id,page,ref,title,content,breadcrumbs,references
authentication:authentication-permissions-execute-sql,authentication,authentication-permissions-execute-sql,Controlling the ability to execute arbitrary SQL,"Datasette defaults to allowing any site visitor to execute their own custom SQL queries, for example using the form on  the database page  or by appending a  ?_where=  parameter to the table page  like this . 
                 Access to this ability is controlled by the  execute-sql  permission. 
                 The easiest way to disable arbitrary SQL queries is using the  default_allow_sql setting  when you first start Datasette running. 
                 You can alternatively use an  ""allow_sql""  block to control who is allowed to execute arbitrary SQL queries. 
                 To prevent any user from executing arbitrary SQL queries, use this: 
                 [[[cog
config_example(cog, """"""
    allow_sql: false
"""""") 
                 ]]] 
                 [[[end]]] 
                 To enable just the  root user  to execute SQL for all databases in your instance, use the following: 
                 [[[cog
config_example(cog, """"""
    allow_sql:
      id: root
"""""") 
                 ]]] 
                 [[[end]]] 
                 To limit this ability for just one specific database, use this: 
                 [[[cog
config_example(cog, """"""
    databases:
      mydatabase:
        allow_sql:
          id: root
"""""") 
                 ]]] 
                 [[[end]]]","[""Authentication and permissions"", ""Access permissions in ""]","[{""href"": ""https://latest.datasette.io/fixtures"", ""label"": ""the database page""}, {""href"": ""https://latest.datasette.io/fixtures/facetable?_where=_city_id=1"", ""label"": ""like this""}]"
authentication:authentication-permissions-table,authentication,authentication-permissions-table,Access to specific tables and views,"To limit access to the  users  table in your  bakery.db  database: 
                 [[[cog
config_example(cog, """"""
    databases:
      bakery:
        tables:
          users:
            allow:
              id: '*'
"""""") 
                 ]]] 
                 [[[end]]] 
                 This works for SQL views as well - you can list their names in the  ""tables""  block above in the same way as regular tables. 
                 
                     Restricting access to tables and views in this way will NOT prevent users from querying them using arbitrary SQL queries,  like this  for example. 
                     If you are restricting access to specific tables you should also use the  ""allow_sql""  block to prevent users from bypassing the limit with their own SQL queries - see  Controlling the ability to execute arbitrary SQL .","[""Authentication and permissions"", ""Access permissions in ""]","[{""href"": ""https://latest.datasette.io/fixtures?sql=select+*+from+facetable"", ""label"": ""like this""}]"
authentication:authentication-permissions-database,authentication,authentication-permissions-database,Access to specific databases,"To limit access to a specific  private.db  database to just authenticated users, use the  ""allow""  block like this: 
                 [[[cog
config_example(cog, """"""
    databases:
      private:
        allow:
          id: ""*""
"""""") 
                 ]]] 
                 [[[end]]]","[""Authentication and permissions"", ""Access permissions in ""]",[]
authentication:authentication-permissions-query,authentication,authentication-permissions-query,Access to specific canned queries,"Canned queries  allow you to configure named SQL queries in your  datasette.yaml  that can be executed by users. These queries can be set up to both read and write to the database, so controlling who can execute them can be important. 
                 To limit access to the  add_name  canned query in your  dogs.db  database to just the  root user : 
                 [[[cog
config_example(cog, """"""
    databases:
      dogs:
        queries:
          add_name:
            sql: INSERT INTO names (name) VALUES (:name)
            write: true
            allow:
              id:
              - root
"""""") 
                 ]]] 
                 [[[end]]]","[""Authentication and permissions"", ""Access permissions in ""]",[]
authentication:authentication-permissions-instance,authentication,authentication-permissions-instance,Access to an instance,"Here's how to restrict access to your entire Datasette instance to just the  ""id"": ""root""  user: 
                 [[[cog
from metadata_doc import config_example
config_example(cog, """"""
    title: My private Datasette instance
    allow:
      id: root
  """""") 
                 ]]] 
                 [[[end]]] 
                 To deny access to all users, you can use  ""allow"": false : 
                 [[[cog
config_example(cog, """"""
    title: My entirely inaccessible instance
    allow: false
"""""") 
                 ]]] 
                 [[[end]]] 
                 One reason to do this is if you are using a Datasette plugin - such as  datasette-permissions-sql  - to control permissions instead.","[""Authentication and permissions"", ""Access permissions in ""]","[{""href"": ""https://github.com/simonw/datasette-permissions-sql"", ""label"": ""datasette-permissions-sql""}]"