-
-
Notifications
You must be signed in to change notification settings - Fork 639
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Permissions defined in datasette.yml do not correctly obey the veto rule #2292
Comments
It looks like this is the code at fault: datasette/datasette/default_permissions.py Lines 175 to 230 in 86335dc
Also of note: since that's called by this parent function a related issue is that datasette/datasette/default_permissions.py Lines 130 to 172 in 86335dc
I don't like that. It should either be fixed or at least be documented. |
https://docs.datasette.io/en/1.0a12/authentication.html#other-permissions-in-datasette-yaml describes how you can nest permissions in
datasette.yml
something like this:One would expect the above to allow
editor
to update row in any table indocs
except fornews
- since that would fit the veto rule described in https://docs.datasette.io/en/1.0a12/authentication.html#how-permissions-are-resolvedBut that's not actually what happens - in the above case (or a case like it) - as far as I can tell the database-level rule is obeyed and the table-level one is ignored.
I was testing this with:
The text was updated successfully, but these errors were encountered: