Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ability to customize what happens when a view permission fails #812

Closed
simonw opened this issue Jun 8, 2020 · 3 comments
Closed

Ability to customize what happens when a view permission fails #812

simonw opened this issue Jun 8, 2020 · 3 comments
Labels
authentication-and-permissions medium plugins security
Milestone
Datasette 0.45

Comments

@simonw
Copy link
Owner

simonw commented Jun 8, 2020

Currently view permission failures raise a Forbidden error which is transformed into a 403.

It would be good if this page could offer a way forward - maybe just by linking to (or redirecting to) a login screen. This behaviour will vary based on authentication plugins, so a new plugin hook is probably the best way to do this.
@simonw simonw added this to the Datasette 0.44 milestone Jun 8, 2020
@simonw simonw added the medium label Jun 9, 2020
@simonw
Copy link
Owner Author

simonw commented Jun 9, 2020

I'm going to figure this out by working with simonw/datasette-auth-github#62

@simonw simonw mentioned this issue Jun 10, 2020
Closed
@simonw simonw modified the milestones: Datasette 0.44, Datasette 0.45 Jun 11, 2020
@simonw
Copy link
Owner Author

simonw commented Jul 1, 2020
edited
Loading

This can be a plugin hook:

@hookspec
def forbidden(datasette, request, message, send):
    "Custom response for a 403 forbidden error"

If the hook returns a Response object, it will be returned to the user. Plugins are likely to want to return a redirect response.

Maybe the hook can instead use the send argument to respond to the request and return True which means "I've responded to this"?

I'm going to leave send off for the moment - I can add that in the future if it turns out it would have been a good idea.

@simonw
Copy link
Owner Author

simonw commented Jul 1, 2020

This case may not be covered without extra work:

datasette/datasette/views/database.py

Lines 122 to 123 in 3ec5b1a

if not self.ds.config("allow_download") or db.is_mutable:
raise DatasetteError("Database download is forbidden", status=403)

@simonw simonw closed this as completed in 549b1c2 Jul 1, 2020
simonw added a commit that referenced this issue Jul 1, 2020
@simonw
Release 0.45a5
676bb64 
Refs #840, #832, #835, #812
simonw added a commit that referenced this issue Jul 1, 2020
@simonw
Release notes for 0.45
f1f581b 
Refs #687, #807, #812, #832, #834, #835, #840, #842, #846, #852, #854, #863, #864, #870
@simonw simonw mentioned this issue Jul 6, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
authentication-and-permissions medium plugins security
Projects
None yet
Milestone
Datasette 0.45
Development

No branches or pull requests
1 participant
@simonw