery:
tables:
users:
allow:
id: '*'
{
"databases": {
"bakery": {
"tables": {
"users": {
"allow": {
"id": "*"
}
}
}
}
}
}
This works for SQL views as well - you can list their names in the "tables" block above in the same way as regular tables.
Warning
Restricting access to tables and views in this way will NOT prevent users from querying them using arbitrary SQL queries, like this for example.
If you are restricting access to specific tables you should also use the "allow_sql" block to prevent users from bypassing the limit with their own SQL queries - see Controlling the ability to execute arbitrary SQL.
Access to specific queries¶
Queries allow you to configure named SQL queries in your datasette.yaml that can be executed by users. These queries can be set up to both read and write to the database, so controlling who can execute them can be important.
To limit access to the add_name query in your dogs.db database to just the root user:
databases:
dogs:
queries:
add_name:
sql: INSERT INTO names (name) VALUES (:name)
write: true
allow:
id:
- root
{
"databases": {
"dogs": {
"queries": {
"add_name": {
"sql": "INSERT INTO names (name) VALUES (:name)",
"write": true,
"allow": {
"id": [
"root"
]
}
}
}
}
}
}
Controlling the ability to execute arbitrary SQL¶
Datasette defaults to allowing any site visitor to execute their own custom SQL queries, for example using the form on the database page or by appending a ?_where= parameter to the table page like this.
Access to this ability is controlled by the execute-sql permission.
The easiest way to disable arbitrary SQL queries is using the default_allow_sql setting when you first start Datasette running.
You can alternatively use an "allow_sql" block to control who is allowed to execute arbitrary SQL queries.
To prevent any user from executing arbitrary SQL queries, use this:
allow_sql: false
{
"allow_sql": false
}
To enable just the root user to execute SQL for all databases in your instance, use the following:
allow_sql:
id: root
{
"allow_sql": {
"id": "root"
}
}
To limit this ability for just one specific database, use this:
databases:
mydatabase:
allow_sql:
id: root
{
"databases": {
"mydatabase": {
"allow_sql": {
"id": "root"
}
}
}
}
Other permissions in datasette.yaml¶
For all other permissions, you can use one or more "permissions" blocks in your datasette.yaml configuration file.
To grant access to the permissions debug tool to all signed in users, you can grant permissions-debug to any actor with an id matching the wildcard * by adding this a the root of your configuration:
permissions:
debug-menu:
id: '*'
{
"permissions": {
"debug-menu": {
"id": "*"
}
}
}
To grant create-table to the user with id of editor for the docs database:
databases:
docs:
permissions:
create-table:
id: editor
{
"databases": {
"docs": {
"permissions": {
"create-table": {
"id": "editor"
}
}
}
}
}
Other table-scoped write permissions, including set-column-type, can be configured in the same place.
And for insert-row against the reports table in that docs database:
databases:
docs:
tables:
reports:
permissions:
insert-row:
id: editor
{
"databases": {
"docs": {
"tables": {
"reports": {
"permissions": {
"insert-row": {
"id": "editor"
}
}
}
}
}
}
}
The permissions debug tool can be useful for helping test permissions that you have configured in this way.
API Tokens¶
Datasette includes a default mechanism for generating API tokens that can be used to authenticate requests.
Authenticated users can create new API tokens using a form on the /-/create-token page.
Tokens created in this way can be further restricted to only allow access to specific actions, or to limit those actions to specific databases, tables or queries.
Created tokens can then be passed in the Authorization: Bearer $token header of HTTP requests to Datasette.
A token created by a user will include that user's "id" in the token payload, so any permissions granted to that user based on their ID can be made available to the token as well.
When one of these a token accompanies a request, the actor for that request will have the following shape:
{
"id": "user_id",
"token": "dstok",
"token_expires": 1667717426
}
The "id" field duplicates the ID of the actor who first created the token.
The "token" field identifies that this actor was authenticated using a Datasette signed token (dstok).
The "token_expires" field, if present, indicates that the token will expire after that integer timestamp.
The /-/create-token page cannot be accessed by actors that are authenticated with a "token": "some-value" property. This is to prevent API tokens from being used to create more tokens.
Datasette plugins that implement their own form of API token authentication should follow this convention.
If a request presents a token that a token handler recognizes but rejects - an invalid signature, a malformed payload or an expired token - Datasette responds with a 401 status, the standard JSON error format and a WWW-Authenticate: Bearer error="invalid_token" header. This means API clients can distinguish "your token needs to be renewed" (401) from "your token does not grant this permission" (403). A Bearer token that no registered handler recognizes at all is ignored, since it may be intended for an authentication plugin.
You can disable the signed token feature entirely using the allow_signed_tokens setting. Requests presenting a dstok_ token while the feature is disabled receive a 401.
datasette create-token¶
You can also create tokens on the command line using the datasette create-token command.
This command takes one required argument - the ID of the actor to be associated with the created token.
You can specify a -e/--expires-after option in seconds. If omitted, the token will never expire.
The command will sign the token using the DATASETTE_SECRET environment variable, if available. You can also pass the secret using the --secret option.
This means you can run the command locally to create tokens for use with a deployed Datasette instance, provided you know that instance's secret.
To create a token for the root actor that will expire in one hour:
datasette create-token root --expires-after 3600
To create a token that never expires using a specific secret:
datasette create-token root --secret my-secret-goes-here
Restricting the actions that a token can perform¶
Tokens created using datasette create-token ACTOR_ID will inherit all of the permissions of the actor that they are associated with.
You can pass additional options to create tokens that are restricted to a subset of that actor's permissions.
To restrict the token to just specific permissions against all available databases, use the --all option:
datasette create-token root --all insert-row --all update-row
This option can be passed as many times as you like. In the above example the token will only be allowed to insert and update rows.
You can also restrict permissions such that they can only be used within specific databases:
datasette create-token root --database mydatabase insert-row
The resulting token will only be able to insert rows, and only to tables in the mydatabase database.
Finally, you can restrict permissions to individual resources - tables, SQL views and named queries - within a specific database:
datasette create-token root --resource mydatabase mytable insert-row
These options have short versions: -a for --all, -d for --database and -r for --resource.
You can add --debug to see a JSON representation of the token that has been created. Here's a full example:
datasette create-token root \
--secret mysecret \
--all view-instance \
--all view-table \
--database docs view-query \
--resource docs documents insert-row \
--resource docs documents update-row \
--debug
This example outputs the following:
dstok_.eJxFizEKgDAMRe_y5w4qYrFXERGxDkVsMI0uxbubdjFL8l_ez1jhwEQCA6Fjjxp90qtkuHawzdjYrh8MFobLxZ_wBH0_gtnAF-hpS5VfmF8D_lnd97lHqUJgLd6sls4H1qwlhA.nH_7RecYHj5qSzvjhMU95iy0Xlc
Decoded:
{
"a": "root",
"token": "dstok",
"t": 1670907246,
"_r": {
"a": [
"vi",
"vt"
],
"d": {
"docs": [
"vq"
]
},
"r": {
"docs": {
"documents": [
"ir",
"ur"
]
}
}
}
}
Restrictions act as an allowlist layered on top of the actor's existing
permissions. They can only remove access the actor would otherwise have—they
cannot grant new access. If the underlying actor is denied by allow rules in
datasette.yaml or by a plugin, a token that lists that resource in its
"_r" section will still be denied.
To create tokens with restrictions in Python code, use the TokenRestrictions builder and pass it to datasette.create_token().
Checking permissions in plugins¶
Datasette plugins can check if an actor has permission to perform an action using await .allowed(*, action, resource, actor=None)—for example:
from datasette.resources import TableResource
can_edit = await datasette.allowed(
action="update-row",
resource=TableResource(database="fixtures", table="facetable"),
actor=request.actor,
)
Use await .ensure_permission(action, resource=None, actor=None) when you need to enforce a permission and
raise a Forbidden error automatically.
Plugins that define new operations should return Action
objects from register_actions(datasette) and can supply additional allow/deny
rules by returning PermissionSQL objects from the
permission_resources_sql(datasette, actor, action) hook. Those rules are merged with
configuration allow blocks and actor restrictions to determine the final
result for each check.
actor_matches_allow()¶
Plugins that wish to implement this same "allow" block permissions scheme can take advantage of the datasette.utils.actor_matches_allow(actor, allow) function:
from datasette.utils import actor_matches_allow
actor_matches_allow({"id": "root"}, {"id": "*"})
# returns True
The currently authenticated actor is made available to plugins as request.actor.
Permissions debug tools¶
The debug tool at /-/permissions is available to any actor with the permissions-debug permission. By default this is just the authenticated root user but you can open it up to all users by starting Datasette like this:
datasette -s permissions.permissions-debug true data.db
The permission debug tools answer four different questions:
- Why was this decision allowed or denied?
Use Permission check view. It shows every matching rule, identifies the winning specificity level, applies actor restrictions and evaluates any required actions.
- Which resources can the current actor access?
Use Allowed resources view to view an access map for a selected action.
- Which raw rules did Datasette and its plugins contribute?
Use Permission rules view to inspect the rules before they are resolved into decisions.
- Which checks has this Datasette instance performed recently?
Use
/-/permissionsto view recent permission activity.
These tools are designed to help administrators and plugin authors understand and confirm the effective permissions configuration.
These debug endpoints are exempt from the JSON API stability promise - their JSON shapes may change in future releases.
Allowed resources view¶
The /-/allowed endpoint displays resources that the current actor can access for a specified action.
This endpoint provides an interactive HTML form interface. Add .json to the URL path (e.g. /-/allowed.json) to get the raw JSON response instead.
Pass ?action=view-table (or another action) to select the action. Optional parent= and child= query parameters can narrow the results to a specific database/table pair. Results are paginated: ?_size= sets the page size (default 50, maximum 200, max for the maximum) and ?_page= selects a page.
This endpoint is publicly accessible to help users understand their own permissions. The potentially sensitive reason field is only shown to users with the permissions-debug permission - it shows the plugins and explanatory reasons that were responsible for each decision.
Permission rules view¶
The /-/rules endpoint displays all permission rules (both allow and deny) for each candidate resource for the requested action.
This endpoint provides an interactive HTML form interface. Add .json to the URL path (e.g. /-/rules.json?action=view-table) to get the raw JSON response instead.
Pass ?action= as a query parameter to specify which action to check. The ?_size= and ?_page= pagination parameters work the same as on /-/allowed.
This endpoint requires the permissions-debug permission.
Permission check view¶
The /-/check endpoint evaluates and explains a single actor, action and resource decision. The explanation includes:
Every matching allow and deny rule, with its source and reason.
The winning resource, parent or global scope.
Rules ignored because a more specific rule matched, or because a deny won at the same scope.
Actor restriction allowlists that included or excluded the resource.
Additional actions required by the requested action.
An explicit default-deny explanation when no rule matched.
This endpoint provides an interactive HTML form interface. Add .json to the URL path (e.g. /-/check.json?action=view-instance) to get the raw JSON response instead.
Pass ?action= to specify the action to check, and optional ?parent= and ?child= parameters to specify the resource. The interactive form also accepts actor JSON, allowing a hypothetical actor to be tested without signing in as that actor. The JSON endpoint accepts the same value using the actor query string parameter. Use actor=null to represent an anonymous actor.
This endpoint requires the permissions-debug permission. The hypothetical actor is used only for the decision being explained; access to the debug tool is checked against the actor who is actually signed in.
Built-in actions¶
This section lists all of the permission checks that are carried out by Datasette core, along with the resource if it was passed.
view-instance¶
Top level permission - Actor is allowed to view any pages within this instance, starting at https://latest.datasette.io/
view-database¶
Actor is allowed to view a database page, e.g. https://latest.datasette.io/fixtures
resource-datasette.permissions.DatabaseResource(database)databaseis the name of the database (string)
view-database-download¶
Actor is allowed to download a database, e.g. https://latest.datasette.io/fixtures.db
resource-datasette.resources.DatabaseResource(database)databaseis the name of the database (string)
view-table¶
Actor is allowed to view a table (or view) page, e.g. https://latest.datasette.io/fixtures/complex_foreign_keys
resource-datasette.resources.TableResource(database, table)databaseis the name of the database (string)tableis the name of the table (string)
view-query¶
Actor is allowed to view a stored query page, e.g. https://latest.datasette.io/fixtures/pragma_cache_size. Executing an untrusted stored query also requires execute-sql or the relevant write permissions; trusted stored queries can execute with view-query alone.
resource-datasette.resources.QueryResource(database, query)databaseis the name of the database (string)queryis the name of the query (string)
store-query¶
Actor is allowed to create stored queries against a database.
resource-datasette.resources.DatabaseResource(database)databaseis the name of the database (string)
update-query¶
Actor is allowed to update a stored query.
resource-datasette.resources.QueryResource(database, query)databaseis the name of the database (string)queryis the name of the query (string)
delete-query¶
Actor is allowed to delete a stored query.
resource-datasette.resources.QueryResource(database, query)databaseis the name of the database (string)queryis the name of the query (string)
insert-row¶
Actor is allowed to insert rows into a table.
resource-datasette.resources.TableResource(database, table)databaseis the name of the database (string)tableis the name of the table (string)
delete-row¶
Actor is allowed to delete rows from a table.
resource-datasette.resources.TableResource(database, table)databaseis the name of the database (string)tableis the name of the table (string)
update-row¶
Actor is allowed to update rows in a table.
resource-datasette.resources.TableResource(database, table)databaseis the name of the database (string)tableis the name of the table (string)
create-table¶
Actor is allowed to create a database table.
resource-datasette.resources.DatabaseResource(database)databaseis the name of the database (string)
create-view¶
Actor is allowed to create a database view.
resource-datasette.resources.DatabaseResource(database)databaseis the name of the database (string)
alter-table¶
Actor is allowed to alter a database table.
resource-datasette.resources.TableResource(database, table)databaseis the name of the database (string)tableis the name of the table (string)
set-column-type¶
Actor is allowed to set assigned column types for columns in a table.
resource-datasette.resources.TableResource(database, table)databaseis the name of the database (string)tableis the name of the table (string)
drop-table¶
Actor is allowed to drop a database table.
resource-datasette.resources.TableResource(database, table)databaseis the name of the database (string)tableis the name of the table (string)
drop-view¶
Actor is allowed to drop a database view.
resource-datasette.resources.TableResource(database, table)databaseis the name of the database (string)tableis the name of the view (string)
execute-sql¶
Actor is allowed to run arbitrary read-only SQL queries against a specific database using the custom SQL query page, e.g. https://latest.datasette.io/fixtures/-/query?sql=select+100
resource-datasette.resources.DatabaseResource(database)databaseis the name of the database (string)
See also the default_allow_sql setting.
execute-write-sql¶
Actor is allowed to run arbitrary writable SQL queries against a specific database using the write SQL queries page, subject to table-level write permissions such as insert-row, update-row and delete-row. SQL functions are allowed and are not separately restricted by Datasette permissions.
resource-datasette.resources.DatabaseResource(database)databaseis the name of the database (string)
permissions-debug¶
Actor is allowed to view the /-/permissions debug tools.