From 9315bacf6f63e20781d21d170e55a55b2c54fcdd Mon Sep 17 00:00:00 2001
From: Simon Willison
Date: Sat, 30 May 2020 15:24:43 -0700
Subject: [PATCH] Implemented datasette.permission_allowed(), refs #699
---
 datasette/app.py | 19 +++++++++++++++++++
 docs/internals.rst | 19 +++++++++++++++++++
 tests/plugins/my_plugin.py | 8 ++++++++
 tests/plugins/my_plugin_2.py | 13 +++++++++++++
 tests/test_plugins.py | 20 ++++++++++++++++----
 5 files changed, 75 insertions(+), 4 deletions(-)
diff --git a/datasette/app.py b/datasette/app.py
index 3f2876ec2a..773dee311c 100644
--- a/datasette/app.py
+++ b/datasette/app.py
@@ -406,6 +406,25 @@ def _prepare_connection(self, conn, database):
 # pylint: disable=no-member
 pm.hook.prepare_connection(conn=conn, database=database, datasette=self)
+ async def permission_allowed(
+ self, actor, action, resource_type=None, resource_identifier=None, default=False
+ ):
+ "Check permissions using the permissions_allowed plugin hook"
+ for check in pm.hook.permission_allowed(
+ datasette=self,
+ actor=actor,
+ action=action,
+ resource_type=resource_type,
+ resource_identifier=resource_identifier,
+ ):
+ if callable(check):
+ check = check()
+ if asyncio.iscoroutine(check):
+ check = await check
+ if check is not None:
+ return check
+ return default
+
 async def execute(
 self,
 db_name,
diff --git a/docs/internals.rst b/docs/internals.rst
index e9ba95672c..2ba70722e6 100644
--- a/docs/internals.rst
+++ b/docs/internals.rst
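Review bot: In `permission_allowed` the loop returns the first non-None answer, so when two plugins disagree the outcome depends on the order in which the hook implementations are called, and an allow from one plugin can mask an explicit deny from another. The value is also returned as-is, so any truthy non-bool a plugin hands back (for example an awaitable that is not a coroutine and so is never awaited) reads as "allowed" to a caller that writes `if await datasette.permission_allowed(...)`. Consider collecting every opinion, letting any `False` win, and rejecting results that are not `True`, `False` or `None`, as sketched below; whichever precedence is chosen should be stated in the docstring. The docstring also names the hook `permissions_allowed`, while the hook actually called is `permission_allowed`.

```python
        # ... unchanged: signature and docstring ...
        opinions = []
        for check in pm.hook.permission_allowed(
            # ... unchanged: hook keyword arguments ...
        ):
            # ... unchanged: callable / coroutine resolution ...
            if check is None:
                continue
            if not isinstance(check, bool):
                # Fail loudly rather than treat an arbitrary truthy value as "allow"
                raise TypeError(
                    "permission_allowed hook must return True, False or None"
                )
            opinions.append(check)
        if False in opinions:
            # An explicit deny wins regardless of plugin order
            return False
        if opinions:
            return True
        return default
```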
@@ -111,6 +111,25 @@ This method lets you read plugin configuration values that were set in ``metadat
 Renders a `Jinja template `__ using Datasette's preconfigured instance of Jinja and returns the resulting string. The template will have access to Datasette's default template functions and any functions that have been made available by other plugins.
+await .permission_allowed(actor, action, resource_type=None, resource_identifier=None, default=False)
+-----------------------------------------------------------------------------------------------------
+
+``actor`` - dictionary
+ The authenticated actor. This is usually ``request.scope.get("actor")``.
+
+``action`` - string
+ The name of the action that is being permission checked.
+
+``resource_type`` - string, optional
+ The type of resource being checked, e.g. ``"table"``.
+
+``resource_identifier`` - string, optional
+ The resource identifier, e.g. the name of the table.
+
+Check if the given actor has permission to perform the given action on the given resource. This uses plugins that implement the :ref:`plugin_permission_allowed` plugin hook to decide if the action is allowed or not.
+
+If none of the plugins express an opinion, the return value will be the ``default`` argument. This is deny, but you can pass ``default=True`` to default allow instead.
+
 .. _datasette_get_database:
 .get_database(name)
diff --git a/tests/plugins/my_plugin.py b/tests/plugins/my_plugin.py
index 305cb3b793..4689371038 100644
--- a/tests/plugins/my_plugin.py
+++ b/tests/plugins/my_plugin.py
@@ -134,3 +134,11 @@ def actor_from_request(datasette, request):
 return {"id": "bot"}
 else:
 return None
+
+
+@hookimpl
+def permission_allowed(actor, action):
+ if action == "this_is_allowed":
+ return True
+ elif action == "this_is_denied":
+ return False
diff --git a/tests/plugins/my_plugin_2.py b/tests/plugins/my_plugin_2.py
index 0a5cbba543..039112f42e 100644
--- a/tests/plugins/my_plugin_2.py
+++ b/tests/plugins/my_plugin_2.py
@@ -107,3 +107,16 @@ async def inner():
 return None
 return inner
+
+
+@hookimpl
+def permission_allowed(datasette, actor, action):
+ # Testing asyncio version of permission_allowed
+ async def inner():
+ assert 2 == (await datasette.get_database().execute("select 1 + 1")).first()[0]
+ if action == "this_is_allowed_async":
+ return True
+ elif action == "this_is_denied_async":
+ return False
+
+ return inner
diff --git a/tests/test_plugins.py b/tests/test_plugins.py
index 3ad2698686..e123b7a020 100644
--- a/tests/test_plugins.py
+++ b/tests/test_plugins.py
@@ -523,7 +523,19 @@ def test_actor_from_request_async(app_client):
 assert {"id": "bot2", "1+1": 2} == app_client.ds._last_request.scope["actor"]
-@pytest.mark.xfail
-def test_permission_allowed(app_client):
- # TODO
- assert False
+@pytest.mark.asyncio
+@pytest.mark.parametrize(
+ "action,expected",
+ [
+ ("this_is_allowed", True),
+ ("this_is_denied", False),
+ ("this_is_allowed_async", True),
+ ("this_is_denied_async", False),
+ ("no_match", None),
+ ],
+)
+async def test_permission_allowed(app_client, action, expected):
+ actual = await app_client.ds.permission_allowed(
+ {"id": "actor"}, action, default=None
+ )
+ assert expected == actual
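Review bot: Every case in `test_permission_allowed` passes `default=None`, so the deny-by-default result (`default=False` when no plugin expresses an opinion) is never asserted, and no case has the two test plugins giving opposite answers for the same action. A case that calls `await app_client.ds.permission_allowed({"id": "actor"}, "no_match")` and asserts `False` would pin the fail-closed default. One extra action that `my_plugin` allows and `my_plugin_2` denies would pin whichever precedence rule is intended, so a later change to plugin ordering cannot silently turn a deny into an allow.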